2022-09-29 20:35:56

by Luiz Augusto von Dentz

Subject: [PATCH] Bluetooth: L2CAP: Fix user-after-free

From: Luiz Augusto von Dentz <[email protected]>

This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:

Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
*kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

Link: https://lore.kernel.org/lkml/[email protected]
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Sungwoo Kim <[email protected]>
---
net/bluetooth/l2cap_core.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 770891f68703..1f34b82ca0ec 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4309,6 +4309,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
}
}

+ chan = l2cap_chan_hold_unless_zero(chan);
+ if (!chan) {
+ err = -EBADSLT;
+ goto unlock;
+ }
+
err = 0;

l2cap_chan_lock(chan);
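Review bot: the early `goto unlock` on a failed `l2cap_chan_hold_unless_zero()` is placed correctly, since it sits before `l2cap_chan_lock(chan)` and only `conn->chan_lock` is held at that point, but from this line on every exit path of the function carries an extra reference that must be dropped. The region elided between this hunk and the next (roughly lines 4315 to 4338 of the old file) is not visible here; please confirm that no `goto unlock` or `return` in it leaves the function without a matching `l2cap_chan_put(chan)`, otherwise the fix trades a use-after-free for a reference leak that keeps the channel alive forever. Also, the commit message refers to `__l2cap_get_chan_blah()`, which is not a real helper; it should name the actual lookup function whose result is being pinned here, so that someone reading the log later can tell which unprotected lookup this guards.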
@@ -4338,6 +4344,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
}

l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);

unlock:
mutex_unlock(&conn->chan_lock);
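Review bot: the ordering `l2cap_chan_unlock(chan); l2cap_chan_put(chan);` is the right one and should stay that way: `l2cap_chan_put()` may be the final reference drop that triggers `l2cap_chan_destroy()` (the kref release seen at the top of the KASAN trace), so unlocking after the put would touch freed memory in exactly the `__mutex_lock`/`__mutex_unlock` paths the trace reports. Two smaller points: the put lands on the normal path only, so any error path inside the now-protected region that jumps to `unlock:` needs its own put (see the note on the previous hunk), and the CheckPatch failures reported by the CI bot are false positives caused by the `Bluetooth: chan 0000000023c4974d` / `Bluetooth: parent 00000000ae861c08` lines in the commit message being parsed as commit ids; indenting the quoted trace by a few spaces in the commit message would avoid that without changing its content.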
--
2.37.3


2022-09-29 21:54:52

by bluez.test.bot

Subject: RE: Bluetooth: L2CAP: Fix user-after-free

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=682039

---Test result---

Test Summary:
CheckPatch FAIL 1.35 seconds
GitLint PASS 0.77 seconds
SubjectPrefix PASS 0.63 seconds
BuildKernel PASS 42.47 seconds
BuildKernel32 PASS 36.84 seconds
Incremental Build with patches PASS 52.41 seconds
TestRunner: Setup PASS 621.55 seconds
TestRunner: l2cap-tester PASS 19.43 seconds
TestRunner: iso-tester PASS 19.76 seconds
TestRunner: bnep-tester PASS 7.57 seconds
TestRunner: mgmt-tester PASS 120.62 seconds
TestRunner: rfcomm-tester PASS 11.86 seconds
TestRunner: sco-tester PASS 11.05 seconds
TestRunner: ioctl-tester PASS 12.94 seconds
TestRunner: smp-tester PASS 11.09 seconds
TestRunner: userchan-tester PASS 7.68 seconds

Details
##############################
Test: CheckPatch - FAIL - 1.35 seconds
Run checkpatch.pl script with rule in .checkpatch.conf
Bluetooth: L2CAP: Fix user-after-free
ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: unsaf ("ace/src' is owned by someone else)")'
#86:
Bluetooth: chan 0000000023c4974d

ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit fatal: unsaf ("ace/src' is owned by someone else)")'
#87:
Bluetooth: parent 00000000ae861c08

total: 2 errors, 0 warnings, 0 checks, 19 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12994594.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.

---
Regards,
Linux Bluetooth

2022-10-01 01:01:02

by patchwork-bot+bluetooth

Subject: Re: [PATCH] Bluetooth: L2CAP: Fix user-after-free

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Thu, 29 Sep 2022 13:32:41 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> This uses l2cap_chan_hold_unless_zero() after calling
> __l2cap_get_chan_blah() to prevent the following trace:
>
> Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
> *kref)
> Bluetooth: chan 0000000023c4974d
> Bluetooth: parent 00000000ae861c08
> ==================================================================
> BUG: KASAN: use-after-free in __mutex_waiter_is_first
> kernel/locking/mutex.c:191 [inline]
> BUG: KASAN: use-after-free in __mutex_lock_common
> kernel/locking/mutex.c:671 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
> kernel/locking/mutex.c:729
> Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
>
> [...]

Here is the summary with links:
- Bluetooth: L2CAP: Fix user-after-free
https://git.kernel.org/bluetooth/bluetooth-next/c/35fcbc4243aa

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html