2024-03-08 16:07:44

by Luiz Augusto von Dentz

Subject: [PATCH v1] Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync

From: Luiz Augusto von Dentz <[email protected]>

This fixes the following error caused by hci_conn being freed while
hci_acl_create_conn_sync is pending:

==================================================================
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848

CPU: 0 PID: 848 Comm: kworker/u3:0 Not tainted 6.8.0-rc6-g2ab3e8d67fc1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x21/0x70
print_report+0xce/0x620
? preempt_count_sub+0x13/0xc0
? __virt_addr_valid+0x15f/0x310
? hci_acl_create_conn_sync+0xa7/0x2e0
kasan_report+0xdf/0x110
? hci_acl_create_conn_sync+0xa7/0x2e0
hci_acl_create_conn_sync+0xa7/0x2e0
? __pfx_hci_acl_create_conn_sync+0x10/0x10
? __pfx_lock_release+0x10/0x10
? __pfx_hci_acl_create_conn_sync+0x10/0x10
hci_cmd_sync_work+0x138/0x1c0
process_one_work+0x405/0x800
? __pfx_lock_acquire+0x10/0x10
? __pfx_process_one_work+0x10/0x10
worker_thread+0x37b/0x670
? __pfx_worker_thread+0x10/0x10
kthread+0x19b/0x1e0
? kthread+0xfe/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>

Allocated by task 847:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xc6/0x970
hci_connect_acl+0x309/0x410
pair_device+0x4fb/0x710
hci_sock_sendmsg+0x933/0xef0
sock_write_iter+0x2c3/0x2d0
do_iter_readv_writev+0x21a/0x2e0
vfs_writev+0x21c/0x7b0
do_writev+0x14a/0x180
do_syscall_64+0x77/0x150
entry_SYSCALL_64_after_hwframe+0x6c/0x74

Freed by task 847:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0xfa/0x150
kfree+0xcb/0x250
device_release+0x58/0xf0
kobject_put+0xbb/0x160
hci_conn_del+0x281/0x570
hci_conn_hash_flush+0xfc/0x130
hci_dev_close_sync+0x336/0x960
hci_dev_close+0x10e/0x140
hci_sock_ioctl+0x14a/0x5c0
sock_ioctl+0x58a/0x5d0
__x64_sys_ioctl+0x480/0xf60
do_syscall_64+0x77/0x150
entry_SYSCALL_64_after_hwframe+0x6c/0x74

Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/hci_sync.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 8a3d0d1f7871..f6b662369322 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6709,6 +6709,9 @@ static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data)
struct hci_cp_create_conn cp;
int err;

+ if (!hci_conn_valid(hdev, conn))
+ return -ECANCELED;
+
/* Many controllers disallow HCI Create Connection while it is doing
* HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
* Connection. This may cause the MGMT discovering state to become false
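Review bot: the hci_conn_valid() check is placed before any dereference of conn, but the hunk shows no lock taken around it, so the fix is only complete if something else serializes hci_conn_del() (reached in the report via hci_dev_close_sync() -> hci_conn_hash_flush()) against the running sync callback; otherwise conn can still be freed between the check and the later use, and the check only narrows the window. The commit message should state what provides that serialization (for example that both paths run under hdev->lock), or the check and the subsequent use of conn should be wrapped in hci_dev_lock()/hci_dev_unlock(). A one-line comment above the check explaining why -ECANCELED is returned would also help, so a reader understands the queued Create Connection is deliberately dropped for a connection that no longer exists rather than treated as a controller failure.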
--
2.43.0
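To make the race in the commit message concrete, here is an added userspace C model; it is not part of the patch or of the kernel tree. A queued work item keeps a raw pointer to a connection object, a second path frees that object before the work runs (the hci_dev_close -> hci_conn_hash_flush -> hci_conn_del path in the KASAN report), and the callback dereferences the stale pointer. The hardened callback first checks that the pointer is still a member of the device's connection list, the same shape as the hci_conn_valid() check the hunk adds, and returns -ECANCELED otherwise. All names here (model_conn, model_hdev, conn_valid, run_scenario, the pkt_type field and the 0xcc18 value) are invented for the model and are not the kernel's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of one ACL connection (invented). pkt_type stands in for the 2-byte
 * field the real callback writes ("Write of size 2" in the KASAN report). */
struct model_conn {
	struct model_conn *next;
	uint16_t handle;
	uint16_t pkt_type;
};

/* Model of the device: owns the connection list, like hdev->conn_hash. */
struct model_hdev {
	struct model_conn *conns;
};

/* A queued sync-work item. It holds a raw pointer to its connection and
 * nothing on it keeps the connection alive: that pointer is the hazard. */
struct model_sync_work {
	int (*func)(struct model_hdev *hdev, void *data);
	void *data;
};

static struct model_conn *conn_add(struct model_hdev *hdev, uint16_t handle)
{
	struct model_conn *conn = calloc(1, sizeof(*conn));

	if (!conn)
		return NULL;
	conn->handle = handle;
	conn->next = hdev->conns;
	hdev->conns = conn;
	return conn;
}

/* Unlink and free, as the close path does for every connection. */
static void conn_del(struct model_hdev *hdev, struct model_conn *conn)
{
	struct model_conn **pp;

	for (pp = &hdev->conns; *pp; pp = &(*pp)->next) {
		if (*pp == conn) {
			*pp = conn->next;
			free(conn);
			return;
		}
	}
}

/* Pointer-identity check against the owning list. Only the list is read and
 * conn is never dereferenced, so it is safe with a possibly freed pointer. */
static bool conn_valid(const struct model_hdev *hdev, const struct model_conn *conn)
{
	const struct model_conn *c;

	for (c = hdev->conns; c; c = c->next)
		if (c == conn)
			return true;
	return false;
}

/* Hardened callback: bail out before touching conn if it is gone. */
static int acl_create_conn_sync(struct model_hdev *hdev, void *data)
{
	struct model_conn *conn = data;

	if (!conn_valid(hdev, conn))
		return -ECANCELED;

	conn->pkt_type = 0xcc18;	/* stand-in for filling the command */
	return 0;
}

/* Dispatch one queued item, as the sync work handler would. */
static int sync_work_run(struct model_hdev *hdev, struct model_sync_work *w)
{
	return w->func(hdev, w->data);
}

/* Queue the work, optionally "close the device" (freeing the connection)
 * before it runs, and report the callback's result. */
static int run_scenario(bool close_before_work)
{
	struct model_hdev hdev = { .conns = NULL };
	struct model_conn *conn = conn_add(&hdev, 0x0001);
	struct model_sync_work work = { .func = acl_create_conn_sync, .data = conn };
	int err;

	if (!conn)
		return -ENOMEM;
	if (close_before_work)
		conn_del(&hdev, conn);	/* work.data now dangles */

	err = sync_work_run(&hdev, &work);

	while (hdev.conns)
		conn_del(&hdev, hdev.conns);
	return err;
}

int main(void)
{
	printf("work before close: %d\n", run_scenario(false));
	printf("work after close:  %d (-ECANCELED)\n", run_scenario(true));
	return 0;
}
```

Two caveats carry over from the model to the real code. First, a membership check compares addresses, so it is only meaningful while allocation and freeing of connections are serialized against the running work; if the slab could hand the same address to a new connection in between, a stale pointer would pass the check while naming a different object. Second, the check protects one entry point; any later dereference in the same callback relies on the connection staying alive for the whole call, which is a locking question the model does not answer.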



2024-03-08 16:45:01

by bluez.test.bot

Subject: RE: [v1] Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=833836

---Test result---

Test Summary:
CheckPatch PASS 0.50 seconds
GitLint PASS 0.21 seconds
SubjectPrefix PASS 0.06 seconds
BuildKernel PASS 28.49 seconds
CheckAllWarning PASS 31.21 seconds
CheckSparse PASS 36.86 seconds
CheckSmatch PASS 100.73 seconds
BuildKernel32 PASS 27.56 seconds
TestRunnerSetup PASS 524.37 seconds
TestRunner_l2cap-tester PASS 20.51 seconds
TestRunner_iso-tester FAIL 39.68 seconds
TestRunner_bnep-tester PASS 5.02 seconds
TestRunner_mgmt-tester FAIL 116.26 seconds
TestRunner_rfcomm-tester PASS 7.61 seconds
TestRunner_sco-tester PASS 11.25 seconds
TestRunner_ioctl-tester PASS 8.13 seconds
TestRunner_mesh-tester PASS 6.06 seconds
TestRunner_smp-tester PASS 8.09 seconds
TestRunner_userchan-tester PASS 5.15 seconds
IncrementalBuild PASS 26.60 seconds

Details
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
Total: 117, Passed: 116 (99.1%), Failed: 1, Not Run: 0

Failed Test Cases
ISO Connect2 Suspend - Success Failed 10.272 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 489 (99.4%), Failed: 1, Not Run: 2

Failed Test Cases
LL Privacy - Add Device 6 (RL is full) Failed 0.198 seconds


---
Regards,
Linux Bluetooth

2024-03-08 18:10:37

by patchwork-bot+bluetooth

Subject: Re: [PATCH v1] Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Fri, 8 Mar 2024 11:07:15 -0500 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> This fixes the following error caused by hci_conn being freed while
> hci_acl_create_conn_sync is pending:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
> Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848
>
> [...]

Here is the summary with links:
- [v1] Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
https://git.kernel.org/bluetooth/bluetooth-next/c/3d1c16e920c8

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html