2023-03-09 09:35:18

by ZhengHan Wang

Subject: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
  kfree(name)

hci_conn_put:
  put_device
    ...
    kfree(name)

This patch drops the hci_dev_put and hci_conn_put function
calls in the hci_conn_cleanup function, because the object is
freed in the hci_conn_del_sysfs function.

Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

Signed-off-by: ZhengHan Wang <[email protected]>
---
net/bluetooth/hci_conn.c | 4 ----
1 file changed, 4 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index acf563fbdfd9..a0ccbef34bc2 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -152,10 +152,6 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hci_conn_del_sysfs(conn);

debugfs_remove_recursive(conn->debugfs);
-
- hci_dev_put(hdev);
-
- hci_conn_put(conn);
}

static void le_scan_cleanup(struct work_struct *work)
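Review bot: The hunk keeps `debugfs_remove_recursive(conn->debugfs);` after `hci_conn_del_sysfs(conn);`, yet the commit message says the object is already freed inside hci_conn_del_sysfs; if that description is right, the debugfs line now dereferences freed memory and must move before the sysfs teardown, and if it is wrong, the justification for dropping the puts needs rewriting. The hunk also removes `hci_dev_put(hdev)` and `hci_conn_put(conn)` unconditionally, which act on two different objects (the hci_dev and the conn), while the message speaks of "the same object" being released twice; each removed put balances some earlier hold or get, so the message should name which acquisition each one paired with and why hci_conn_del_sysfs now covers both, otherwise a reference taken elsewhere is never dropped and the kfree(name) chains shown describe where memory is freed, not which reference is dropped twice.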
--
2.25.1



2023-03-09 10:02:23

by bluez.test.bot

Subject: RE: Bluetooth: Fix double free in hci_conn_cleanup

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=728193

---Test result---

Test Summary:
CheckPatch                 PASS      0.76 seconds
GitLint                    FAIL      0.76 seconds
SubjectPrefix              PASS      0.13 seconds
BuildKernel                PASS     39.46 seconds
CheckAllWarning            PASS     43.50 seconds
CheckSparse                PASS     48.67 seconds
CheckSmatch                PASS    129.92 seconds
BuildKernel32              PASS     39.50 seconds
TestRunnerSetup            PASS    543.39 seconds
TestRunner_l2cap-tester    PASS     18.91 seconds
TestRunner_iso-tester      PASS     24.66 seconds
TestRunner_bnep-tester     PASS      7.19 seconds
TestRunner_mgmt-tester     FAIL    130.80 seconds
TestRunner_rfcomm-tester   PASS     10.79 seconds
TestRunner_sco-tester      PASS     10.10 seconds
TestRunner_ioctl-tester    FAIL     12.00 seconds
TestRunner_mesh-tester     PASS      9.13 seconds
TestRunner_smp-tester      PASS      9.75 seconds
TestRunner_userchan-tester PASS      7.58 seconds
IncrementalBuild           PASS     36.34 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: Fix double free in hci_conn_cleanup

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
32: B1 Line exceeds max length (87>80): "Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]"
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 5, Not Run: 0

Failed Test Cases
Read Ext Controller Info 1    Failed    0.144 seconds
Read Ext Controller Info 2    Failed    0.176 seconds
Read Ext Controller Info 3    Failed    0.148 seconds
Read Ext Controller Info 4    Failed    0.144 seconds
Read Ext Controller Info 5    Failed    0.180 seconds
##############################
Test: TestRunner_ioctl-tester - FAIL
Desc: Run ioctl-tester with test-runner
Output:
No test result found


---
Regards,
Linux Bluetooth