From: Luiz Augusto von Dentz <[email protected]>
Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Min Li <[email protected]>
---
net/bluetooth/l2cap_core.c | 24 ++++++------------------
1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 8153293b9a45..5cc95fd17f7d 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4651,33 +4651,27 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
- mutex_lock(&conn->chan_lock);
-
- chan = __l2cap_get_chan_by_scid(conn, dcid);
+ chan = l2cap_get_chan_by_scid(conn, dcid);
if (!chan) {
- mutex_unlock(&conn->chan_lock);
cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
return 0;
}
- l2cap_chan_hold(chan);
- l2cap_chan_lock(chan);
-
rsp.dcid = cpu_to_le16(chan->scid);
rsp.scid = cpu_to_le16(chan->dcid);
l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
chan->ops->set_shutdown(chan);
+ mutex_lock(&conn->chan_lock);
l2cap_chan_del(chan, ECONNRESET);
+ mutex_unlock(&conn->chan_lock);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
- mutex_unlock(&conn->chan_lock);
-
return 0;
}
@@ -4697,33 +4691,27 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
- mutex_lock(&conn->chan_lock);
-
- chan = __l2cap_get_chan_by_scid(conn, scid);
+ chan = l2cap_get_chan_by_scid(conn, scid);
if (!chan) {
mutex_unlock(&conn->chan_lock);
return 0;
}
- l2cap_chan_hold(chan);
- l2cap_chan_lock(chan);
-
if (chan->state != BT_DISCONN) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
- mutex_unlock(&conn->chan_lock);
return 0;
}
+ mutex_lock(&conn->chan_lock);
l2cap_chan_del(chan, 0);
+ mutex_unlock(&conn->chan_lock);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
- mutex_unlock(&conn->chan_lock);
-
return 0;
}
--
2.39.2
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=738043
---Test result---
Test Summary:
CheckPatch PASS 0.70 seconds
GitLint PASS 0.33 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 32.03 seconds
CheckAllWarning PASS 35.10 seconds
CheckSparse PASS 40.39 seconds
CheckSmatch PASS 108.24 seconds
BuildKernel32 PASS 31.21 seconds
TestRunnerSetup PASS 445.76 seconds
TestRunner_l2cap-tester PASS 16.46 seconds
TestRunner_iso-tester PASS 16.15 seconds
TestRunner_bnep-tester PASS 5.35 seconds
TestRunner_mgmt-tester FAIL 113.09 seconds
TestRunner_rfcomm-tester PASS 8.48 seconds
TestRunner_sco-tester PASS 7.78 seconds
TestRunner_ioctl-tester PASS 9.09 seconds
TestRunner_mesh-tester PASS 6.64 seconds
TestRunner_smp-tester PASS 7.67 seconds
TestRunner_userchan-tester PASS 5.58 seconds
IncrementalBuild PASS 29.77 seconds
Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 497, Passed: 494 (99.4%), Failed: 3, Not Run: 0
Failed Test Cases
Get PHY Success Failed 0.127 seconds
Set PHY 1m 2m coded Succcess Timed out 2.070 seconds
Start Discovery LE - (Ext Scan Param) Failed 0.121 seconds
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Fri, 7 Apr 2023 11:02:01 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
> caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
> prevent referencing a channel that is about to be destroyed.
>
> Signed-off-by: Luiz Augusto von Dentz <[email protected]>
> Signed-off-by: Min Li <[email protected]>
>
> [...]
Here is the summary with links:
- Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
https://git.kernel.org/bluetooth/bluetooth-next/c/cbcb70b9beee
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html