From: Luiz Augusto von Dentz
Date: Thu, 26 May 2022 13:11:56 -0700
Subject: Re: [PATCH] Bluetooth: hci_conn: fix potential double free in le_scan_cleanup()
To: Paolo Abeni
Cc: Jianglei Nie, marcel@holtmann.org, johan.hedberg@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi,

On Thu, May 26, 2022 at 4:24 AM Paolo Abeni wrote:
>
> On Thu, 2022-05-26 at 17:49 +0800, Jianglei Nie wrote:
> > When "c == conn" is true, hci_conn_cleanup() is called. The
> > hci_conn_cleanup() calls hci_dev_put() and hci_conn_put() in
> > its function implementation. hci_dev_put() and hci_conn_put()
> > will free the relevant resource if the reference count reaches
> > zero, which may lead to a double free when hci_dev_put() and
> > hci_conn_put() are called again.
> >
> > We should add a return to this function after hci_conn_cleanup()
> > is called.
> >
> > Signed-off-by: Jianglei Nie
> > ---
> >  net/bluetooth/hci_conn.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> > index fe803bee419a..7b3e91eb9fa3 100644
> > --- a/net/bluetooth/hci_conn.c
> > +++ b/net/bluetooth/hci_conn.c
> > @@ -166,6 +166,7 @@ static void le_scan_cleanup(struct work_struct *work)
> >  if (c == conn) {
> >  hci_connect_le_scan_cleanup(conn);
> >  hci_conn_cleanup(conn);
> > + return;
>
> This looks not correct. At very least you should release the
> hci_dev_lock.

Yep, it should probably use break instead of return.

> Cheers,
>
> Paolo
>

--
Luiz Augusto von Dentz
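Review bot: the `+ return;` placed right after `hci_conn_cleanup(conn);` in the `if (c == conn)` branch leaves le_scan_cleanup() with hci_dev_lock still held, as Paolo points out, because nothing in the hunk releases the lock before the early exit. Replacing the line with `break;` exits the list walk while letting the unlock that follows the loop run, which is what Luiz suggests; a `return` would only be acceptable if an explicit hci_dev_unlock() preceded it. The commit message should also name the later hci_dev_put()/hci_conn_put() calls that the early exit is meant to skip, so the double-free path it describes can be checked against the code rather than taken on faith.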