From: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Date: Fri, 7 Apr 2023 11:02:01 -0700
Message-Id: <20230407180201.3229763-1-luiz.dentz@gmail.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org
From: Luiz Augusto von Dentz

Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed.

Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Min Li
---
 net/bluetooth/l2cap_core.c | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 8153293b9a45..5cc95fd17f7d 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4651,33 +4651,27 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); - mutex_lock(&conn->chan_lock); - - chan = __l2cap_get_chan_by_scid(conn, dcid); + chan = l2cap_get_chan_by_scid(conn, dcid); if (!chan) { - mutex_unlock(&conn->chan_lock); cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); return 0; } - l2cap_chan_hold(chan); - l2cap_chan_lock(chan); - rsp.dcid = cpu_to_le16(chan->scid); rsp.scid = cpu_to_le16(chan->dcid); l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); chan->ops->set_shutdown(chan); + mutex_lock(&conn->chan_lock); l2cap_chan_del(chan, ECONNRESET); + mutex_unlock(&conn->chan_lock); chan->ops->close(chan); l2cap_chan_unlock(chan); l2cap_chan_put(chan); - mutex_unlock(&conn->chan_lock); - return 0; }
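Review bot: the commit message says to "just use l2cap_chan_hold_unless_zero", but no call to it appears anywhere in this hunk; the only visible change in the lookup is `__l2cap_get_chan_by_scid()` becoming `l2cap_get_chan_by_scid()`, with the explicit `l2cap_chan_hold(chan);` / `l2cap_chan_lock(chan);` pair dropped. The reader has to take on trust that the unless-zero hold and the channel lock now happen inside `l2cap_get_chan_by_scid()`, since `l2cap_chan_unlock(chan);` and `l2cap_chan_put(chan);` at the end of the hunk still assume both. Please spell that out in the commit message. Worth a sentence too on lock ordering: before, `conn->chan_lock` was held before the channel lock for the whole handler; after this hunk, `mutex_lock(&conn->chan_lock);` is taken around `l2cap_chan_del()` while the channel lock is already held, so the order is reversed relative to the removed code, and the message should say why that is safe.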
@@ -4697,33 +4691,27 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); - mutex_lock(&conn->chan_lock); - - chan = __l2cap_get_chan_by_scid(conn, scid); + chan = l2cap_get_chan_by_scid(conn, scid); if (!chan) { mutex_unlock(&conn->chan_lock); return 0; } - l2cap_chan_hold(chan); - l2cap_chan_lock(chan); - if (chan->state != BT_DISCONN) { l2cap_chan_unlock(chan); l2cap_chan_put(chan); - mutex_unlock(&conn->chan_lock); return 0; } + mutex_lock(&conn->chan_lock); l2cap_chan_del(chan, 0); + mutex_unlock(&conn->chan_lock); chan->ops->close(chan); l2cap_chan_unlock(chan); l2cap_chan_put(chan); - mutex_unlock(&conn->chan_lock); - return 0; } -- 2.39.2
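Review bot: the `if (!chan)` block in l2cap_disconnect_rsp() still contains `mutex_unlock(&conn->chan_lock);` as unchanged context, yet the `- mutex_lock(&conn->chan_lock);` that paired with it is removed at the top of the hunk, so the not-found path now unlocks a mutex this function no longer holds. The matching line in the l2cap_disconnect_req() hunk was removed (`- mutex_unlock(&conn->chan_lock);`); do the same here so the block is just `if (!chan) return 0;`. The same lock-order remark as for the req hunk applies to the new `mutex_lock(&conn->chan_lock);` taken around `l2cap_chan_del(chan, 0);` while the channel lock is held.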