Received: by 2002:a05:6359:6284:b0:131:369:b2a3 with SMTP id se4csp2277308rwb; Sun, 6 Aug 2023 14:22:12 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFfi2byXUoamSU5kpJCCDWL3FiQrRc9uzsNTfCBAOWvbUAKs1I4Ff2xchmj953Asz5UUP0q X-Received: by 2002:a54:4694:0:b0:3a1:dd99:8158 with SMTP id k20-20020a544694000000b003a1dd998158mr6858078oic.6.1691356932333; Sun, 06 Aug 2023 14:22:12 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1691356932; cv=pass; d=google.com; s=arc-20160816; b=gDS0FIK6Z+w/FJcel72jv3jj4Aaap3zH+Szu3OVH6eRlOYQXYyRNC4T9VvMXeB/OBJ C5QSe3Dfyq5Pxd1ekbIR6ol6IJ3GnVLo0LBH/S6TfA7pDLFb+da/El7d73kv5hsOZuQa E/AjwPyHUjhj9jd6UiiErYwzi/1bTJzATzeUo0hQJXdCCrFJg4Xh4NvvHM+FF+n3zWQG vCmv4iFOStIMo5f9COUUVOrMQxedOcztxy9xR88648LF/hiy30Ps5KI3YGuNZJlx9nKd Ni8dHUqwH2ZmoWy8eU6tTCmY/FAo/RsnJmlNeztb4MC8/Cbv4aOhvg0optZI/D68Umd7 7QPg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=NS2VaQ7geGZzm/jXHh7YZtOLYcCN+so+PWM+FlPyk30=; fh=raBgKoRsHCwQLc6ReOhmOoEQ+DtSaNc74fugaHBwryI=; b=ec+JgDUx3/mtsAo3SSIjJ1BaqmJtDyPhU2ibBVVE6/OUNav2VhGymK3xTgiurXb8ME V7/RPA8qGc8S+yzAU21hixY73tdiuHmDSPhMZp6KHtYyMAsjl8z5OIAzPtktODlM+u4d jLSosYHsQjcA6xNxVwb0meedXFVuFiskEzzMNTDnibPns6c6uqeQqdCf+kAxCzaFqJgX U4GzlQUv4RAj0DqW0KmibEHcunu/bLN/KnfAihN6RIizQLttkzmFSbnN25rGURtJfp+h qXjfkzRCW4QjmfH/emrMr6jGL3j9dbs0xq3w1Bxhvg1X4/Mtrml6jS5CpMyU6B0D3XOb Mxug== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@iki.fi header.s=lahtoruutu header.b=PBF5eYAz; arc=pass (i=1); spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cj5-20020a056a00298500b00687978513d0si4687646pfb.352.2023.08.06.14.21.59; Sun, 06 Aug 2023 14:22:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@iki.fi header.s=lahtoruutu header.b=PBF5eYAz; arc=pass (i=1); spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229503AbjHFUU1 (ORCPT + 99 others); Sun, 6 Aug 2023 16:20:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58944 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229649AbjHFUU0 (ORCPT ); Sun, 6 Aug 2023 16:20:26 -0400 Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4C92F1722 for ; Sun, 6 Aug 2023 13:20:24 -0700 (PDT) Received: from monolith.lan (unknown [193.138.7.198]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4RJrRV3j8Kz49Q8H; Sun, 6 Aug 2023 23:20:22 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1691353222; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NS2VaQ7geGZzm/jXHh7YZtOLYcCN+so+PWM+FlPyk30=; b=PBF5eYAzaU/+N4JtpMytfZaJW7CXbj67LmksYFVeF0GGr/fgoLDrx5FISWHzAcdzYDbZfz HDH06xIodUVUjDevLuBXDmYfBEFefgA+cEEeMzYHAq2gITq+Q4fc2+GWyQyRngPFozzrin LmaF6XX9/vZoZHfbeSknjmmstsTId+Mdc8HMPVlemTXEf+Eh857Tutdv5V1wIqMt7O2W2i 5Xf4EwJ4QuVKo/LgDBzxaz20PEZQc0aal7v6kMZ60W2tg1DuqMdgQ5DBPTQuHIdH6tnySd SU8dn6QDpUNwx0wtSbNmRuOiyHThPc9PIrg/LMMpkTWPNaY8HboFp8NZbw5oKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1691353222; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NS2VaQ7geGZzm/jXHh7YZtOLYcCN+so+PWM+FlPyk30=; b=avUAPM7q5CYXXRMVAXm68FLLAv1XMljzDys1wO6uTfoa155ayorEcpdiemOceLuOwVxUF+ CpBCxEtyuOkuTnggn0VCX3WTWqr0LrtM3c5tDgkDIv1FNUZKX6hakE0iPngTU2sa8WnZLY PhJfBYsvVf4scNJmga5wsl7E374hWshNZvh0VlwUTKR9W66eTYLH+17yySnpJ2fOlZXfXi hDWLYMxs9dooJggWZOlTXQFkAwD4fSrqbZcueCuo0Nk3EoYOLWjPU8j4rFya/coPG0bl8C sQpqAhJ1Dcfk9JkpknojhNkkRgXE2uwdlVN2QK6EmkuswpXQq2VxMIgqhzYo2g== ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1691353222; a=rsa-sha256; cv=none; b=q8t3U/D003ytyDNNZL+IMo2HXcUbSnIw2AIFWEdkXQU5iN3Zph/zDG5zqluj8y+Zi9jtuQ FxCva7RG77N1eqdpoD9y2v1zi5fqhrDzg74Te77mYhp9GXrsmUAxkEaMJkQwxTrSxMxIIL RRH2cgtqDYJQ/rGWf0zIVzja2JfyipIwCATerSihScSraLXpdvLJ6WNW3YEqKuHI4CFBJ9 WsIk74PfCNp49vX6blcl66Dm4kLPnH1DoNg7bXghm/6VPeSVh+Qb1Ie5zAkURzN4U++DSp d0VQCvHnG+WfmStD23SZsJGSpWCToEiN+yJExbE/Neu7Jj5+LRv/49zlegGcfQ== From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen Subject: [PATCH v2 4/4] Bluetooth: hci_conn: verify connection is to be aborted before doing it Date: Sun, 6 Aug 2023 23:18:40 +0300 Message-ID: <8e9dcf715fa1215545c1a01ad44b62d77a4edebe.1691352503.git.pav@iki.fi> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org When processing connections in abort_conn_sync, also check the connection handle still refers to a connection that should be aborted. There is a theoretical race condition where a connection handle is reused, after hci_abort_conn but before abort_conn_sync is processed in hci_sync. This change should avoid terminating a wrong connection in this case. Signed-off-by: Pauli Virtanen --- Notes: v2: no change net/bluetooth/hci_conn.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index ae206eb551f7..b65a1e9b178b 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -2861,7 +2861,7 @@ static int abort_conn_sync(struct hci_dev *hdev, void *data) u16 handle = PTR_ERR(data); conn = hci_conn_hash_lookup_handle(hdev, handle); - if (!conn) + if (!conn || !conn->abort_reason) return 0; return hci_abort_conn_sync(hdev, conn, conn->abort_reason); @@ -2876,6 +2876,8 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) */ if (conn->abort_reason) return 0; + if (!reason) + return -EINVAL; bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason); -- 2.41.0