Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp455667rdb;
        Sat, 30 Sep 2023 11:01:19 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFQXBeIdvw2KtjOawoKwtwIgindYNlLsxezENimCEwEfTsEoRKi9NrbG9haiYbtRKxXQAxL
X-Received: by 2002:a05:6a00:2d20:b0:68e:3772:4e40 with SMTP id fa32-20020a056a002d2000b0068e37724e40mr6987953pfb.3.1696096879036;
        Sat, 30 Sep 2023 11:01:19 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1696096879; cv=pass;
        d=google.com; s=arc-20160816;
        b=VBS+bv9Tb1dlDgqIoJz0fjWjDyeeYeDKcSbb6jN0AZnxgkObuSNjchzDQoBHmuKeEj
         SqhRP6CBGFeIWIA0JwKbFSDv3HYKOZiGA7YhdOYh2lTPxebTKRXicgsxGuJwMwX6FVcX
         e38SFXMFmV36WR1kY4O5DJY+wN5Lt/RCVBpujFuoyTiAa895/6kXf1TcRR39uN7vGx64
         fv5pAcwOJ7UrIhdCGakwOT7ALIjJOK+JNa5WPuHQEOkHUca7BpW5nXHQuo8q+9Ew6aih
         2wFIKmyzzBQfiaQ50VcHMgIjUD5EM4ZoRtCoA8bGe8GxJc1EBLt7y9iCmG2vxKmuNhhs
         W/dA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=/AMsXO9IMyLMxzv4Xz4AhWb5QaTAdBihj6zISEM8lVk=;
        fh=ExGhjNQEFJgRqHmYATVc5UXZbS7abAmaHDitrfHKOuE=;
        b=h4C7A4v4IS+i4M4VD/MsCdavBXClUfcjvyXan/EwzkU92jNTqrvZ5AzCOgCs1oIP23
         l9gvOghk8FJG7rVrHHVs+VZCwVz9s1siy+jFyfLOmGytmgqtnuHGMPLL/lP9I1hG86MC
         jAQ01aYhusQa3mE0eLN6mCM123nFb1jXb3WkQrEPPa0aAH+1eyR/rdwy6I2CqpqmPtRl
         iuHW7Eqs5pZ4Qf8nmXzlRJw6tXqp+fP3fScJt1alBxR17X8QwNgQ+6O3RMbNBAkAKieQ
         UnDASoav97uqQ7ZR2/1JtkYajah6NQ1aovf+5lYDK//OGS5Dh0xNzb2tki/axBhYhnxn
         OqRw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@iki.fi header.s=meesny header.b=iionRygw;
       arc=pass (i=1);
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [23.128.96.36])
        by mx.google.com with ESMTPS id n22-20020a63f816000000b0056f7592d732si23218355pgh.424.2023.09.30.11.01.17
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 30 Sep 2023 11:01:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@iki.fi header.s=meesny header.b=iionRygw;
       arc=pass (i=1);
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id AD58081C0C2E;
	Sat, 30 Sep 2023 05:53:45 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233956AbjI3Mxq (ORCPT <rfc822;glenndaneels@gmail.com>
        + 99 others); Sat, 30 Sep 2023 08:53:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40300 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233939AbjI3Mxp (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Sat, 30 Sep 2023 08:53:45 -0400
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92F96E6
        for <linux-bluetooth@vger.kernel.org>; Sat, 30 Sep 2023 05:53:43 -0700 (PDT)
Received: from monolith.lan (91-152-120-176.elisa-laajakaista.fi [91.152.120.176])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: pav)
        by meesny.iki.fi (Postfix) with ESMTPSA id 4RyRwh2l9kzyXv;
        Sat, 30 Sep 2023 15:53:39 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny;
        t=1696078420;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding;
        bh=/AMsXO9IMyLMxzv4Xz4AhWb5QaTAdBihj6zISEM8lVk=;
        b=iionRygwcN/sp3O8e4Lpir+z3zyKdiNvSQyxku8ophR+kOGlQqiROCybC0SBp+GORHZSTD
        5WwgUzDIr4WUycNpBzj+IUBcA3I+LN3IrlSKyaqe0lVCIaz0wUG/WFaj8dbmiu2bhDNT2o
        XCcfdSNhp6YAByNzDPaRlirO2/BtFBM=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1696078420; a=rsa-sha256; cv=none;
        b=Ixbw3tXqKJOMR/XS2wG3R1i5HJxPb+EPCBXWh3DEz6C3F4DZEB/OwzZV7DcoQxGYjRSuZv
        999+ok0y70sTnQ5uWZcS7lNbNO/5QcM5iiupaROHidY5ekqALzpqYa4N1kptu5BGUht9Wd
        VRLe/EOYcBPY/VrrSGRrqMXzTV/zqyo=
ARC-Authentication-Results: i=1;
        ORIGINATING;
        auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi;
        s=meesny; t=1696078420;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding;
        bh=/AMsXO9IMyLMxzv4Xz4AhWb5QaTAdBihj6zISEM8lVk=;
        b=jsY263zxdi7NpCV/QRs6l3OwiKVANsa8dwvnGUxcnUVTix3x78nrbQurSAaSIO4rt1666X
        hEGMY723/Dlxqvnx0LUKDebgdiYSLwwOt0kgrz7yuZMQAmbPHTZMLIgNr6x/BHKyuZjN8B
        W+fCfhBjVP5R3qmsf9sZBLtq4xNFobc=
From:   Pauli Virtanen <pav@iki.fi>
To:     linux-bluetooth@vger.kernel.org
Cc:     Pauli Virtanen <pav@iki.fi>
Subject: [PATCH v2 1/2] Bluetooth: hci_sync: always check if connection is alive before deleting
Date:   Sat, 30 Sep 2023 15:53:32 +0300
Message-ID: <53130b4a5fb21a15f2674c336282d25ef5d2232e.1696077070.git.pav@iki.fi>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Sat, 30 Sep 2023 05:53:46 -0700 (PDT)

In hci_abort_conn_sync it is possible that conn is deleted concurrently
by something else, also e.g. when waiting for hdev->lock.  This causes
double deletion of the conn, so UAF or conn_hash.list corruption.

Fix by having all code paths check that the connection is still in
conn_hash before deleting it, while holding hdev->lock which prevents
any races.

Log (when powering off while BAP streaming, occurs rarely):
=======================================================================
kernel BUG at lib/list_debug.c:56!
...
 ? __list_del_entry_valid (lib/list_debug.c:56)
 hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth
 hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth
 ? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth]
 ? lock_release+0x1d5/0x3c0
 ? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __kmem_cache_free+0x14d/0x2e0
 hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth]
 ? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth]
 ? hci_clear_adv_sync+0x14f/0x170 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x293/0x450 [bluetooth]
=======================================================================

Fixes: 94d9ba9f9888 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---

Notes:
    v2: rebased

 net/bluetooth/hci_sync.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 3640d73f9595..c6f57af88bfd 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5380,6 +5380,7 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
 {
 	int err = 0;
 	u16 handle = conn->handle;
+	bool disconnect = false;
 	struct hci_conn *c;
 
 	switch (conn->state) {
@@ -5395,24 +5396,15 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
 		break;
 	case BT_OPEN:
 	case BT_BOUND:
-		hci_dev_lock(hdev);
-		hci_conn_failed(conn, reason);
-		hci_dev_unlock(hdev);
-		return 0;
+		break;
 	default:
-		hci_dev_lock(hdev);
-		conn->state = BT_CLOSED;
-		hci_disconn_cfm(conn, reason);
-		hci_conn_del(conn);
-		hci_dev_unlock(hdev);
-		return 0;
+		disconnect = true;
+		break;
 	}
 
 	hci_dev_lock(hdev);
 
-	/* Check if the connection hasn't been cleanup while waiting
-	 * commands to complete.
-	 */
+	/* Check if the connection has been cleaned up concurrently */
 	c = hci_conn_hash_lookup_handle(hdev, handle);
 	if (!c || c != conn) {
 		err = 0;
@@ -5424,7 +5416,13 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
 	 * or in case of LE it was still scanning so it can be cleanup
 	 * safely.
 	 */
-	hci_conn_failed(conn, reason);
+	if (disconnect) {
+		conn->state = BT_CLOSED;
+		hci_disconn_cfm(conn, reason);
+		hci_conn_del(conn);
+	} else {
+		hci_conn_failed(conn, reason);
+	}
 
 unlock:
 	hci_dev_unlock(hdev);
-- 
2.41.0