raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 10:00:17 +00:00
Code Issues Projects Releases Wiki Activity

Bluetooth: hci_sync: always check if connection is alive before deleting

Browse Source 
In hci_abort_conn_sync it is possible that conn is deleted concurrently
by something else, also e.g. when waiting for hdev->lock.  This causes
double deletion of the conn, so UAF or conn_hash.list corruption.

Fix by having all code paths check that the connection is still in
conn_hash before deleting it, while holding hdev->lock which prevents
any races.

Log (when powering off while BAP streaming, occurs rarely):
=======================================================================
kernel BUG at lib/list_debug.c:56!
...
 ? __list_del_entry_valid (lib/list_debug.c:56)
 hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth
 hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth
 ? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth]
 ? lock_release+0x1d5/0x3c0
 ? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __kmem_cache_free+0x14d/0x2e0
 hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth]
 ? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth]
 ? hci_clear_adv_sync+0x14f/0x170 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x293/0x450 [bluetooth]
=======================================================================

Fixes: 94d9ba9f98 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Pauli Virtanen
2023-09-30 15:53:32 +03:00
committed by Luiz Augusto von Dentz
parent 1ffc6f8cc3
commit a239110ee8
1 changed files with 12 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
net/bluetooth/hci_sync.c
View File

@@ -5369,6 +5369,7 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
{ {
int err = 0; int err = 0;
u16 handle = conn->handle; u16 handle = conn->handle;
bool disconnect = false;
struct hci_conn *c; struct hci_conn *c;
switch (conn->state) { switch (conn->state) {
@@ -5399,24 +5400,15 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
hci_dev_unlock(hdev); hci_dev_unlock(hdev);
return 0; return 0;
case BT_BOUND: case BT_BOUND:
hci_dev_lock(hdev); break;
hci_conn_failed(conn, reason);
hci_dev_unlock(hdev);
return 0;
default: default:
hci_dev_lock(hdev); disconnect = true;
conn->state = BT_CLOSED; break;
hci_disconn_cfm(conn, reason);
hci_conn_del(conn);
hci_dev_unlock(hdev);
return 0;
} }
hci_dev_lock(hdev); hci_dev_lock(hdev);
/* Check if the connection hasn't been cleanup while waiting /* Check if the connection has been cleaned up concurrently */
* commands to complete.
*/
c = hci_conn_hash_lookup_handle(hdev, handle); c = hci_conn_hash_lookup_handle(hdev, handle);
if (!c || c != conn) { if (!c || c != conn) {
err = 0; err = 0;
@@ -5428,7 +5420,13 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
* or in case of LE it was still scanning so it can be cleanup * or in case of LE it was still scanning so it can be cleanup
* safely. * safely.
*/ */
if (disconnect) {
conn->state = BT_CLOSED;
hci_disconn_cfm(conn, reason);
hci_conn_del(conn);
} else {
hci_conn_failed(conn, reason); hci_conn_failed(conn, reason);
}
unlock: unlock:
hci_dev_unlock(hdev); hci_dev_unlock(hdev);