From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Luiz Augusto von Dentz" <luiz.von.dentz@intel.com>,
"Sönke Huster" <soenke.huster@eknoes.de>,
"Marcel Holtmann" <marcel@holtmann.org>,
"Sasha Levin" <sashal@kernel.org>,
johan.hedberg@gmail.com, luiz.dentz@gmail.com,
davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 21/22] Bluetooth: Fix use after free in hci_send_acl
Date: Fri, 1 Apr 2022 10:47:28 -0400 [thread overview]
Message-ID: <20220401144729.1955554-21-sashal@kernel.org> (raw)
In-Reply-To: <20220401144729.1955554-1-sashal@kernel.org>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit f63d24baff787e13b723d86fe036f84bdbc35045 ]
This fixes the following trace caused by receiving
HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without
first checking if conn->type is in fact AMP_LINK and in case it is
do properly cleanup upper layers with hci_disconn_cfm:
==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
Read of size 8 at addr ffff88800e404818 by task bluetoothd/142
CPU: 0 PID: 142 Comm: bluetoothd Not tainted
5.17.0-rc5-00006-gda4022eeac1a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x59
print_address_description.constprop.0+0x1f/0x150
kasan_report.cold+0x7f/0x11b
hci_send_acl+0xaba/0xc50
l2cap_do_send+0x23f/0x3d0
l2cap_chan_send+0xc06/0x2cc0
l2cap_sock_sendmsg+0x201/0x2b0
sock_sendmsg+0xdc/0x110
sock_write_iter+0x20f/0x370
do_iter_readv_writev+0x343/0x690
do_iter_write+0x132/0x640
vfs_writev+0x198/0x570
do_writev+0x202/0x280
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05
<48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
</TASK>
R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0
Allocated by task 45:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
hci_chan_create+0x9a/0x2f0
l2cap_conn_add.part.0+0x1a/0xdc0
l2cap_connect_cfm+0x236/0x1000
le_conn_complete_evt+0x15a7/0x1db0
hci_le_conn_complete_evt+0x226/0x2c0
hci_le_meta_evt+0x247/0x450
hci_event_packet+0x61b/0xe90
hci_rx_work+0x4d5/0xc50
process_one_work+0x8fb/0x15a0
worker_thread+0x576/0x1240
kthread+0x29d/0x340
ret_from_fork+0x1f/0x30
Freed by task 45:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0xfb/0x130
kfree+0xac/0x350
hci_conn_cleanup+0x101/0x6a0
hci_conn_del+0x27e/0x6c0
hci_disconn_phylink_complete_evt+0xe0/0x120
hci_event_packet+0x812/0xe90
hci_rx_work+0x4d5/0xc50
process_one_work+0x8fb/0x15a0
worker_thread+0x576/0x1240
kthread+0x29d/0x340
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff88800c0f0500
The buggy address is located 24 bytes inside of
which belongs to the cache kmalloc-128 of size 128
The buggy address belongs to the page:
128-byte region [ffff88800c0f0500, ffff88800c0f0580)
flags: 0x100000000000200(slab|node=0|zone=1)
page:00000000fe45cd86 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0xc0f0
raw: 0000000000000000 0000000080100010 00000001ffffffff
0000000000000000
raw: 0100000000000200 ffffea00003a2c80 dead000000000004
ffff8880078418c0
page dumped because: kasan: bad access detected
ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
Memory state around the buggy address:
>ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
==================================================================
ffff88800c0f0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Reported-by: Sönke Huster <soenke.huster@eknoes.de>
Tested-by: Sönke Huster <soenke.huster@eknoes.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 39e222fb3004..4eeba9dfb38f 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4470,8 +4470,9 @@ static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
hci_dev_lock(hdev);
hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
- if (hcon) {
+ if (hcon && hcon->type == AMP_LINK) {
hcon->state = BT_CLOSED;
+ hci_disconn_cfm(hcon, ev->reason);
hci_conn_del(hcon);
}
--
2.34.1
next prev parent reply other threads:[~2022-04-01 15:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-01 14:47 [PATCH AUTOSEL 4.14 01/22] ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 02/22] ptp: replace snprintf with sysfs_emit Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 03/22] powerpc: dts: t104xrdb: fix phy type for FMAN 4/5 Sasha Levin
2022-04-01 14:47 ` Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 04/22] scsi: mvsas: Replace snprintf() with sysfs_emit() Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 05/22] scsi: bfa: " Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 06/22] power: supply: axp20x_battery: properly report current when discharging Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 07/22] powerpc: Set crashkernel offset to mid of RMA region Sasha Levin
2022-04-01 14:47 ` Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 08/22] PCI: aardvark: Fix support for MSI interrupts Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 09/22] iommu/arm-smmu-v3: fix event handling soft lockup Sasha Levin
2022-04-01 14:47 ` Sasha Levin
2022-04-01 14:47 ` [dm-devel] [PATCH AUTOSEL 4.14 10/22] dm ioctl: prevent potential spectre v1 gadget Sasha Levin
2022-04-01 14:47 ` Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 11/22] scsi: pm8001: Fix pm8001_mpi_task_abort_resp() Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 12/22] scsi: aha152x: Fix aha152x_setup() __setup handler return value Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 13/22] net/smc: correct settings of RMB window update limit Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 14/22] macvtap: advertise link netns via netlink Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 15/22] bnxt_en: Eliminate unintended link toggle during FW reset Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 16/22] MIPS: fix fortify panic when copying asm exception handlers Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 17/22] powerpc/code-patching: Pre-map patch area Sasha Levin
2022-04-01 14:47 ` Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 18/22] scsi: libfc: Fix use after free in fc_exch_abts_resp() Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 19/22] usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm Sasha Levin
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 20/22] xtensa: fix DTC warning unit_address_format Sasha Levin
2022-04-01 14:47 ` Sasha Levin [this message]
2022-04-01 14:47 ` [PATCH AUTOSEL 4.14 22/22] init/main.c: return 1 from handled __setup() functions Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220401144729.1955554-21-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=johan.hedberg@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=soenke.huster@eknoes.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.