From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: ZhengHan Wang <wzhmmmmm@gmail.com>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Sasha Levin <sashal@kernel.org>,
marcel@holtmann.org, johan.hedberg@gmail.com,
luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 14/18] Bluetooth: Fix double free in hci_conn_cleanup
Date: Tue, 7 Nov 2023 07:10:44 -0500 [thread overview]
Message-ID: <20231107121104.3757943-14-sashal@kernel.org> (raw)
In-Reply-To: <20231107121104.3757943-1-sashal@kernel.org>
From: ZhengHan Wang <wzhmmmmm@gmail.com>
[ Upstream commit a85fb91e3d728bdfc80833167e8162cce8bc7004 ]
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.
This fixes CVE-2023-28464.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_conn.c | 6 ++----
net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 728be9307f526..55e0ecd88543e 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -168,13 +168,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
}
- hci_conn_del_sysfs(conn);
-
debugfs_remove_recursive(conn->debugfs);
- hci_dev_put(hdev);
+ hci_conn_del_sysfs(conn);
- hci_conn_put(conn);
+ hci_dev_put(hdev);
}
static void le_scan_cleanup(struct work_struct *work)
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 08542dfc2dc53..633b82d542728 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
conn->dev.type = &bt_link;
conn->dev.class = bt_class;
@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- BT_DBG("conn %p", conn);
+ bt_dev_dbg(hdev, "conn %p", conn);
if (device_is_registered(&conn->dev))
return;
dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
- if (device_add(&conn->dev) < 0) {
+ if (device_add(&conn->dev) < 0)
bt_dev_err(hdev, "failed to register connection device");
- return;
- }
-
- hci_dev_hold(hdev);
}
void hci_conn_del_sysfs(struct hci_conn *conn)
{
struct hci_dev *hdev = conn->hdev;
- if (!device_is_registered(&conn->dev))
+ bt_dev_dbg(hdev, "conn %p", conn);
+
+ if (!device_is_registered(&conn->dev)) {
+ /* If device_add() has *not* succeeded, use *only* put_device()
+ * to drop the reference count.
+ */
+ put_device(&conn->dev);
return;
+ }
while (1) {
struct device *dev;
@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
put_device(dev);
}
- device_del(&conn->dev);
-
- hci_dev_put(hdev);
+ device_unregister(&conn->dev);
}
static void bt_host_release(struct device *dev)
--
2.42.0
next prev parent reply other threads:[~2023-11-07 12:11 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 12:10 [PATCH AUTOSEL 6.1 01/18] wifi: plfxlc: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 02/18] wifi: mac80211_hwsim: " Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 03/18] wifi: mac80211: don't return unset power in ieee80211_get_tx_power() Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 04/18] atl1c: Work around the DMA RX overflow issue Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 05/18] bpf: Detect IP == ksym.end as part of BPF program Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 06/18] wifi: ath9k: fix clang-specific fortify warnings Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 07/18] wifi: ath10k: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:10 ` Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 08/18] net: annotate data-races around sk->sk_tx_queue_mapping Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 09/18] net: annotate data-races around sk->sk_dst_pending_confirm Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 10/18] wifi: ath10k: Don't touch the CE interrupt registers after power up Sasha Levin
2023-11-07 12:10 ` Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 11/18] vsock: read from socket's error queue Sasha Levin
2023-11-07 12:10 ` Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 12/18] bpf: Ensure proper register state printing for cond jumps Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 13/18] Bluetooth: btusb: Add date->evt_skb is NULL check Sasha Levin
2023-11-07 12:10 ` Sasha Levin [this message]
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 15/18] ACPI: EC: Add quirk for HP 250 G7 Notebook PC Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 16/18] tsnep: Fix tsnep_request_irq() format-overflow warning Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 17/18] platform/chrome: kunit: initialize lock for fake ec_dev Sasha Levin
2023-11-07 12:10 ` [PATCH AUTOSEL 6.1 18/18] platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107121104.3757943-14-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
--cc=stable@vger.kernel.org \
--cc=wzhmmmmm@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.