From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable@kernel.org,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Min Li <lm0963hack@gmail.com>
Subject: [PATCH 4.14 21/37] Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Date: Tue, 18 Apr 2023 14:21:31 +0200 [thread overview]
Message-ID: <20230418120255.412004523@linuxfoundation.org> (raw)
In-Reply-To: <20230418120254.687480980@linuxfoundation.org>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit a2a9339e1c9deb7e1e079e12e27a0265aea8421a upstream.
Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.
Cc: stable@kernel.org
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Min Li <lm0963hack@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 24 ++++++------------------
1 file changed, 6 insertions(+), 18 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4350,33 +4350,27 @@ static inline int l2cap_disconnect_req(s
BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
- mutex_lock(&conn->chan_lock);
-
- chan = __l2cap_get_chan_by_scid(conn, dcid);
+ chan = l2cap_get_chan_by_scid(conn, dcid);
if (!chan) {
- mutex_unlock(&conn->chan_lock);
cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
return 0;
}
- l2cap_chan_hold(chan);
- l2cap_chan_lock(chan);
-
rsp.dcid = cpu_to_le16(chan->scid);
rsp.scid = cpu_to_le16(chan->dcid);
l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
chan->ops->set_shutdown(chan);
+ mutex_lock(&conn->chan_lock);
l2cap_chan_del(chan, ECONNRESET);
+ mutex_unlock(&conn->chan_lock);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
- mutex_unlock(&conn->chan_lock);
-
return 0;
}
@@ -4396,33 +4390,27 @@ static inline int l2cap_disconnect_rsp(s
BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
- mutex_lock(&conn->chan_lock);
-
- chan = __l2cap_get_chan_by_scid(conn, scid);
+ chan = l2cap_get_chan_by_scid(conn, scid);
if (!chan) {
mutex_unlock(&conn->chan_lock);
return 0;
}
- l2cap_chan_hold(chan);
- l2cap_chan_lock(chan);
-
if (chan->state != BT_DISCONN) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
- mutex_unlock(&conn->chan_lock);
return 0;
}
+ mutex_lock(&conn->chan_lock);
l2cap_chan_del(chan, 0);
+ mutex_unlock(&conn->chan_lock);
chan->ops->close(chan);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
- mutex_unlock(&conn->chan_lock);
-
return 0;
}
next prev parent reply other threads:[~2023-04-18 12:24 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 12:21 [PATCH 4.14 00/37] 4.14.313-rc1 review Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 01/37] pwm: cros-ec: Explicitly set .polarity in .get_state() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 02/37] wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 03/37] icmp: guard against too small mtu Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 04/37] ipv6: Fix an uninit variable access bug in __ip6_make_skb() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 05/37] gpio: davinci: Add irq chip flag to skip set wake Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 06/37] USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 07/37] USB: serial: option: add Telit FE990 compositions Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 08/37] USB: serial: option: add Quectel RM500U-CN modem Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 09/37] iio: dac: cio-dac: Fix max DAC write value check for 12-bit Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 10/37] tty: serial: sh-sci: Fix Rx on RZ/G2L SCI Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 11/37] nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 12/37] nilfs2: fix sysfs interface lifetime Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 13/37] perf/core: Fix the same task check in perf_event_set_output Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 14/37] ftrace: Mark get_lock_parent_ip() __always_inline Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 15/37] ring-buffer: Fix race while reader and writer are on the same page Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 16/37] mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 17/37] ALSA: emu10k1: fix capture interrupt handler unlinking Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 18/37] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 19/37] ALSA: i2c/cs8427: fix iec958 mixer control deactivation Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 20/37] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards Greg Kroah-Hartman
2023-04-18 12:21 ` Greg Kroah-Hartman [this message]
2023-04-18 12:21 ` [PATCH 4.14 22/37] Bluetooth: Fix race condition in hidp_session_thread Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 23/37] mtdblock: tolerate corrected bit-flips Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 24/37] 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 25/37] niu: Fix missing unwind goto in niu_alloc_channels() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 26/37] qlcnic: check pci_reset_function result Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 27/37] net: macb: fix a memory corruption in extended buffer descriptor mode Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 28/37] i2c: imx-lpi2c: clean rx/tx buffers upon new message Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 29/37] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 30/37] verify_pefile: relax wrapper length check Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 31/37] ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 32/37] cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 33/37] watchdog: sbsa_wdog: Make sure the timeout programming is within the limits Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 34/37] coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 35/37] KVM: arm64: Factor out core register ID enumeration Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 36/37] KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 4.14 37/37] arm64: KVM: Fix system register enumeration Greg Kroah-Hartman
2023-04-18 14:11 ` [PATCH 4.14 00/37] 4.14.313-rc1 review Chris Paterson
2023-04-19 3:33 ` Guenter Roeck
2023-04-19 8:41 ` Naresh Kamboju
2023-04-19 10:51 ` Jon Hunter
2023-04-19 12:39 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230418120255.412004523@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lm0963hack@gmail.com \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox