From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Luiz Augusto von Dentz, Sumanth Gavini
Subject: [PATCH 6.1 388/482] Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
Date: Tue, 26 Aug 2025 13:10:41 +0200
Message-ID: <20250826110940.414210365@linuxfoundation.org>
In-Reply-To: <20250826110930.769259449@linuxfoundation.org>
References: <20250826110930.769259449@linuxfoundation.org>
X-stable: review

6.1-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sumanth Gavini

commit 5af1f84ed13a416297ab9ced7537f4d5ae7f329a upstream.

Connections may be cleaned up while waiting for the commands to complete, so this attempts to check if the connection handle remains valid in case of errors that would lead to calling hci_conn_failed:

BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52

CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted 6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 dump_stack_lvl+0x1d/0x70
 print_report+0xce/0x620
 ? __virt_addr_valid+0xd4/0x150
 ? hci_conn_failed+0x1f/0x160
 kasan_report+0xd1/0x100
 ? hci_conn_failed+0x1f/0x160
 hci_conn_failed+0x1f/0x160
 hci_abort_conn_sync+0x237/0x360

Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Sumanth Gavini
Signed-off-by: Greg Kroah-Hartman
---
 net/bluetooth/hci_sync.c | 43 +++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 14 deletions(-)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5525,31 +5525,46 @@ static int hci_reject_conn_sync(struct h int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason) { - int err; + int err = 0; + u16 handle = conn->handle; switch (conn->state) { case BT_CONNECTED: case BT_CONFIG: - return hci_disconnect_sync(hdev, conn, reason); + err = hci_disconnect_sync(hdev, conn, reason); + break; case BT_CONNECT: err = hci_connect_cancel_sync(hdev, conn); - /* Cleanup hci_conn object if it cannot be cancelled as it - * likelly means the controller and host stack are out of sync. - */ - if (err) { - hci_dev_lock(hdev); - hci_conn_failed(conn, err); - hci_dev_unlock(hdev); - } - return err; + break; case BT_CONNECT2: - return hci_reject_conn_sync(hdev, conn, reason); + err = hci_reject_conn_sync(hdev, conn, reason); + break; default: conn->state = BT_CLOSED; - break; + return 0; + } + + /* Cleanup hci_conn object if it cannot be cancelled as it + * likelly means the controller and host stack are out of sync + * or in case of LE it was still scanning so it can be cleanup + * safely. + */ + if (err) { + struct hci_conn *c; + + /* Check if the connection hasn't been cleanup while waiting + * commands to complete. + */ + c = hci_conn_hash_lookup_handle(hdev, handle); + if (!c || c != conn) + return 0; + + hci_dev_lock(hdev); + hci_conn_failed(conn, err); + hci_dev_unlock(hdev); } - return 0; + return err; } static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
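Review bot: the validity check in the `if (err)` block is performed before `hci_dev_lock(hdev)` is taken, so there is still a window between `c = hci_conn_hash_lookup_handle(hdev, handle);` returning `conn` and `hci_conn_failed(conn, err);` in which the connection can be cleaned up by another path, which is exactly the class of use-after-free the patch is addressing; consider taking `hci_dev_lock(hdev)` first and doing the lookup and the `!c || c != conn` comparison under the lock, unlocking on the early `return 0`. Note also that the early `return 0` silently discards `err` when the connection is gone, which is deliberate per the comment but worth a line of explanation, and that the moved comment still carries the typo "likelly" (should be "likely").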