From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Luiz Augusto von Dentz, Ruihan Li, Luiz Augusto von Dentz
Subject: [PATCH 6.3 154/160] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
Date: Mon, 12 Jun 2023 12:28:06 +0200
Message-ID: <20230612101722.113596893@linuxfoundation.org>
In-Reply-To: <20230612101715.129581706@linuxfoundation.org>
References: <20230612101715.129581706@linuxfoundation.org>

From: Ruihan Li

commit 2910431ab0e500dfc5df12299bb15eef0f30b43e upstream.

If hci_conn_put(conn->parent) reduces conn->parent's reference count to zero, it can immediately deallocate conn->parent. At the same time, conn->link->list has its head in conn->parent, causing use-after-free problems in the latter list_del_rcu(&conn->link->list).

This problem can be easily solved by reordering the two operations, i.e., first performing the list removal with list_del_rcu and then decreasing the refcnt with hci_conn_put.

Reported-by: Luiz Augusto von Dentz
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@mail.gmail.com/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Greg Kroah-Hartman
---
 net/bluetooth/hci_conn.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1107,12 +1107,12 @@ static void hci_conn_unlink(struct hci_c
 	if (!conn->link)
 		return;
 
-	hci_conn_put(conn->parent);
-	conn->parent = NULL;
-
 	list_del_rcu(&conn->link->list);
 	synchronize_rcu();
 
+	hci_conn_put(conn->parent);
+	conn->parent = NULL;
+
 	kfree(conn->link);
 	conn->link = NULL;
 }
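Review bot: the ordering constraint this hunk fixes is not recorded anywhere in the code, so a later cleanup could hoist hci_conn_put(conn->parent) back above list_del_rcu() without noticing that conn->link->list is headed in conn->parent; suggest a one-line comment above the list_del_rcu() call in this hunk, e.g. "/* conn->link->list is headed in conn->parent: unlink before dropping the parent ref */". Minor: the subject says the refcount drop must be placed last, but in the hunk it is followed by kfree(conn->link) and conn->link = NULL; that is harmless since conn->link does not depend on conn->parent, but "after list_del_rcu" would describe the change more precisely.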
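The commit message describes a use-after-free that depends purely on operation order: the list node's head lives inside the refcounted parent, so dropping the parent's last reference before unlinking touches freed memory. The following is an added example, not the kernel's code or part of this patch: it models hci_conn's parent/link relationship with a hypothetical refcounted `struct parent` that owns a list head, a `struct child` whose link node hangs on that list, and a simulated allocator that records whether the head is dereferenced after the parent was released. All names are made up for illustration, and the example assumes the link holds the parent's only remaining reference, which is the case that triggers the bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct node { struct node *prev, *next; };

/* Hypothetical refcounted parent that owns the list head, standing in for
 * the hci_conn that conn->parent points at. */
struct parent {
    int refcnt;
    struct node links;
    bool freed;      /* simulated allocator: set when the last ref is dropped */
};

/* Hypothetical child; its link node is embedded here (the kernel allocates
 * conn->link separately, which does not change the ordering problem). */
struct child {
    struct parent *parent;
    struct node link;
};

/* Set by list_del_checked() if it has to dereference a freed parent. */
static bool touched_freed;

static void list_init(struct node *h) { h->prev = h->next = h; }

static void list_add(struct node *h, struct node *n) {
    n->next = h->next;
    n->prev = h;
    h->next->prev = n;
    h->next = n;
}

/* Unlinking n writes through n->prev and n->next. With a single element both
 * point at the head embedded in the owner, so this is exactly the access that
 * becomes a use-after-free once the owner has been deallocated. */
static void list_del_checked(struct node *n, const struct parent *owner) {
    if (owner->freed)
        touched_freed = true;
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->prev = n->next = NULL;
}

static void parent_put(struct parent *p) {
    if (--p->refcnt == 0)
        p->freed = true;   /* stands in for the kernel freeing the hci_conn */
}

static void setup(struct parent *p, struct child *c) {
    p->refcnt = 1;         /* assumption: the link holds the only reference */
    p->freed = false;
    list_init(&p->links);
    c->parent = p;
    list_add(&p->links, &c->link);
    touched_freed = false;
}

/* Pre-patch order: drop the parent reference, then remove from its list.
 * Returns true because the list head was touched after the parent was freed. */
static bool demo_put_first(void) {
    struct parent p;
    struct child c;
    setup(&p, &c);
    parent_put(c.parent);
    c.parent = NULL;
    list_del_checked(&c.link, &p);
    return touched_freed;
}

/* Post-patch order: remove from the list first, drop the reference last.
 * Returns false: the head is never touched after deallocation. */
static bool demo_del_first(void) {
    struct parent p;
    struct child c;
    setup(&p, &c);
    list_del_checked(&c.link, &p);
    parent_put(c.parent);
    c.parent = NULL;
    return touched_freed;
}

int main(void) {
    printf("put-then-del touches freed parent: %s\n", demo_put_first() ? "yes" : "no");
    printf("del-then-put touches freed parent: %s\n", demo_del_first() ? "yes" : "no");
    return 0;
}
```

The `freed` flag replaces real deallocation so the bad ordering is observable deterministically instead of as undefined behaviour; in the kernel the same access would be caught only by KASAN or by a crash, which is why the ordering rule is worth a comment next to the code.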