From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, ZhengHan Wang <wzhmmmmm@gmail.com>,
	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 11/97] Bluetooth: Fix double free in hci_conn_cleanup
Date: Fri, 24 Nov 2023 17:49:44 +0000
Message-ID: <20231124171934.566368336@linuxfoundation.org>
In-Reply-To: <20231124171934.122298957@linuxfoundation.org>

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: ZhengHan Wang <wzhmmmmm@gmail.com>

[ Upstream commit a85fb91e3d728bdfc80833167e8162cce8bc7004 ]

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
    kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)

This patch drops the hci_dev_put and hci_conn_put function
calls in the hci_conn_cleanup function, because the object is
freed in the hci_conn_del_sysfs function.

This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.

This fixes CVE-2023-28464.

Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_conn.c  |  6 ++----
 net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b876e97b61c92..0e837feaa527e 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -125,13 +125,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
 	if (hdev->notify)
 		hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
 
-	hci_conn_del_sysfs(conn);
-
 	debugfs_remove_recursive(conn->debugfs);
 
-	hci_dev_put(hdev);
+	hci_conn_del_sysfs(conn);
 
-	hci_conn_put(conn);
+	hci_dev_put(hdev);
 }
 
 static void le_scan_cleanup(struct work_struct *work)
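Review bot: this hunk keeps one hci_dev_put(hdev) in hci_conn_cleanup, yet the commit message says the patch drops both the hci_dev_put and the hci_conn_put call; the message should say that only hci_conn_put is dropped here and that the hci_dev_put being removed is the one inside hci_conn_del_sysfs (paired with the hci_dev_hold removed from hci_conn_add_sysfs). Moving hci_conn_del_sysfs after debugfs_remove_recursive(conn->debugfs) also carries an invariant that deserves a comment at the call site: once hci_conn_del_sysfs has dropped the last reference on conn->dev, conn must not be touched again, which is why only the local hdev is used afterwards; stating that in a comment keeps a later edit from reintroducing the use-after-free.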
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index ccd2c377bf83c..266112c960ee8 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
 {
 	struct hci_dev *hdev = conn->hdev;
 
-	BT_DBG("conn %p", conn);
+	bt_dev_dbg(hdev, "conn %p", conn);
 
 	conn->dev.type = &bt_link;
 	conn->dev.class = bt_class;
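Review bot: the BT_DBG to bt_dev_dbg switch in hci_conn_init_sysfs is a logging-style change unrelated to the double free; keeping it makes the stable backport match the upstream commit, but it should be mentioned as such in the backport note so reviewers do not look for a functional reason behind it.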
@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
 {
 	struct hci_dev *hdev = conn->hdev;
 
-	BT_DBG("conn %p", conn);
+	bt_dev_dbg(hdev, "conn %p", conn);
 
 	if (device_is_registered(&conn->dev))
 		return;
 
 	dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
 
-	if (device_add(&conn->dev) < 0) {
+	if (device_add(&conn->dev) < 0)
 		bt_dev_err(hdev, "failed to register connection device");
-		return;
-	}
-
-	hci_dev_hold(hdev);
 }
 
 void hci_conn_del_sysfs(struct hci_conn *conn)
 {
 	struct hci_dev *hdev = conn->hdev;
 
-	if (!device_is_registered(&conn->dev))
+	bt_dev_dbg(hdev, "conn %p", conn);
+
+	if (!device_is_registered(&conn->dev)) {
+		/* If device_add() has *not* succeeded, use *only* put_device()
+		 * to drop the reference count.
+		 */
+		put_device(&conn->dev);
 		return;
+	}
 
 	while (1) {
 		struct device *dev;
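Review bot: in hci_conn_add_sysfs the device_add() failure branch now only logs and falls through, which leaves conn->dev unregistered; the new device_is_registered() check in hci_conn_del_sysfs depends on exactly that state to choose put_device() over the device_unregister() path. The comment above the early-return put_device() should say which reference it balances and that it can be the last one, so that conn must not be used after hci_conn_del_sysfs returns in this path either; as written it only says to use put_device(), not why the count is then correct. Removing hci_dev_hold(hdev) from hci_conn_add_sysfs is correct only together with the hci_dev_put removal in the following hunk, and the commit message should call the two out as a pair.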
@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
 		put_device(dev);
 	}
 
-	device_del(&conn->dev);
-
-	hci_dev_put(hdev);
+	device_unregister(&conn->dev);
 }
 
 static void bt_host_release(struct device *dev)
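Review bot: device_unregister() is device_del() followed by put_device(), so this hunk makes hci_conn_del_sysfs drop a reference on conn->dev that callers previously dropped themselves via hci_conn_put in hci_conn_cleanup; add a comment at the top of hci_conn_del_sysfs stating that it consumes the caller's reference on conn->dev in both the registered and the unregistered path, since that is the invariant hci_conn_cleanup now relies on. Removing hci_dev_put(hdev) here is consistent with dropping hci_dev_hold(hdev) from hci_conn_add_sysfs in the previous hunk, so the per-connection hdev reference is now taken and released outside hci_sysfs.c entirely; worth noting in the message for anyone auditing the hdev refcount in 4.19.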
-- 
2.42.0
