From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81CEA14532F; Thu, 23 May 2024 13:26:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716470772; cv=none; b=lIswokiEaRn1HQZgccLneTCSuUXW0Ys9QwT24W6ziOUO3I6USHjktuczS0sg9ts5+QEVFLLYyIX4x9dQG0KeU3Tgds1OF8cQt0vnZl2AmD7BWvy8fBY1tPFrI9Ii6vtWTLni7A21J9eczLDJEh4HQ0/7UlsHZ/Zp4Gozpp6Z8po= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716470772; c=relaxed/simple; bh=sb6qJ5u2OoHCXcB3QB7hK5mL4sd4xT9RISN2ge+Iajs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=hdQP4wv7xnvd4iGru/GLHQClwXmybpUtjwikIaRkYKab0pzkcw38oTk6aXpZEjNAHvgrT/mZgyhto0RBoqe6GMaLZaTWMInRd22+IR00I5aux4yKoMK0V1PZhN4lQds4N9aUOG2AsGsHX55kX+Gjh1bT9Oz2zOob+gOrp64WEeU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ijw1Iq2x; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ijw1Iq2x" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0BC0FC3277B; Thu, 23 May 2024 13:26:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1716470772; bh=sb6qJ5u2OoHCXcB3QB7hK5mL4sd4xT9RISN2ge+Iajs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ijw1Iq2xULtLogYwDUo46Y57sDxIcAEAbS7wjyx9JMmfAhLqOiaqD4BbnRUxx0aXh 9zbxKAcdA/0xVpfU7FjEIxEHQJMbJHg3VZRB+2lyM8w1osoQoCB0LHV2kj3Hac58RE Oh5a3ty6vaqmQDC1o92EaQI2dnjR9eRJS8tRENro= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Sungwoo Kim , Luiz Augusto von Dentz Subject: [PATCH 6.6 081/102] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Date: Thu, 23 May 2024 15:13:46 +0200 Message-ID: <20240523130345.525057317@linuxfoundation.org> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240523130342.462912131@linuxfoundation.org> References: <20240523130342.462912131@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sungwoo Kim commit 4d7b41c0e43995b0e992b9f8903109275744b658 upstream. Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 Fixes: 73ffa904b782 ("Bluetooth: Move conf_{req,rsp} stuff to struct l2cap_chan") Signed-off-by: Sungwoo Kim Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/l2cap_core.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3905,13 +3905,12 @@ static inline int l2cap_command_rej(stru return 0; } -static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, - struct l2cap_cmd_hdr *cmd, - u8 *data, u8 rsp_code, u8 amp_id) +static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, + u8 *data, u8 rsp_code, u8 amp_id) { struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; - struct l2cap_chan *chan = NULL, *pchan; + struct l2cap_chan *chan = NULL, *pchan = NULL; int result, status = L2CAP_CS_NO_INFO; u16 dcid = 0, scid = __le16_to_cpu(req->scid); @@ -3924,7 +3923,7 @@ static struct l2cap_chan *l2cap_connect( &conn->hcon->dst, ACL_LINK); if (!pchan) { result = L2CAP_CR_BAD_PSM; - goto sendresp; + goto response; } mutex_lock(&conn->chan_lock); @@ -4011,17 +4010,15 @@ static struct l2cap_chan *l2cap_connect( } response: - l2cap_chan_unlock(pchan); - mutex_unlock(&conn->chan_lock); - l2cap_chan_put(pchan); - -sendresp: rsp.scid = cpu_to_le16(scid); rsp.dcid = cpu_to_le16(dcid); rsp.result = cpu_to_le16(result); rsp.status = cpu_to_le16(status); l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); + if (!pchan) + return; + if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { struct l2cap_info_req info; info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); @@ -4044,7 +4041,9 @@ sendresp: chan->num_conf_req++; } - return chan; + l2cap_chan_unlock(pchan); + mutex_unlock(&conn->chan_lock); + l2cap_chan_put(pchan); } static int l2cap_connect_req(struct l2cap_conn *conn,