| Field | Value |
|---|---|
| Message ID | 20230524170415.kernel.v1.1.I575ec21daa35ebba038fe38e164df60b6121c633@changeid |
| State | Accepted |
| Commit | ed299eeb7f448cbbfe0d554172bdf61074e4880c |
| Series | [kernel,v1] Bluetooth: L2CAP: Fix use-after-free |
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 24 May 2023 17:04:15 -0700 you wrote:
> Fix potential use-after-free in l2cap_le_command_rej.
>
> Signed-off-by: Zhengping Jiang <jiangzp@google.com>
> ---
>
> Changes in v1:
> - Use l2cap_chan_hold_unless_zero to prevent adding refcnt when it is
>   already 0.
>
> [...]

Here is the summary with links:
  - [kernel,v1] Bluetooth: L2CAP: Fix use-after-free
    https://git.kernel.org/bluetooth/bluetooth-next/c/a088d769ef3a

You are awesome, thank you!
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 376b523c7b26..19b0b1f7ffed 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6361,9 +6361,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn, if (!chan) goto done; + chan = l2cap_chan_hold_unless_zero(chan); + if (!chan) + goto done; + l2cap_chan_lock(chan); l2cap_chan_del(chan, ECONNREFUSED); l2cap_chan_unlock(chan); + l2cap_chan_put(chan); done: mutex_unlock(&conn->chan_lock);
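Review bot: the changelog never says how chan can already have a zero refcount by the time l2cap_le_command_rej() looks it up, so a reader of this hunk cannot tell which concurrent release path the new l2cap_chan_hold_unless_zero() check is racing against; please describe that window in the commit message (and what the old code did in it: locking and deleting a channel whose last reference was already dropped). The control flow in the hunk itself looks right: the failed-hold path takes the existing `goto done` without an l2cap_chan_put(), and the added l2cap_chan_put(chan) sits after l2cap_chan_unlock(chan) rather than before it, which is required because that put can be the final drop that frees chan. One nit on the cover text: a "Changes in v1:" section has no earlier version to compare against on a first posting; either drop it or fold that sentence into the commit message body, where it would do the explaining asked for above.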
Fix potential use-after-free in l2cap_le_command_rej.

Signed-off-by: Zhengping Jiang <jiangzp@google.com>
---

Changes in v1:
- Use l2cap_chan_hold_unless_zero to prevent adding refcnt when it is
  already 0.

 net/bluetooth/l2cap_core.c | 5 +++++
 1 file changed, 5 insertions(+)
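As an added illustration of the "hold unless zero" refcount pattern the patch switches to, the following user-space C model is example code written for this page; it is not code from the kernel, from the patch or from its author. Everything in it is a hypothetical stand-in: `struct chan`, `chan_hold`, `chan_hold_unless_zero`, `chan_put` and `chan_release` play the roles of `struct l2cap_chan`, `l2cap_chan_hold`, `l2cap_chan_hold_unless_zero` and `l2cap_chan_put`, `command_rej` models only the tail of `l2cap_le_command_rej` after the lookup, and the CAS loop reproduces the semantics of the kernel's `refcount_inc_not_zero()` rather than its implementation. The lock/del/unlock step is reduced to a check of whether the object was already released, and a "free" is recorded in a counter instead of calling free(), so the double release stays observable.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical stand-in for struct l2cap_chan: only the refcount plus two
 * bookkeeping fields that let us observe a "free" without real memory. */
struct chan {
	atomic_int refcnt;     /* models refcount_t: number of live references */
	int released;          /* 1 once the final reference has "freed" it */
	int release_count;     /* how many times release ran; 2 = double free */
};

/* Unconditional hold, i.e. the pattern the patch moves away from.  On an
 * object whose count is already 0 this resurrects a freed channel. */
static struct chan *chan_hold(struct chan *c)
{
	atomic_fetch_add(&c->refcnt, 1);
	return c;
}

/* Hold only while the object still has a live reference; returns NULL if
 * the count is 0.  Same semantics as refcount_inc_not_zero(): a CAS loop
 * that never moves the count from 0 to 1. */
static struct chan *chan_hold_unless_zero(struct chan *c)
{
	int old = atomic_load(&c->refcnt);

	do {
		if (old == 0)
			return NULL;
	} while (!atomic_compare_exchange_weak(&c->refcnt, &old, old + 1));
	return c;
}

/* Stand-in for the release callback the kernel's kref would invoke. */
static void chan_release(struct chan *c)
{
	c->released = 1;
	c->release_count++;
}

/* Drop a reference; the drop that reaches 0 frees the object. */
static void chan_put(struct chan *c)
{
	if (atomic_fetch_sub(&c->refcnt, 1) == 1)
		chan_release(c);
}

/* Model of the tail of l2cap_le_command_rej() once the lookup returned c.
 * Returns 1 if the channel was held, handled under its lock and released
 * cleanly, 0 if it was already dying and was skipped, and -1 if a freed
 * channel was touched (the use-after-free). */
static int command_rej(struct chan *c, int use_hold_unless_zero)
{
	struct chan *held;
	int touched_freed;

	if (use_hold_unless_zero) {
		held = chan_hold_unless_zero(c);
		if (!held)
			return 0;      /* the patch's early "goto done" */
	} else {
		held = chan_hold(c);
	}

	/* lock / del / unlock would go here; any access to a channel that
	 * is already released is the use-after-free. */
	touched_freed = held->released;

	/* Must come after unlock: this put may be the final drop. */
	chan_put(held);
	return touched_freed ? -1 : 1;
}

/* Drive one scenario.  The channel starts with one reference (the one the
 * connection's channel list holds).  With concurrent_final_put set, a racing
 * path drops that reference between the lookup and our hold, which is the
 * window the patch closes.  *release_count reports how often it was "freed". */
static int run_scenario(int concurrent_final_put, int use_hold_unless_zero,
			int *release_count)
{
	struct chan c;
	struct chan *looked_up = &c;   /* pointer the list lookup handed back */
	int rc;

	atomic_init(&c.refcnt, 1);
	c.released = 0;
	c.release_count = 0;

	if (concurrent_final_put)
		chan_put(&c);          /* racing path drops the last reference */

	rc = command_rej(looked_up, use_hold_unless_zero);
	*release_count = c.release_count;
	return rc;
}

/* Convenience for callers that only want the free count. */
static int releases_in_scenario(int concurrent_final_put, int use_hold_unless_zero)
{
	int n;

	run_scenario(concurrent_final_put, use_hold_unless_zero, &n);
	return n;
}

int main(void)
{
	int n, rc;

	rc = run_scenario(1, 0, &n);
	printf("unconditional hold, racing put: rc=%d releases=%d\n", rc, n);
	rc = run_scenario(1, 1, &n);
	printf("hold_unless_zero,   racing put: rc=%d releases=%d\n", rc, n);
	rc = run_scenario(0, 1, &n);
	printf("hold_unless_zero,   no race:    rc=%d releases=%d\n", rc, n);
	return 0;
}
```

The first scenario is the pre-patch behaviour: the unconditional hold moves the count from 0 back to 1 on an object that has already been released, the function then works on freed memory, and its own put releases the object a second time. With the hold-unless-zero variant the same race returns NULL, the function takes the early exit, and the object is released exactly once; when there is no race both variants behave identically, which is why the change is safe to make unconditionally.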