Bluetooth: L2CAP: Fix user-after-free

Message ID	20220929203241.4140795-1-luiz.dentz@gmail.com
State	New
Headers	show Return-Path: <linux-bluetooth-owner@kernel.org> From: Luiz Augusto von Dentz <luiz.dentz@gmail.com> To: linux-bluetooth@vger.kernel.org Subject: [PATCH] Bluetooth: L2CAP: Fix user-after-free Date: Thu, 29 Sep 2022 13:32:41 -0700 Message-Id: <20220929203241.4140795-1-luiz.dentz@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Bluetooth: L2CAP: Fix user-after-free \| expand Bluetooth: L2CAP: Fix user-after-free

Message ID

20220929203241.4140795-1-luiz.dentz@gmail.com

State

New

Headers

From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH] Bluetooth: L2CAP: Fix user-after-free
Date: Thu, 29 Sep 2022 13:32:41 -0700
Message-Id: <20220929203241.4140795-1-luiz.dentz@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Bluetooth: L2CAP: Fix user-after-free | expand

Commit Message

Luiz Augusto von Dentz Sept. 29, 2022, 8:32 p.m. UTC

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:

Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
*kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/l2cap_core.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

patchwork-bot+bluetooth@kernel.org Oct. 1, 2022, 12:40 a.m. UTC | #1

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 29 Sep 2022 13:32:41 -0700 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> This uses l2cap_chan_hold_unless_zero() after calling
> __l2cap_get_chan_blah() to prevent the following trace:
> 
> Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
> *kref)
> Bluetooth: chan 0000000023c4974d
> Bluetooth: parent 00000000ae861c08
> ==================================================================
> BUG: KASAN: use-after-free in __mutex_waiter_is_first
> kernel/locking/mutex.c:191 [inline]
> BUG: KASAN: use-after-free in __mutex_lock_common
> kernel/locking/mutex.c:671 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
> kernel/locking/mutex.c:729
> Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
> 
> [...]

Here is the summary with links:
  - Bluetooth: L2CAP: Fix user-after-free
    https://git.kernel.org/bluetooth/bluetooth-next/c/35fcbc4243aa

You are awesome, thank you!

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 770891f68703..1f34b82ca0ec 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4309,6 +4309,12 @@  static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 		}
 	}
 
+	chan = l2cap_chan_hold_unless_zero(chan);
+	if (!chan) {
+		err = -EBADSLT;
+		goto unlock;
+	}
+
 	err = 0;
 
 	l2cap_chan_lock(chan);
@@ -4338,6 +4344,7 @@  static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
 	}
 
 	l2cap_chan_unlock(chan);
+	l2cap_chan_put(chan);
 
 unlock:
 	mutex_unlock(&conn->chan_lock);

Bluetooth: L2CAP: Fix user-after-free

Commit Message

Comments

Patch