| Message ID | 20230407180201.3229763-1-luiz.dentz@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} | expand |
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=738043 ---Test result--- Test Summary: CheckPatch PASS 0.70 seconds GitLint PASS 0.33 seconds SubjectPrefix PASS 0.12 seconds BuildKernel PASS 32.03 seconds CheckAllWarning PASS 35.10 seconds CheckSparse PASS 40.39 seconds CheckSmatch PASS 108.24 seconds BuildKernel32 PASS 31.21 seconds TestRunnerSetup PASS 445.76 seconds TestRunner_l2cap-tester PASS 16.46 seconds TestRunner_iso-tester PASS 16.15 seconds TestRunner_bnep-tester PASS 5.35 seconds TestRunner_mgmt-tester FAIL 113.09 seconds TestRunner_rfcomm-tester PASS 8.48 seconds TestRunner_sco-tester PASS 7.78 seconds TestRunner_ioctl-tester PASS 9.09 seconds TestRunner_mesh-tester PASS 6.64 seconds TestRunner_smp-tester PASS 7.67 seconds TestRunner_userchan-tester PASS 5.58 seconds IncrementalBuild PASS 29.77 seconds Details ############################## Test: TestRunner_mgmt-tester - FAIL Desc: Run mgmt-tester with test-runner Output: Total: 497, Passed: 494 (99.4%), Failed: 3, Not Run: 0 Failed Test Cases Get PHY Success Failed 0.127 seconds Set PHY 1m 2m coded Succcess Timed out 2.070 seconds Start Discovery LE - (Ext Scan Param) Failed 0.121 seconds --- Regards, Linux Bluetooth
Hello: This patch was applied to bluetooth/bluetooth-next.git (master) by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>: On Fri, 7 Apr 2023 11:02:01 -0700 you wrote: > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > > Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free > caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to > prevent referencing a channel that is about to be destroyed. > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Min Li <lm0963hack@gmail.com> > > [...] Here is the summary with links: - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} https://git.kernel.org/bluetooth/bluetooth-next/c/cbcb70b9beee You are awesome, thank you!
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 8153293b9a45..5cc95fd17f7d 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4651,33 +4651,27 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid); - mutex_lock(&conn->chan_lock); - - chan = __l2cap_get_chan_by_scid(conn, dcid); + chan = l2cap_get_chan_by_scid(conn, dcid); if (!chan) { - mutex_unlock(&conn->chan_lock); cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid); return 0; } - l2cap_chan_hold(chan); - l2cap_chan_lock(chan); - rsp.dcid = cpu_to_le16(chan->scid); rsp.scid = cpu_to_le16(chan->dcid); l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp); chan->ops->set_shutdown(chan); + mutex_lock(&conn->chan_lock); l2cap_chan_del(chan, ECONNRESET); + mutex_unlock(&conn->chan_lock); chan->ops->close(chan); l2cap_chan_unlock(chan); l2cap_chan_put(chan); - mutex_unlock(&conn->chan_lock); - return 0; } @@ -4697,33 +4691,27 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid); - mutex_lock(&conn->chan_lock); - - chan = __l2cap_get_chan_by_scid(conn, scid); + chan = l2cap_get_chan_by_scid(conn, scid); if (!chan) { mutex_unlock(&conn->chan_lock); return 0; } - l2cap_chan_hold(chan); - l2cap_chan_lock(chan); - if (chan->state != BT_DISCONN) { l2cap_chan_unlock(chan); l2cap_chan_put(chan); - mutex_unlock(&conn->chan_lock); return 0; } + mutex_lock(&conn->chan_lock); l2cap_chan_del(chan, 0); + mutex_unlock(&conn->chan_lock); chan->ops->close(chan); l2cap_chan_unlock(chan); l2cap_chan_put(chan); - mutex_unlock(&conn->chan_lock); - return 0; }