From patchwork Thu May 26 09:49:18 2022
X-Patchwork-Submitter: Jianglei Nie
X-Patchwork-Id: 576279
From: Jianglei Nie
To: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jianglei Nie
Subject: [PATCH] Bluetooth: hci_conn: fix potential double free in le_scan_cleanup()
Date: Thu, 26 May 2022 17:49:18 +0800
Message-Id: <20220526094918.482971-1-niejianglei2021@163.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

When "c == conn" is true, hci_conn_cleanup() is called. The hci_conn_cleanup() calls hci_dev_put() and hci_conn_put() in its function implementation. hci_dev_put() and hci_conn_put() will free the relevant resource if the reference count reaches zero, which may lead to a double free when hci_dev_put() and hci_conn_put() are called again.

We should add a return to this function after hci_conn_cleanup() is called.

Signed-off-by: Jianglei Nie
---
 net/bluetooth/hci_conn.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index fe803bee419a..7b3e91eb9fa3 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -166,6 +166,7 @@ static void le_scan_cleanup(struct work_struct *work) if (c == conn) { hci_connect_le_scan_cleanup(conn); hci_conn_cleanup(conn); + return; } hci_dev_unlock(hdev);
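Review bot: The added `return;` inside the `if (c == conn)` block jumps out of le_scan_cleanup() before the `hci_dev_unlock(hdev);` that is visible as trailing context right after the closing brace, so on the very path this patch targets the function now exits with the hdev lock still held. The commit message says the problem is the later hci_dev_put()/hci_conn_put() calls running a second time after hci_conn_cleanup() has already dropped those references; those put() calls are what should be skipped, not the unlock. Suggest keeping the unlock on every path and only bypassing the duplicate puts, for example by recording that cleanup ran inside the block and then doing `hci_dev_unlock(hdev);` followed by a conditional skip of the two put() calls, or by jumping to a label placed after the unlock. It would also help to cite the hci_conn_cleanup() lines that perform hci_dev_put()/hci_conn_put() and to add a Fixes: tag naming the commit that introduced the extra references, since the hunk by itself does not show the double free the message describes.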