linux-yocto/include/net
Luiz Augusto von Dentz 6243bda271 Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
[ Upstream commit 9e622804d57e2d08f0271200606bd1270f75126f ]

This fixes the following UAF in hci_acl_create_conn_sync where a
connection still pending command submission (conn->state == BT_OPEN)
may be freed; since this can also happen with the likes of
hci_le_create_conn_sync, fix it as well:

BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541

CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci3 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 123736:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
 hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]
 hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634
 pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556
 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:727
 sock_write_iter+0x258/0x330 net/socket.c:1131
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x54b/0xa90 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 103680:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x18e/0x440 mm/slub.c:4842
 device_release+0x9c/0x1c0
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x22b/0x480 lib/kobject.c:737
 hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
 hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
 hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199
 hci_event_func net/bluetooth/hci_event.c:7477 [inline]
 hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 insert_work+0x3d/0x330 kernel/workqueue.c:2183
 __queue_work+0xbd9/0xfe0 kernel/workqueue.c:2345
 queue_delayed_work_on+0x18b/0x280 kernel/workqueue.c:2561
 pairing_complete+0x1e7/0x2b0 net/bluetooth/mgmt.c:3451
 pairing_complete_cb+0x1ac/0x230 net/bluetooth/mgmt.c:3487
 hci_connect_cfm include/net/bluetooth/hci_core.h:2064 [inline]
 hci_conn_failed+0x24d/0x310 net/bluetooth/hci_conn.c:1275
 hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199
 hci_event_func net/bluetooth/hci_event.c:7477 [inline]
 hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245

Fixes: aef2aa4fa9 ("Bluetooth: hci_event: Fix creating hci_conn object on error status")
Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque@tencent.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-10-02 13:40:39 +02:00
9p net/9p: add 'pooled_rbuffers' flag to struct p9_trans_module 2022-10-05 07:05:41 +09:00
bluetooth Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync 2025-10-02 13:40:39 +02:00
caif
iucv
netfilter netfilter: nf_conntrack: fix crash due to removal of uninitialised entry 2025-07-24 08:51:53 +02:00
netns xfrm: fix a data-race in xfrm_gen_index() 2023-10-25 12:03:06 +02:00
nfc
phonet
sctp sctp: detect and prevent references to a freed transport in sendmsg 2025-04-25 10:43:43 +02:00
tc_act net_sched: act_ctinfo: use atomic64_t for three counters 2025-08-15 12:04:58 +02:00
6lowpan.h
act_api.h
addrconf.h ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr 2024-04-17 11:18:24 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h af_unix: Try not to hold unix_gc_lock during accept(). 2025-06-04 14:40:24 +02:00
af_vsock.h
ah.h
amt.h
arp.h neighbour: switch to standard rcu, instead of rcu_bh 2023-10-10 22:00:42 +02:00
atmclip.h
ax25.h ax25: rcu protect dev->ax25_ptr 2025-02-21 13:49:02 +01:00
ax88796.h
bareudp.h
bond_3ad.h bonding: Add independent control state machine 2025-08-28 16:26:18 +02:00
bond_alb.h bonding (gcc13): synchronize bond_{a,t}lb_xmit() types 2023-05-11 23:03:41 +09:00
bond_options.h bonding: Add independent control state machine 2025-08-28 16:26:18 +02:00
bonding.h bonding: Add independent control state machine 2025-08-28 16:26:18 +02:00
bpf_sk_storage.h
busy_poll.h net: busy-poll: use ktime_get_ns() instead of local_clock() 2024-09-04 13:25:02 +02:00
calipso.h
cfg80211-wext.h
cfg80211.h wifi: cfg80211: Fix interface type validation 2025-08-28 16:25:56 +02:00
cfg802154.h mac802154: fix llsec key resources release in mac802154_llsec_key_del 2024-04-03 15:19:31 +02:00
checksum.h net: Fix checksum update for ILA adj-transport 2025-06-27 11:07:38 +01:00
cipso_ipv4.h
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h net: devlink: add port_init/fini() helpers to allow pre-register/post-unregister functions 2022-09-30 18:17:16 -07:00
dropreason.h
dsa.h net: dsa: add support for mac_prepare() and mac_finish() calls 2025-05-02 07:46:50 +02:00
dsfield.h
dst_cache.h
dst_metadata.h Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2022-10-03 07:52:13 +01:00
dst_ops.h net: fix __dst_negative_advice() race 2024-06-16 13:41:40 +02:00
dst.h include: net: add static inline dst_dev_overhead() to dst.h 2025-03-07 16:56:46 +01:00
erspan.h
esp.h
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h
firewire.h
flow_dissector.h
flow_offload.h
flow.h ipv4: Drop tos parameter from flowi4_update_output() 2025-05-18 08:21:21 +02:00
fou.h
fq_impl.h
fq.h
garp.h
gen_stats.h
genetlink.h genetlink: hold RCU in genlmsg_mcast() 2024-11-01 01:56:00 +01:00
geneve.h
gre.h
gro_cells.h
gro.h
gtp.h
gue.h
hwbm.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h net: ieee802154: return -EINVAL for unknown addr type 2022-10-07 08:42:00 +01:00
if_inet6.h net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX 2023-12-20 17:00:15 +01:00
ife.h
ila.h
inet_common.h inet: factor out locked section of inet_accept() in a new helper 2024-06-12 11:03:53 +02:00
inet_connection_sock.h tcp/dccp: allow a connection when sk_max_ack_backlog is zero 2025-01-17 13:34:38 +01:00
inet_dscp.h
inet_ecn.h
inet_frag.h
inet_hashtables.h net: remove duplicate reuseport_lookup functions 2024-06-12 11:03:12 +02:00
inet_sock.h udp: fix busy polling 2024-01-31 16:17:04 -08:00
inet_timewait_sock.h tcp/dccp: do not care about families in inet_twsk_purge() 2024-08-29 17:30:44 +02:00
inet6_connection_sock.h
inet6_hashtables.h net: remove duplicate reuseport_lookup functions 2024-06-12 11:03:12 +02:00
inetpeer.h inetpeer: remove create argument of inet_getpeer() 2025-02-21 13:49:01 +01:00
ioam6.h
ip_fib.h ipv4: Fix incorrect TOS in route get reply 2024-08-03 08:49:24 +02:00
ip_tunnels.h ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices 2025-01-09 13:30:00 +01:00
ip_vs.h ipvs: Update width of source for ip_vs_sync_conn_options 2023-05-24 17:32:39 +01:00
ip.h ipv4: Convert ip_route_input() to dscp_t. 2025-03-07 16:56:44 +01:00
ip6_checksum.h
ip6_fib.h ipv6: Remove in6addr_any alternatives. 2023-09-19 12:28:10 +02:00
ip6_route.h ipv6: fix source address selection with route leak 2024-08-14 13:53:02 +02:00
ip6_tunnel.h
ipcomp.h
ipconfig.h
ipv6_frag.h
ipv6_stubs.h bpf: Derive source IP addr via bpf_*_fib_lookup() 2024-03-06 14:45:20 +00:00
ipv6.h tcp: Fix bind() regression for v4-mapped-v6 wildcard address. 2023-09-19 12:28:10 +02:00
iw_handler.h
kcm.h kcm: Serialise kcm_sendmsg() for the same socket. 2024-08-29 17:30:44 +02:00
l3mdev.h vrf: use RCU protection in l3mdev_l3_out() 2025-02-21 13:49:56 +01:00
lag.h
lapb.h net: lapb: increase LAPB_HEADER_LEN 2024-12-19 18:08:53 +01:00
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h llc: Drop support for ETH_P_TR_802_2. 2024-01-31 16:17:04 -08:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
lwtunnel.h lwt: Check LWTUNNEL_XMIT_CONTINUE strictly 2023-09-13 09:42:33 +02:00
mac80211.h wifi: mac80211: don't complete management TX on SAE commit 2025-08-28 16:25:56 +02:00
mac802154.h
macsec.h macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads 2024-05-02 16:29:32 +02:00
mctp.h mctp: Handle error of rtnl_register_module(). 2024-10-17 15:22:23 +02:00
mctpdevice.h
mip6.h
mld.h
mpls_iptunnel.h
mpls.h
mptcp.h mptcp: remove MPTCP 'ifdef' in TCP SYN cookies 2023-01-07 11:11:44 +01:00
mrp.h mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:33:02 +01:00
ncsi.h
ndisc.h neighbour: switch to standard rcu, instead of rcu_bh 2023-10-10 22:00:42 +02:00
neighbour.h neighbour: add support for NUD_PERMANENT proxy entries 2025-08-28 16:25:57 +02:00
net_debug.h
net_failover.h
net_namespace.h net: add dev_net_rcu() helper 2025-02-21 13:50:06 +01:00
net_ratelimit.h
net_trackers.h
netdev_queues.h net: provide macros for commonly copied lockless queue stop/wake code 2024-11-01 01:56:04 +01:00
netevent.h
netlabel.h
netlink.h netlink: split up copies in the ack construction 2023-10-10 22:00:44 +02:00
netprio_cgroup.h
netrom.h
nexthop.h ipv6: remove nexthop_fib6_nh_bh() 2023-10-10 22:00:46 +02:00
nl802154.h
nsh.h
p8022.h
page_pool.h page_pool: fix inconsistency for page_pool_ring_[un]lock() 2023-06-05 09:26:20 +02:00
pie.h
ping.h net/ipv4: ping_group_range: allow GID from 2147483648 to 4294967294 2023-06-14 11:15:16 +02:00
pkt_cls.h net: sched: cls_api: introduce tc_cls_bind_class() helper 2022-10-02 16:07:17 +01:00
pkt_sched.h net/sched: make psched_mtu() RTNL-less safe 2023-07-23 13:49:27 +02:00
pptp.h
protocol.h
psample.h
psnap.h
raw.h raw: Fix NULL deref in raw_get_next(). 2023-04-13 16:55:23 +02:00
rawv6.h
red.h treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
regulatory.h wifi: cfg80211: fix regulatory disconnect with OCB/NAN 2023-07-19 16:21:10 +02:00
request_sock.h
rose.h net: rose: convert 'use' field to refcount_t 2025-09-04 15:26:28 +02:00
route.h ipv4: Drop tos parameter from flowi4_update_output() 2025-05-18 08:21:21 +02:00
rpl.h ipv6: rpl: Fix Route of Death. 2023-06-14 11:15:20 +02:00
rsi_91x.h
rtnetlink.h rtnetlink: Add bulk registration helpers for rtnetlink message handlers. 2024-10-17 15:22:23 +02:00
rtnh.h
sch_generic.h net_sched: Flush gso_skb list too during ->change() 2025-05-22 14:10:02 +02:00
scm.h af_unix: Add dead flag to struct scm_fp_list. 2025-06-04 14:40:24 +02:00
secure_seq.h
seg6_hmac.h
seg6_local.h
seg6.h
selftests.h
slhc_vj.h
smc.h
snmp.h
sock_reuseport.h soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-12-31 13:32:04 +01:00
sock.h net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. 2025-09-19 16:29:55 +02:00
Space.h
stp.h
strparser.h strparser: Add read_sock callback 2025-03-07 16:56:37 +01:00
switchdev.h net: bridge: switchdev: Skip MDB replays of deferred events on offload 2024-03-01 13:26:35 +01:00
tcp_states.h
tcp.h bpf: Fix wrong copied_seq calculation 2025-03-07 16:56:37 +01:00
timewait_sock.h
tipc.h
tls_toe.h
tls.h tls: fix race between async notify and socket close 2024-02-23 09:12:31 +01:00
transp_v6.h
tso.h
tun_proto.h
udp_tunnel.h udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO 2024-01-10 17:10:28 +01:00
udp.h net: drop UFO packets in udp_rcv_segment() 2025-08-15 12:05:10 +02:00
udplite.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2022-10-12 17:50:37 -07:00
vsock_addr.h
vxlan.h vxlan: Fix nexthop hash size 2023-08-11 12:08:17 +02:00
wext.h
x25.h
x25device.h
xdp_priv.h
xdp_sock_drv.h
xdp_sock.h
xdp.h
xfrm.h espintcp: remove encap socket caching to avoid reference leak 2025-06-04 14:40:19 +02:00
xsk_buff_pool.h xsk: Fix unaligned descriptor validation 2023-05-11 23:03:21 +09:00