linux-yocto/include/net/bluetooth
Pauli Virtanen 79a2d4678b Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU in
commit bf4c632524 ("Bluetooth: convert conn hash to RCU"),
and it is not clear if it has had a purpose since then.

Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed1 ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it.  It's better to do the locking so that even if these run
concurrently no UAF is possible.

Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.

syzkaller has reported a crash that appears to be this issue:

    [Task hdev->workqueue]          [Task 2]
                                    hci_disconnect_all_sync
    l2cap_recv_acldata(hcon)
                                      hci_conn_get(hcon)
                                      hci_abort_conn_sync(hcon)
                                        hci_dev_lock
      hci_dev_lock
                                        hci_conn_del(hcon)
      v-------------------------------- hci_dev_unlock
                                      hci_conn_put(hcon)
      conn = hcon->l2cap_data (UAF)

Fixes: 5af1f84ed1 ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
Reported-by: syzbot+d32d77220b92eddd89ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d32d77220b92eddd89ad
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-11-20 17:01:09 -05:00
bluetooth.h Bluetooth: Add function and line information to bt_dbg 2025-09-27 11:37:01 -04:00
coredump.h
hci_core.h Bluetooth: hci_core: lookup hci_conn on RX path on protocol side 2025-11-20 17:01:09 -05:00
hci_drv.h Bluetooth: Annotate struct hci_drv_rp_read_info with __counted_by_le() 2025-09-27 11:37:00 -04:00
hci_mon.h Bluetooth: Introduce HCI Driver protocol 2025-05-21 10:28:07 -04:00
hci_sock.h
hci_sync.h Bluetooth: hci_sync: fix set_local_name race condition 2025-08-22 13:57:31 -04:00
hci.h Bluetooth: hci_event: Fix not handling PA Sync Lost event 2025-11-11 08:55:18 -05:00
iso.h
l2cap.h Revert "Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()" 2025-10-24 10:30:30 -04:00
mgmt.h Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() 2025-10-31 12:43:05 -04:00
rfcomm.h
sco.h