linux/net/bluetooth
Luiz Augusto von Dentz d0be8347c6 Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
This fixes the following trace which is caused by hci_rx_work starting up
*after* the final channel reference has been put() during sock_close() but
*before* the references to the channel have been destroyed, so instead
the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.

  refcount_t: increment on 0; use-after-free.
  BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0
  Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705

  CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S      W
  4.14.234-00003-g1fb6d0bd49a4-dirty #28
  Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150
  Google Inc. MSM sm8150 Flame DVT (DT)
  Workqueue: hci0 hci_rx_work
  Call trace:
   dump_backtrace+0x0/0x378
   show_stack+0x20/0x2c
   dump_stack+0x124/0x148
   print_address_description+0x80/0x2e8
   __kasan_report+0x168/0x188
   kasan_report+0x10/0x18
   __asan_load4+0x84/0x8c
   refcount_dec_and_test+0x20/0xd0
   l2cap_chan_put+0x48/0x12c
   l2cap_recv_frame+0x4770/0x6550
   l2cap_recv_acldata+0x44c/0x7a4
   hci_acldata_packet+0x100/0x188
   hci_rx_work+0x178/0x23c
   process_one_work+0x35c/0x95c
   worker_thread+0x4cc/0x960
   kthread+0x1a8/0x1c4
   ret_from_fork+0x10/0x18

Cc: stable@kernel.org
Reported-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2022-07-26 13:35:24 -07:00
..
bnep bluetooth: Use netif_rx(). 2022-03-07 11:40:41 +00:00
cmtp Merge branch 'signal-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2022-01-17 05:49:30 +02:00
hidp Merge branch 'signal-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2022-01-17 05:49:30 +02:00
rfcomm bluetooth-next pull request for net-next: 2021-10-05 07:41:16 -07:00
6lowpan.c bluetooth: Use netif_rx(). 2022-03-07 11:40:41 +00:00
a2mp.c Bluetooth: a2mp: Use the correct print format 2021-06-26 07:12:41 +02:00
a2mp.h Bluetooth: Replace zero-length array with flexible-array member 2020-02-28 08:30:02 +01:00
af_bluetooth.c net: SO_RCVMARK socket option for SO_MARK with recvmsg() 2022-04-28 13:08:15 -07:00
amp.c Bluetooth: amp: Use the correct print format 2021-06-26 07:12:41 +02:00
amp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
aosp.c Bluetooth: aosp: Support AOSP Bluetooth Quality Report 2021-11-02 19:37:52 +01:00
aosp.h Bluetooth: aosp: Support AOSP Bluetooth Quality Report 2021-11-02 19:37:52 +01:00
ecdh_helper.c crypto: ecdh - move curve_id of ECDH from the key to algorithm name 2021-03-13 00:04:03 +11:00
ecdh_helper.h Fix misc new gcc warnings 2021-04-27 17:05:53 -07:00
eir.c Bluetooth: eir: Add helpers for managing service data 2022-05-19 20:11:26 +02:00
eir.h Bluetooth: eir: Add helpers for managing service data 2022-05-19 20:11:26 +02:00
hci_codec.c Bluetooth: Read codec capabilities only if supported 2021-10-07 17:57:22 +02:00
hci_codec.h Bluetooth: Add support for Read Local Supported Codecs V2 2021-09-07 14:09:18 -07:00
hci_conn.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
hci_core.c Bluetooth: core: Fix deadlock on hci_power_on_sync. 2022-07-05 13:20:03 -07:00
hci_debugfs.c Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c 2021-09-22 16:17:13 +02:00
hci_debugfs.h Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c 2021-09-22 16:17:13 +02:00
hci_event.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
hci_request.c bluetooth: don't use bitmaps for random flag accesses 2022-06-05 16:28:41 -07:00
hci_request.h Bluetooth: hci_sync: Add hci_le_create_conn_sync 2021-12-22 23:01:35 +01:00
hci_sock.c net: remove noblock parameter from skb_recv_datagram() 2022-04-06 13:45:26 +01:00
hci_sync.c Bluetooth: Always set event mask on suspend 2022-07-26 13:35:13 -07:00
hci_sysfs.c Bluetooth: Fix memory leak of hci device 2021-10-13 14:31:50 +02:00
Kconfig Bluetooth: Add support for reading AOSP vendor capabilities 2021-04-06 14:11:23 -07:00
l2cap_core.c Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-07-26 13:35:24 -07:00
l2cap_sock.c Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt() 2022-01-07 08:40:11 +01:00
leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
leds.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lib.c Bluetooth: Introduce debug feature when dynamic debug is disabled 2020-05-11 12:16:27 +02:00
Makefile Bluetooth: Add helper for serialized HCI command execution 2021-10-29 16:51:58 +02:00
mgmt_config.c Bluetooth: mgmt: Use the correct print format 2021-06-26 07:12:42 +02:00
mgmt_config.h Bluetooth: mgmt: Add commands for runtime configuration 2020-06-18 13:11:03 +03:00
mgmt_util.c Bluetooth: Keep MGMT pending queue ordered FIFO 2022-05-13 13:05:48 +02:00
mgmt_util.h Bluetooth: mgmt: Introduce mgmt_alloc_skb and mgmt_send_event_skb 2021-12-07 17:05:52 +01:00
mgmt.c Bluetooth: mgmt: Fix double free on error path 2022-07-26 13:32:40 -07:00
msft.c Bluetooth: msft: Clear tracked devices on resume 2022-03-18 17:12:08 +01:00
msft.h Bluetooth: msft: Fix compilation when CONFIG_BT_MSFTEXT is not set 2021-12-07 17:05:51 +01:00
sco.c Bluetooth: HCI: Add HCI_QUIRK_BROKEN_ENHANCED_SETUP_SYNC_CONN quirk 2022-05-13 13:05:48 +02:00
selftest.c crypto: ecdh - move curve_id of ECDH from the key to algorithm name 2021-03-13 00:04:03 +11:00
selftest.h
smp.c Bluetooth: use inclusive language in HCI role comments 2021-06-26 07:12:43 +02:00
smp.h Bluetooth: use inclusive language in SMP 2021-06-26 07:12:37 +02:00