Bluetooth: fix use-after-free in hci_conn_del with ISO connections
If hci_conn_del gets called on a LE connection linked to a CIS
connection, a subsequent hci_conn_del on the CIS connection results in a
use-after-free [1] as cis->link still points to the deleted connection.

This occurs e.g. if hci_cmd_sync_queue fails in hci_le_create_cis.

Fix it by doing the same as is done with the SCO+ACL linked
connections.

[1]:
BUG: KASAN: use-after-free in hci_conn_del+0xa4/0x3e0
Write of size 8 at addr ffff8880013d2668 by task iso-tester/29

CPU: 0 PID: 29 Comm: iso-tester Not tainted 6.2.0-rc7-00024-g0e21956501c0-dirty torvalds#203
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x19/0x27
 print_report+0x160/0x484
 ? __virt_addr_valid+0xd4/0x150
 ? hci_conn_del+0xa4/0x3e0
 kasan_report+0xc7/0xf0
 ? hci_conn_del+0xa4/0x3e0
 hci_conn_del+0xa4/0x3e0
 hci_conn_hash_flush+0xea/0x130
 hci_dev_close_sync+0x34f/0x930
 hci_unregister_dev+0x104/0x2a0
 vhci_release+0x4c/0x90
 __fput+0x102/0x410
 task_work_run+0xfe/0x180
 ? __pfx_task_work_run+0x10/0x10
 exit_to_user_mode_prepare+0xfd/0x100
 syscall_exit_to_user_mode+0x1c/0x50
 do_syscall_64+0x4e/0x90
 entry_SYSCALL_64_after_hwframe+0x70/0xda
RIP: 0033:0x7f9880de0944
pv committed Mar 9, 2023
1 parent 0e21956 commit a046ec2
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions net/bluetooth/hci_conn.c
@@ -1074,8 +1074,15 @@ int hci_conn_del(struct hci_conn *conn)
/* Unacked frames */
hdev->acl_cnt += conn->sent;
} else if (conn->type == LE_LINK) {
struct hci_conn *iso = conn->link;

cancel_delayed_work(&conn->le_conn_timeout);

if (iso) {
iso->link = NULL;
hci_conn_drop(iso);
}

if (hdev->le_pkts)
hdev->le_cnt += conn->sent;
else
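Review bot: the `hci_conn_drop(iso)` in the new `if (iso)` block is only correct if a matching `hci_conn_hold()` was taken on the CIS when `conn->link` was set; this hunk does not show where the link is established, so please confirm the hold/drop pair is balanced, otherwise the ISO connection's refcount goes negative instead of merely fixing the dangling pointer. The hunk also covers only the order "LE deleted first, CIS deleted later"; the commit message says this mirrors the SCO+ACL handling, but nothing in the diff shows the ISO_LINK branch of hci_conn_del clearing the LE side's `link` when the CIS is deleted first, so either that branch already does it (worth stating in the message) or it needs the symmetric `le->link = NULL; hci_conn_drop(le);` as well. Minor: naming the local `iso` hard-codes the assumption that an LE connection's `link` can only ever be a CIS; a one-line comment above `struct hci_conn *iso = conn->link;` saying so would save the next reader from checking.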
