#syz test

On Mon, Oct 7, 2024 at 4:54 PM Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx> wrote:
>
> #syz test
>
> On Mon, Oct 7, 2024 at 1:16 PM Luiz Augusto von Dentz
> <luiz.dentz@xxxxxxxxx> wrote:
> >
> > #syz test
> >
> > On Fri, Oct 4, 2024 at 1:24 PM Luiz Augusto von Dentz
> > <luiz.dentz@xxxxxxxxx> wrote:
> > >
> > > #syz test
> > >
> > > On Fri, Oct 4, 2024 at 12:06 PM Luiz Augusto von Dentz
> > > <luiz.dentz@xxxxxxxxx> wrote:
> > > >
> > > > #syz test
> > > >
> > > > On Thu, Oct 3, 2024 at 3:21 PM Luiz Augusto von Dentz
> > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > >
> > > > > #syz test
> > > > >
> > > > > On Thu, Oct 3, 2024 at 12:32 PM Luiz Augusto von Dentz
> > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > >
> > > > > > #syz test
> > > > > >
> > > > > > On Thu, Oct 3, 2024 at 11:38 AM Luiz Augusto von Dentz
> > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > >
> > > > > > > #syz test
> > > > > > >
> > > > > > > On Wed, Oct 2, 2024 at 4:46 PM Luiz Augusto von Dentz
> > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > #syz test
> > > > > > > >
> > > > > > > > On Wed, Oct 2, 2024 at 3:46 PM Luiz Augusto von Dentz
> > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > >
> > > > > > > > > #syz test
> > > > > > > > >
> > > > > > > > > On Wed, Oct 2, 2024 at 3:19 PM Luiz Augusto von Dentz
> > > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > > >
> > > > > > > > > > #syz test
> > > > > > > > > >
> > > > > > > > > > On Wed, Oct 2, 2024 at 3:04 PM Luiz Augusto von Dentz
> > > > > > > > > > <luiz.dentz@xxxxxxxxx> wrote:
> > > > > > > > > > >
> > > > > > > > > > > From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> > > > > > > > > > >
> > > > > > > > > > > This makes use of disable_delayed_work_sync instead of
> > > > > > > > > > > cancel_delayed_work_sync as it not only cancels the ongoing work but also
> > > > > > > > > > > disables new submits, which is desirable since the object holding the work
> > > > > > > > > > > is about to be freed.
> > > > > > > > > > >
> > > > > > > > > > > In addition to it, remove the call to sco_sock_set_timer on __sco_sock_close
> > > > > > > > > > > since at that point it is useless to set a timer as the sk will be freed and
> > > > > > > > > > > there is nothing to be done in sco_sock_timeout.
> > > > > > > > > > >
> > > > > > > > > > > Reported-by: syzbot+4c0d0c4cde787116d465@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > > > > > > > > Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
> > > > > > > > > > > Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
> > > > > > > > > > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> > > > > > > > > > > ---
> > > > > > > > > > >  net/bluetooth/sco.c | 13 +------------
> > > > > > > > > > >  1 file changed, 1 insertion(+), 12 deletions(-)
> > > > > > > > > > >
> > > > > > > > > > > diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c > > > > > > > > > > > index a5ac160c592e..2b1e66976068 100644 > > > > > > > > > > > --- a/net/bluetooth/sco.c > > > > > > > > > > > +++ b/net/bluetooth/sco.c > > > > > > > > > > > @@ -208,7 +208,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > > > /* Ensure no more work items will run before freeing conn. */ > > > > > > > > > > > - cancel_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > + disable_delayed_work_sync(&conn->timeout_work); > > > > > > > > > > > > > > > > > > > > > > hcon->sco_data = NULL; > > > > > > > > > > > kfree(conn); >
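Review bot: the comment kept above the call, "Ensure no more work items will run before freeing conn.", now undersells what the line does, since disable_delayed_work_sync() also rejects any later re-arming; update it to say so (for example "Cancel and disable the work so nothing can re-arm it before conn is freed") so a later cleanup does not swap cancel_delayed_work_sync() back in as an equivalent. The Fixes: tag points at ba316be1b6a0, so it is also worth stating in the commit message which workqueue change introduced disable_delayed_work_sync(), because any stable tree that picks this up needs that dependency.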
> > > > > > > > > > @@ -442,17 +442,6 @@ static void __sco_sock_close(struct sock *sk) > > > > > > > > > > > > > > > > > > > > > > case BT_CONNECTED: > > > > > > > > > > > case BT_CONFIG: > > > > > > > > > > > - if (sco_pi(sk)->conn->hcon) { > > > > > > > > > > > - sk->sk_state = BT_DISCONN; > > > > > > > > > > > - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); > > > > > > > > > > > - sco_conn_lock(sco_pi(sk)->conn); > > > > > > > > > > > - hci_conn_drop(sco_pi(sk)->conn->hcon); > > > > > > > > > > > - sco_pi(sk)->conn->hcon = NULL; > > > > > > > > > > > - sco_conn_unlock(sco_pi(sk)->conn); > > > > > > > > > > > - } else > > > > > > > > > > > - sco_chan_del(sk, ECONNRESET); > > > > > > > > > > > - break; > > > > > > > > > > > - > > > > > > > > > > > case BT_CONNECT2: > > > > > > > > > > > case BT_CONNECT: > > > > > > > > > > > case BT_DISCONN: > > > > > > > > > > > -- > > > > > > > > > > > 2.46.1

-- 
Luiz Augusto von Dentz
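Review bot: deleting the whole BT_CONNECTED/BT_CONFIG arm removes far more than the sco_sock_set_timer() call the commit message talks about: it also drops the hci_conn_drop() of the live hcon, the hcon = NULL under sco_conn_lock, and the sco_chan_del(sk, ECONNRESET) fallback, and the socket now falls through into the BT_CONNECT2/BT_CONNECT/BT_DISCONN arm whose body is not shown here. Unless that arm drops the hcon reference, closing a connected SCO socket leaks it and the link is never torn down. If the intent is only to stop arming the timer, remove just the "- sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);" line and keep the rest of the branch, and say in the commit message why the BT_DISCONN state transition is no longer wanted.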
From 4a960d62b95deab698c4e13af036a3f0589add70 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Tue, 22 Oct 2024 12:31:08 -0400
Subject: [PATCH v1] Bluetooth: SCO: Fix UAF on sco_sock_timeout

conn->sk may have been unlinked/freed while waiting for sco_conn_lock, so
this checks if the conn->sk is still valid by checking if it is part of
sco_sk_list.

Reported-by: syzbot+4c0d0c4cde787116d465@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
---
 net/bluetooth/sco.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index a5ac160c592e..9a28b2f83e7c 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -76,6 +76,27 @@ struct sco_pinfo { #define SCO_CONN_TIMEOUT (HZ * 40) #define SCO_DISCONN_TIMEOUT (HZ * 2) +static bool sco_conn_linked(struct sco_conn *conn) +{ + struct sock *sk; + + if (!conn || !conn->sk) + return false; + + read_lock(&sco_sk_list.lock); + + sk_for_each(sk, &sco_sk_list.head) { + if (sk == conn->sk) { + read_unlock(&sco_sk_list.lock); + return true; + } + } + + read_unlock(&sco_sk_list.lock); + + return false; +} + static void sco_sock_timeout(struct work_struct *work) { struct sco_conn *conn = container_of(work, struct sco_conn, @@ -87,7 +108,7 @@ static void sco_sock_timeout(struct work_struct *work) sco_conn_unlock(conn); return; } - sk = conn->sk; + sk = sco_conn_linked(conn) ? conn->sk : NULL; if (sk) sock_hold(sk); sco_conn_unlock(conn); -- 2.47.0
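Review bot: in the first hunk, sco_conn_linked() decides validity by pointer equality against sco_sk_list, so if the freed socket's memory has already been reused by another SCO socket that was linked into the list, the stale conn->sk compares equal and the timeout acts on a socket it was never armed for; the walk narrows the window but is not a substitute for clearing conn->sk on the path that unlinks the socket. Two smaller points on the same hunk: the helper reads conn->sk, which is only meaningful with sco_conn_lock held, so say so in a comment above it; and the list walk is generic bt_sock_list membership logic, so consider a helper next to bt_sock_link()/bt_sock_unlink() in af_bluetooth.c rather than an sco.c-local one.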
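Review bot: in the second hunk, sco_conn_linked() drops sco_sk_list.lock before returning, and only then does "sk = sco_conn_linked(conn) ? conn->sk : NULL;" followed by sock_hold(sk) run, so the check is sound only if the path that unlinks and frees the socket cannot run while sco_sock_timeout() holds sco_conn_lock. The commit message says the socket was freed while the work was waiting for that very lock, which suggests the free path does not take it, in which case the race has moved rather than closed. Either make the unlink path clear conn->sk under sco_conn_lock, or take the sock_hold() inside the helper while the list read lock is still held. When the check fails, also set conn->sk = NULL so the dangling pointer is not kept around for the next timeout.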
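The race the two commit messages describe, and the limit of the list-membership check in the v1 patch, as an added user-space model written for this page (not kernel code and not from the thread): `struct sk`, `struct conn`, `sk_list`, the fixed pool and the `case_*` functions are hypothetical stand-ins for `struct sock`, `struct sco_conn`, `sco_sk_list` and a slab cache. Locking is left out because the three cases run single-threaded; only the pointer-identity problem is being shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define POOL_SIZE 4

/* Stand-in for struct sock: an identity plus linkage in the global list. */
struct sk {
	int id;            /* constructed identity; 0 after the object is freed */
	bool in_use;       /* allocator bookkeeping for the fixed pool */
	struct sk *next;   /* next entry in sk_list (sco_sk_list.head) */
};

/* Stand-in for struct sco_conn: only the back-pointer matters here. */
struct conn {
	struct sk *sk;
};

/* A fixed pool instead of a slab cache makes address reuse deterministic. */
static struct sk pool[POOL_SIZE];
static struct sk *sk_list;   /* head of the global socket list */
static int next_id;

static void reset_world(void)
{
	memset(pool, 0, sizeof(pool));
	sk_list = NULL;
	next_id = 1;
}

static struct sk *sk_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (!pool[i].in_use) {
			pool[i].in_use = true;
			pool[i].id = next_id++;
			pool[i].next = NULL;
			return &pool[i];
		}
	}
	return NULL;
}

/* bt_sock_link(): push onto the global list. */
static void sk_link(struct sk *sk)
{
	sk->next = sk_list;
	sk_list = sk;
}

/* bt_sock_unlink() followed by the free: remove from the list, then poison
 * the object so a later dereference is visibly wrong (id reads as 0). */
static void sk_unlink_and_free(struct sk *sk)
{
	for (struct sk **pp = &sk_list; *pp; pp = &(*pp)->next) {
		if (*pp == sk) {
			*pp = sk->next;
			break;
		}
	}
	memset(sk, 0, sizeof(*sk));
}

/* Modelled on sco_conn_linked() from the v1 patch: pointer equality only. */
static bool conn_linked(const struct conn *conn)
{
	if (!conn || !conn->sk)
		return false;
	for (const struct sk *sk = sk_list; sk; sk = sk->next)
		if (sk == conn->sk)
			return true;
	return false;
}

/* Modelled on the patched sco_sock_timeout(): returns the id of the socket
 * the handler would act on, or 0 if it bails out. */
static int timeout_handler(struct conn *conn)
{
	struct sk *sk = conn_linked(conn) ? conn->sk : NULL;
	return sk ? sk->id : 0;
}

/* Case 1: socket unlinked and freed while the timeout was pending. */
int case_freed(void)
{
	reset_world();
	struct conn conn = { .sk = sk_alloc() };   /* id 1 */
	sk_link(conn.sk);
	sk_unlink_and_free(conn.sk);               /* conn.sk now dangles */
	return timeout_handler(&conn);             /* 0: the check bails out */
}

/* Case 2: the freed slot is reused by a new socket that is linked before
 * the timeout runs; the dangling pointer now matches the new socket. */
int case_reused(void)
{
	reset_world();
	struct conn conn = { .sk = sk_alloc() };   /* id 1, pool[0] */
	sk_link(conn.sk);
	sk_unlink_and_free(conn.sk);
	sk_link(sk_alloc());                       /* id 2, also pool[0] */
	return timeout_handler(&conn);             /* 2: the wrong socket */
}

/* Case 3: clear the back-pointer on the unlink path instead (under the conn
 * lock in the kernel), so reuse can never be mistaken for validity. */
int case_cleared(void)
{
	reset_world();
	struct sk *victim = sk_alloc();
	struct conn conn = { .sk = victim };
	sk_link(victim);
	conn.sk = NULL;                            /* cleared before the free */
	sk_unlink_and_free(victim);
	sk_link(sk_alloc());                       /* same slot reused again */
	return timeout_handler(&conn);             /* 0 */
}
```

A real slab cache does not promise that the next allocation lands in the slot just freed, which is why case 2 is a probabilistic failure in the kernel and a deterministic one in this pool; the discipline in case 3 does not depend on allocator behaviour at all.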