Patch "Bluetooth: use hdev lock for accept_list and reject_list in conn req" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 6 Jun 2022 08:29:38 -0400

This is a note to let you know that I've just added the patch titled

    Bluetooth: use hdev lock for accept_list and reject_list in conn req

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-use-hdev-lock-for-accept_list-and-reject_l.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 799be57c44b03c6feab99be90270a3795a27b2e1
Author: Niels Dossche <dossche.niels@xxxxxxxxx>
Date:   Tue Apr 5 19:37:52 2022 +0200

    Bluetooth: use hdev lock for accept_list and reject_list in conn req
    
    [ Upstream commit fb048cae51bacdfbbda2954af3c213fdb1d484f4 ]
    
    All accesses (both reads and modifications) to
    hdev->{accept,reject}_list are protected by hdev lock,
    except the ones in hci_conn_request_evt. This can cause a race
    condition in the form of a list corruption.
    The solution is to protect these lists in hci_conn_request_evt as well.
    
    I was unable to find the exact commit that introduced the issue for the
    reject list, I was only able to find it for the accept list.
    
    Fixes: a55bd29d5227 ("Bluetooth: Add white list lookup for incoming connection requests")
    Signed-off-by: Niels Dossche <dossche.niels@xxxxxxxxx>
    Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index e984a8b4b914..5ac3aca6deeb 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2790,10 +2790,12 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 		return;
 	}
 
+	hci_dev_lock(hdev);
+
 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
 				   BDADDR_BREDR)) {
 		hci_reject_conn(hdev, &ev->bdaddr);
-		return;
+		goto unlock;
 	}
 
 	/* Require HCI_CONNECTABLE or an accept list entry to accept the
@@ -2805,13 +2807,11 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 	    !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
 					       BDADDR_BREDR)) {
 		hci_reject_conn(hdev, &ev->bdaddr);
-		return;
+		goto unlock;
 	}
 
 	/* Connection accepted */
 
-	hci_dev_lock(hdev);
-
 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
 	if (ie)
 		memcpy(ie->data.dev_class, ev->dev_class, 3);
@@ -2823,8 +2823,7 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 				    HCI_ROLE_SLAVE);
 		if (!conn) {
 			bt_dev_err(hdev, "no memory for new connection");
-			hci_dev_unlock(hdev);
-			return;
+			goto unlock;
 		}
 	}
 
@@ -2864,6 +2863,10 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 		conn->state = BT_CONNECT2;
 		hci_connect_cfm(conn, 0);
 	}
+
+	return;
+unlock:
+	hci_dev_unlock(hdev);
 }
 
 static u8 hci_to_mgmt_reason(u8 err)






