This is a note to let you know that I've just added the patch titled Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression to the 5.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch and it can be found in the queue-5.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 332f1795ca202489c665a75e62e18ff6284de077 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Date: Mon, 1 Aug 2022 13:52:07 -0700 Subject: Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> commit 332f1795ca202489c665a75e62e18ff6284de077 upstream. The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch static checker warning: net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm() error: we previously assumed 'c' could be null (see line 1996) Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put") Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/bluetooth/l2cap_core.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -1969,11 +1969,11 @@ static struct l2cap_chan *l2cap_global_c bdaddr_t *dst, u8 link_type) { - struct l2cap_chan *c, *c1 = NULL; + struct l2cap_chan *c, *tmp, *c1 = NULL; read_lock(&chan_list_lock); - list_for_each_entry(c, &chan_list, global_l) { + list_for_each_entry_safe(c, tmp, &chan_list, global_l) { if (state && c->state != state) continue; 
@@ -1992,11 +1992,10 @@ static struct l2cap_chan *l2cap_global_c dst_match = !bacmp(&c->dst, dst); if (src_match && dst_match) { c = l2cap_chan_hold_unless_zero(c); - if (!c) - continue; - - read_unlock(&chan_list_lock); - return c; + if (c) { + read_unlock(&chan_list_lock); + return c; + } } /* Closest match */ Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are queue-5.19/bluetooth-mgmt-fix-refresh-cached-connection-info.patch queue-5.19/bluetooth-hci_sync-fix-resuming-scan-after-suspend-r.patch queue-5.19/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch queue-5.19/bluetooth-add-default-wakeup-callback-for-hci-uart-d.patch queue-5.19/bluetooth-hci_sync-fix-not-updating-privacy_mode.patch
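Review bot: The switch to list_for_each_entry_safe() in the first hunk (@@ -1969) is undocumented and is easy to misread as protection against entries being removed from chan_list during the walk. Going by the second hunk, tmp is needed only because the loop body overwrites the cursor with `c = l2cap_chan_hold_unless_zero(c);`, so that the iterator can still advance after c has become NULL. Either add a comment on the loop line saying so, or keep list_for_each_entry() and stop assigning to c inside the loop, which keeps the iterator's usual meaning for the next reader. The _safe variant only tolerates the loop body invalidating the current entry; exclusion against other writers still comes from read_lock(&chan_list_lock).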
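Review bot: In the second hunk (@@ -1992), the failure path of l2cap_chan_hold_unless_zero() no longer skips to the next entry. The removed lines ran `continue` when the hold failed; the new `if (c) { ... }` form leaves the `if (src_match && dst_match)` block with c already overwritten by NULL and carries on into the code after the `/* Closest match */` comment in the same iteration. That code is not visible in this hunk, but if it reads any field of c it dereferences a NULL pointer, which is the same class of problem the Smatch warning in the commit message reports. Suggest testing the return value without assigning it, for example `if (!l2cap_chan_hold_unless_zero(c)) continue;` followed by the read_unlock() and `return c;`. That keeps c valid on both paths and restores the skip for a channel whose refcount has already dropped to zero.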