This is a note to let you know that I've just added the patch titled
Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
to the 6.3-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bluetooth-refcnt-drop-must-be-placed-last-in-hci_conn_unlink.patch
and it can be found in the queue-6.3 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 2910431ab0e500dfc5df12299bb15eef0f30b43e Mon Sep 17 00:00:00 2001
From: Ruihan Li <lrh2000@xxxxxxxxxx>
Date: Wed, 3 May 2023 21:39:35 +0800
Subject: Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
From: Ruihan Li <lrh2000@xxxxxxxxxx>
commit 2910431ab0e500dfc5df12299bb15eef0f30b43e upstream.
If hci_conn_put(conn->parent) reduces conn->parent's reference count to
zero, it can immediately deallocate conn->parent. At the same time,
conn->link->list has its head in conn->parent, causing use-after-free
problems in the latter list_del_rcu(&conn->link->list).
This problem can be easily solved by reordering the two operations,
i.e., first performing the list removal with list_del_rcu and then
decreasing the refcnt with hci_conn_put.
Reported-by: Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>
Closes: https://lore.kernel.org/linux-bluetooth/CABBYNZ+1kce8_RJrLNOXd_8=Mdpb=2bx4Nto-hFORk=qiOkoCg@xxxxxxxxxxxxxx/
Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
Signed-off-by: Ruihan Li <lrh2000@xxxxxxxxxx>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/bluetooth/hci_conn.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1107,12 +1107,12 @@ static void hci_conn_unlink(struct hci_c
if (!conn->link)
return;
- hci_conn_put(conn->parent);
- conn->parent = NULL;
-
list_del_rcu(&conn->link->list);
synchronize_rcu();
+ hci_conn_put(conn->parent);
+ conn->parent = NULL;
+
kfree(conn->link);
conn->link = NULL;
}
Patches currently in stable-queue which might be from lrh2000@xxxxxxxxxx are
queue-6.3/bluetooth-refcnt-drop-must-be-placed-last-in-hci_conn_unlink.patch
queue-6.3/bluetooth-fix-potential-double-free-caused-by-hci_conn_unlink.patch
queue-6.3/usb-usbfs-enforce-page-requirements-for-mmap.patch
queue-6.3/mm-page_table_check-make-it-dependent-on-exclusive_system_ram.patch
queue-6.3/bluetooth-fix-uaf-in-hci_conn_hash_flush-again.patch
queue-6.3/usb-usbfs-use-consistent-mmap-functions.patch
queue-6.3/mm-page_table_check-ensure-user-pages-are-not-slab-pages.patch
