Patch "Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync" has been added to the 6.8-stable tree

This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feel it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 7453847fb22c7c45334c43cc6a02ea5df5b9961d Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Fri, 16 Feb 2024 15:29:55 -0500
Subject: Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

commit 7453847fb22c7c45334c43cc6a02ea5df5b9961d upstream.

Fixes the following trace where hci_acl_create_conn_sync attempts to
call hci_abort_conn_sync after timeout:

BUG: KASAN: slab-use-after-free in hci_abort_conn_sync
(net/bluetooth/hci_sync.c:5439)
Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26
/arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127
lib/dump_stack.c:107)
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? preempt_count_sub (kernel/sched/core.c:5889)
? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1)
/include/linux/rcupdate.h:865 (discriminator 1)
/include/linux/mmzone.h:2026 (discriminator 1)
arch/x86/mm/physaddr.c:65 (discriminator 1))
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
kasan_report (mm/kasan/report.c:603)
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433)
hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681)

Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/bluetooth/hci_sync.c |   13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6735,15 +6735,10 @@ static int hci_acl_create_conn_sync(stru
 	else
 		cp.role_switch = 0x00;
 
-	err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
-				       sizeof(cp), &cp,
-				       HCI_EV_CONN_COMPLETE,
-				       conn->conn_timeout, NULL);
-
-	if (err == -ETIMEDOUT)
-		hci_abort_conn_sync(hdev, conn, HCI_ERROR_LOCAL_HOST_TERM);
-
-	return err;
+	return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
+					sizeof(cp), &cp,
+					HCI_EV_CONN_COMPLETE,
+					conn->conn_timeout, NULL);
 }
 
 int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
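Review bot: with the `-ETIMEDOUT` branch removed, this path no longer calls hci_abort_conn_sync() on a timed-out Create Connection, and nothing in the hunk or the commit message says where the timed-out attempt is now torn down; since the KASAN trace shows `conn` can already be freed by the time __hci_cmd_sync_status_sk() returns, any use of `conn` after the wait is unsafe, so the removal is the right shape, but a short comment above the `return` (or a sentence in the commit message) naming the path that now handles the timeout would let backporters confirm the cleanup is still done. Note also that the remaining `conn->conn_timeout` read happens before the wait, which is the only point at which `conn` is known to be live on this path.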


Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are

queue-6.8/bluetooth-mgmt-fix-failing-to-mgmt_op_add_uuid-mgmt_.patch
queue-6.8/bluetooth-remove-pending-acl-connection-attempts.patch
queue-6.8/bluetooth-hci_sync-use-advertised-phys-on-hci_le_ext.patch
queue-6.8/bluetooth-hci_conn-always-use-sk_timeo-as-conn_timeo.patch
queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch
queue-6.8/bluetooth-btusb-fix-triggering-coredump-implementati.patch
queue-6.8/bluetooth-btusb-mediatek-fix-double-free-of-skb-in-c.patch
queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
queue-6.8/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
queue-6.8/bluetooth-qca-set-power_ctrl_enabled-on-null-returne.patch
queue-6.8/bluetooth-hci_event-fix-sending-hci_op_read_enc_key_.patch
queue-6.8/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
queue-6.8/bluetooth-hci_sync-using-hci_cmd_sync_submit-when-re.patch
queue-6.8/bluetooth-hci_conn-only-do-acl-connections-sequentia.patch
queue-6.8/bluetooth-iso-reassemble-pa-data-for-bcast-sink.patch
queue-6.8/bluetooth-hci_conn-fix-uaf-write-in-__hci_acl_create.patch
queue-6.8/bluetooth-hci_sync-add-helper-functions-to-manipulat.patch
queue-6.8/bluetooth-hci_event-use-hci-error-defines-instead-of.patch
queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
queue-6.8/bluetooth-hci_sync-attempt-to-dequeue-connection-att.patch
