This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_sync: Fix UAF on create_le_conn_complete

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From f7cbce60a38a6589f0dade720d4c2544959ecc0e Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Tue, 20 Feb 2024 13:10:47 -0500
Subject: Bluetooth: hci_sync: Fix UAF on create_le_conn_complete

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

commit f7cbce60a38a6589f0dade720d4c2544959ecc0e upstream.

While waiting for hci_dev_lock the hci_conn object may be cleaned up
causing the following trace:

BUG: KASAN: slab-use-after-free in hci_connect_le_scan_cleanup+0x29/0x350
Read of size 8 at addr ffff888001a50a30 by task kworker/u3:1/111

CPU: 0 PID: 111 Comm: kworker/u3:1 Not tainted 6.8.0-rc2-00701-g8179b15ab3fd-dirty #6418
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x21/0x70
 print_report+0xce/0x620
 ? preempt_count_sub+0x13/0xc0
 ? __virt_addr_valid+0x15f/0x310
 ? hci_connect_le_scan_cleanup+0x29/0x350
 kasan_report+0xdf/0x110
 ? hci_connect_le_scan_cleanup+0x29/0x350
 hci_connect_le_scan_cleanup+0x29/0x350
 create_le_conn_complete+0x25c/0x2c0

Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/bluetooth/hci_sync.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6763,6 +6763,9 @@ static void create_le_conn_complete(stru hci_dev_lock(hdev); + if (!hci_conn_valid(hdev, conn)) + goto done; + if (!err) { hci_connect_le_scan_cleanup(conn, 0x00); goto done; Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are queue-6.8/bluetooth-mgmt-fix-failing-to-mgmt_op_add_uuid-mgmt_.patch queue-6.8/bluetooth-remove-pending-acl-connection-attempts.patch queue-6.8/bluetooth-hci_sync-use-advertised-phys-on-hci_le_ext.patch queue-6.8/bluetooth-hci_conn-always-use-sk_timeo-as-conn_timeo.patch queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch queue-6.8/bluetooth-btusb-fix-triggering-coredump-implementati.patch queue-6.8/bluetooth-btusb-mediatek-fix-double-free-of-skb-in-c.patch queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch queue-6.8/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch queue-6.8/bluetooth-qca-set-power_ctrl_enabled-on-null-returne.patch queue-6.8/bluetooth-hci_event-fix-sending-hci_op_read_enc_key_.patch queue-6.8/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch queue-6.8/bluetooth-hci_sync-using-hci_cmd_sync_submit-when-re.patch queue-6.8/bluetooth-hci_conn-only-do-acl-connections-sequentia.patch queue-6.8/bluetooth-iso-reassemble-pa-data-for-bcast-sink.patch queue-6.8/bluetooth-hci_conn-fix-uaf-write-in-__hci_acl_create.patch queue-6.8/bluetooth-hci_sync-add-helper-functions-to-manipulat.patch queue-6.8/bluetooth-hci_event-use-hci-error-defines-instead-of.patch queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch queue-6.8/bluetooth-hci_sync-attempt-to-dequeue-connection-att.patch
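Review bot: the new `if (!hci_conn_valid(hdev, conn)) goto done;` in the hunk at @@ -6763 is placed correctly, right after `hci_dev_lock(hdev)` and before the `hci_connect_le_scan_cleanup(conn, 0x00)` call that KASAN flagged, but its safety depends entirely on `hci_conn_valid()` comparing `conn` against the live connection list without ever dereferencing it (the object may already be freed at this point), so a one-line comment above the check stating that `conn` may have been cleaned up while waiting for the lock and must only be compared, not read, would save the next reader from re-deriving that. Two points for the stable backport: `hci_conn_valid()` is not introduced by this patch, so queue-6.8 must carry `bluetooth-hci_sync-add-helper-functions-to-manipulat.patch` (listed above) ahead of this one or hci_sync.c will not build; and when `err` is non-zero and the connection is already gone, the `goto done` now skips whatever error handling follows the shown context, which is presumably intended because there is nothing left to tear down, but that deserves a sentence in the commit message.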
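The race the commit message describes, as an added user-space model that is not kernel code and not part of this patch: a completion handler is handed a raw pointer to a connection object, waits for the device lock, and meanwhile the object is unlinked and freed. The names `model_dev`, `model_conn`, `model_conn_valid` and `model_conn_complete` are assumptions for illustration, not Bluetooth subsystem identifiers; the point they demonstrate is that a membership check by pointer comparison, done under the lock, lets the handler bail out without ever touching possibly freed memory.

```c
/* Added example, not kernel code: a user-space model of the pattern the
 * patch relies on. Names are assumptions for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_conn {
    struct model_conn *next;   /* intrusive singly linked list */
    unsigned int handle;
    char state[16];
};

struct model_dev {
    struct model_conn *conn_list;  /* all live connections, guarded by the lock */
    int lock_held;                 /* stand-in for hci_dev_lock()/hci_dev_unlock() */
};

static void model_dev_lock(struct model_dev *dev)   { dev->lock_held = 1; }
static void model_dev_unlock(struct model_dev *dev) { dev->lock_held = 0; }

/* Allocate a connection and link it into the live list. */
struct model_conn *model_conn_add(struct model_dev *dev, unsigned int handle)
{
    struct model_conn *conn = calloc(1, sizeof(*conn));
    if (!conn)
        return NULL;
    conn->handle = handle;
    strcpy(conn->state, "connecting");
    conn->next = dev->conn_list;
    dev->conn_list = conn;
    return conn;
}

/* Unlink and free a connection: this is the "cleanup" that can run while a
 * completion handler is still waiting for the device lock. */
void model_conn_del(struct model_dev *dev, struct model_conn *conn)
{
    struct model_conn **pp = &dev->conn_list;
    while (*pp && *pp != conn)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = conn->next;
        memset(conn, 0xAA, sizeof(*conn)); /* poison so a stale read is obvious */
        free(conn);
    }
}

/* Membership check by pointer comparison only: "conn" is never dereferenced,
 * so it is safe to call with a pointer that may already have been freed.
 * The caller must hold the device lock so the list cannot change meanwhile. */
int model_conn_valid(struct model_dev *dev, struct model_conn *conn)
{
    struct model_conn *c;
    if (!dev->lock_held)
        return 0;
    for (c = dev->conn_list; c; c = c->next)
        if (c == conn)
            return 1;
    return 0;
}

/* Completion handler shaped like the patched function: it receives a raw
 * pointer captured earlier, takes the lock, and only then may use it.
 * Returns 0 on success, -1 if the connection was cleaned up meanwhile. */
int model_conn_complete(struct model_dev *dev, struct model_conn *conn, int err)
{
    int ret = 0;

    model_dev_lock(dev);
    if (!model_conn_valid(dev, conn)) {   /* the check the patch adds */
        ret = -1;
        goto done;
    }
    if (!err)
        strcpy(conn->state, "connected"); /* safe: conn is on the live list */
    else
        strcpy(conn->state, "failed");
done:
    model_dev_unlock(dev);
    return ret;
}

int main(void)
{
    struct model_dev dev = { .conn_list = NULL, .lock_held = 0 };
    struct model_conn *conn = model_conn_add(&dev, 0x0001);

    /* Normal path: the object is still live when the completion runs. */
    printf("complete while live: %d\n", model_conn_complete(&dev, conn, 0));

    /* Race path: cleanup wins before the handler gets the lock. Without the
     * validity check the strcpy() above would write into freed memory. */
    model_conn_del(&dev, conn);
    printf("complete after cleanup: %d\n", model_conn_complete(&dev, conn, 0));
    return 0;
}
```

Build with `cc -fsanitize=address model.c` and remove the `model_conn_valid` check to watch ASan report the same heap-use-after-free shape as the KASAN trace above. One caveat of any pointer-membership check: it cannot tell a freed object from a new one later allocated at the same address, so it only holds together with whatever guarantees the subsystem gives about when the pointer was captured and how long it is used after the lock is taken.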