From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
commit 7453847fb22c7c45334c43cc6a02ea5df5b9961d upstream.
Fixes the following trace where hci_acl_create_conn_sync attempts to
call hci_abort_conn_sync after timeout:
BUG: KASAN: slab-use-after-free in hci_abort_conn_sync
(net/bluetooth/hci_sync.c:5439)
Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26
./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127
lib/dump_stack.c:107)
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? preempt_count_sub (kernel/sched/core.c:5889)
? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1)
./include/linux/rcupdate.h:865 (discriminator 1)
./include/linux/mmzone.h:2026 (discriminator 1)
arch/x86/mm/physaddr.c:65 (discriminator 1))
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
kasan_report (mm/kasan/report.c:603)
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433)
hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681)
Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/bluetooth/hci_sync.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6796,15 +6796,10 @@ static int hci_acl_create_conn_sync(stru
else
cp.role_switch = 0x00;
- err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
- sizeof(cp), &cp,
- HCI_EV_CONN_COMPLETE,
- HCI_ACL_CONN_TIMEOUT, NULL);
-
- if (err == -ETIMEDOUT)
- hci_abort_conn_sync(hdev, conn, HCI_ERROR_LOCAL_HOST_TERM);
-
- return err;
+ return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
+ sizeof(cp), &cp,
+ HCI_EV_CONN_COMPLETE,
+ conn->conn_timeout, NULL);
}
int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are
queue-6.6/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
queue-6.6/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
queue-6.6/bluetooth-btnxpuart-fix-null-pointer-dereference-in-.patch
queue-6.6/bluetooth-hci_sync-introduce-hci_cmd_sync_run-hci_cm.patch
queue-6.6/bluetooth-hci_conn-fix-uaf-write-in-__hci_acl_create.patch
queue-6.6/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
queue-6.6/bluetooth-qca-if-memdump-doesn-t-work-re-enable-ibs.patch
queue-6.6/revert-bluetooth-mgmt-smp-fix-address-type-when-using-smp-over-bredr-le.patch
queue-6.6/bluetooth-hci_sync-add-helper-functions-to-manipulat.patch
queue-6.6/bluetooth-hci_sync-attempt-to-dequeue-connection-att.patch
queue-6.6/bluetooth-remove-pending-acl-connection-attempts.patch
queue-6.6/bluetooth-hci_conn-only-do-acl-connections-sequentia.patch
queue-6.6/bluetooth-hci_event-use-hci-error-defines-instead-of.patch
queue-6.6/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
queue-6.6/bluetooth-mgmt-fix-not-generating-command-complete-f.patch
