Bluetooth: hci_sync: Fix UAF on create_le_conn_complete

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

commit f7cbce60a38a6589f0dade720d4c2544959ecc0e upstream.

While waiting for hci_dev_lock the hci_conn object may be cleaned up,
causing the following trace:

BUG: KASAN: slab-use-after-free in hci_connect_le_scan_cleanup+0x29/0x350
Read of size 8 at addr ffff888001a50a30 by task kworker/u3:1/111

CPU: 0 PID: 111 Comm: kworker/u3:1 Not tainted
6.8.0-rc2-00701-g8179b15ab3fd-dirty #6418
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x21/0x70
 print_report+0xce/0x620
 ? preempt_count_sub+0x13/0xc0
 ? __virt_addr_valid+0x15f/0x310
 ? hci_connect_le_scan_cleanup+0x29/0x350
 kasan_report+0xdf/0x110
 ? hci_connect_le_scan_cleanup+0x29/0x350
 hci_connect_le_scan_cleanup+0x29/0x350
 create_le_conn_complete+0x25c/0x2c0

Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/bluetooth/hci_sync.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6824,6 +6824,9 @@ static void create_le_conn_complete(stru
 
 	hci_dev_lock(hdev);
 
+	if (!hci_conn_valid(hdev, conn))
+		goto done;
+
 	if (!err) {
 		hci_connect_le_scan_cleanup(conn, 0x00);
 		goto done;
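Review bot: the `hci_conn_valid(hdev, conn)` check is placed directly under `hci_dev_lock(hdev)`, which is the right spot given the commit message: the object can be freed while this function waits for the lock, so the check only protects code that runs after the lock is taken, and nothing above the lock in this function may touch `conn`. Two things to confirm: that the surrounding function really does not dereference `conn` before `hci_dev_lock()`, and that `hci_conn_valid()` is present in the 6.6 stable tree this is queued for (the queue list below carries a "hci_sync: Add helper functions to manipulat..." patch, which should land first). On the early-out path a `bt_dev_dbg(hdev, "conn no longer valid")` before the `goto done` would make a dropped completion visible in traces instead of silently skipping both the success and the error handling.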


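The race the commit message and the KASAN report describe, reduced to a user-space model: a completion handler receives a pointer to a connection object that may have been unlinked and freed before the handler obtains the device lock. The following is an added example, not code from the kernel or from this patch; `model_dev`, `model_conn`, `conn_still_registered()` and `run_scenario()` are hypothetical stand-ins for `hci_dev`, `hci_conn`, `hci_conn_valid()` and the workqueue callback. It shows the mitigation the patch applies: confirm under the lock that the pointer is still on the device's connection list, comparing addresses only, before touching the object.

```c
/* Added example, not kernel code: single-threaded model of the
 * validate-under-lock pattern used by the patch above. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct model_conn {            /* hypothetical stand-in for struct hci_conn */
    struct model_conn *next;
    unsigned int handle;
    bool scan_cleaned_up;      /* set by the stand-in for the cleanup step */
};

struct model_dev {             /* hypothetical stand-in for struct hci_dev */
    bool lock_held;            /* models hci_dev_lock()/hci_dev_unlock() */
    struct model_conn *conns;
};

static void dev_lock(struct model_dev *hdev)   { assert(!hdev->lock_held); hdev->lock_held = true; }
static void dev_unlock(struct model_dev *hdev) { assert(hdev->lock_held);  hdev->lock_held = false; }

static struct model_conn *conn_add(struct model_dev *hdev, unsigned int handle)
{
    struct model_conn *conn = calloc(1, sizeof(*conn));
    if (!conn)
        abort();
    conn->handle = handle;
    dev_lock(hdev);
    conn->next = hdev->conns;
    hdev->conns = conn;
    dev_unlock(hdev);
    return conn;
}

/* Unlink and free the object: the cleanup that races with the completion. */
static void conn_del(struct model_dev *hdev, struct model_conn *conn)
{
    dev_lock(hdev);
    for (struct model_conn **pp = &hdev->conns; *pp; pp = &(*pp)->next) {
        if (*pp == conn) {
            *pp = conn->next;
            break;
        }
    }
    dev_unlock(hdev);
    free(conn);
}

/* Must be called with the device lock held. Walks the list and compares
 * addresses only, never dereferencing conn, so it is safe to call with a
 * pointer that may already have been freed (the role hci_conn_valid() plays). */
static bool conn_still_registered(const struct model_dev *hdev,
                                  const struct model_conn *conn)
{
    assert(hdev->lock_held);
    for (const struct model_conn *c = hdev->conns; c; c = c->next)
        if (c == conn)
            return true;
    return false;
}

/* Completion handler shaped like the patched function: validate first, then
 * touch the object. Returns 1 if conn was live and handled, 0 if it had
 * already been freed and the handler bailed out without dereferencing it. */
static int conn_complete(struct model_dev *hdev, struct model_conn *conn, int err)
{
    int handled = 0;

    dev_lock(hdev);
    if (!conn_still_registered(hdev, conn))
        goto done;                        /* stale pointer: do not touch it */
    if (!err)
        conn->scan_cleaned_up = true;     /* stand-in for hci_connect_le_scan_cleanup() */
    handled = 1;
done:
    dev_unlock(hdev);
    return handled;
}

/* One scenario: with freed_first the connection is deleted before the
 * completion runs, which is the ordering the KASAN report describes. */
static int run_scenario(bool freed_first)
{
    struct model_dev hdev = { .lock_held = false, .conns = NULL };
    struct model_conn *conn = conn_add(&hdev, 0x0041);   /* constructed handle */
    int handled;

    if (freed_first)
        conn_del(&hdev, conn);            /* conn is now dangling */
    handled = conn_complete(&hdev, conn, 0);
    if (!freed_first)
        conn_del(&hdev, conn);
    return handled;
}

int main(void)
{
    printf("live conn handled:  %d\n", run_scenario(false));
    printf("freed conn handled: %d\n", run_scenario(true));
    return 0;
}
```

Without the `conn_still_registered()` check the second scenario would write through a freed pointer, which is exactly what KASAN flagged as a slab-use-after-free in `hci_connect_le_scan_cleanup()`. The check is only meaningful under the device lock; that is why the patch places it immediately after `hci_dev_lock(hdev)` rather than earlier in the function.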
Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are

queue-6.6/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
queue-6.6/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
queue-6.6/bluetooth-btnxpuart-fix-null-pointer-dereference-in-.patch
queue-6.6/bluetooth-hci_sync-introduce-hci_cmd_sync_run-hci_cm.patch
queue-6.6/bluetooth-hci_conn-fix-uaf-write-in-__hci_acl_create.patch
queue-6.6/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
queue-6.6/bluetooth-qca-if-memdump-doesn-t-work-re-enable-ibs.patch
queue-6.6/revert-bluetooth-mgmt-smp-fix-address-type-when-using-smp-over-bredr-le.patch
queue-6.6/bluetooth-hci_sync-add-helper-functions-to-manipulat.patch
queue-6.6/bluetooth-hci_sync-attempt-to-dequeue-connection-att.patch
queue-6.6/bluetooth-remove-pending-acl-connection-attempts.patch
queue-6.6/bluetooth-hci_conn-only-do-acl-connections-sequentia.patch
queue-6.6/bluetooth-hci_event-use-hci-error-defines-instead-of.patch
queue-6.6/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
queue-6.6/bluetooth-mgmt-fix-not-generating-command-complete-f.patch
