Commit e53f5293 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'for-net-2022-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

 - Fix early wakeup after suspend
 - Fix double free on error
 - Fix use-after-free on l2cap_chan_put

* tag 'for-net-2022-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
  Bluetooth: Always set event mask on suspend
  Bluetooth: mgmt: Fix double free on error path
====================

Link: https://lore.kernel.org/r/20220726221328.423714-1-luiz.dentz@gmail.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents aa40d5a4 d0be8347

include/net/bluetooth/l2cap.h

+1 −0
Original line number Diff line number Diff line
@@ -847,6 +847,7 @@ enum { 
};



void l2cap_chan_hold(struct l2cap_chan *c);

struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c);

void l2cap_chan_put(struct l2cap_chan *c);



static inline void l2cap_chan_lock(struct l2cap_chan *chan)

net/bluetooth/hci_sync.c

+3 −3
Original line number Diff line number Diff line
@@ -4973,6 +4973,9 @@ int hci_suspend_sync(struct hci_dev *hdev) 
		return err;

	}



	/* Update event mask so only the allowed event can wakeup the host */

	hci_set_event_mask_sync(hdev);



	/* Only configure accept list if disconnect succeeded and wake

	 * isn't being prevented.

	 */
@@ -4984,9 +4987,6 @@ int hci_suspend_sync(struct hci_dev *hdev) 
	/* Unpause to take care of updating scanning params */

	hdev->scanning_paused = false;



	/* Update event mask so only the allowed event can wakeup the host */

	hci_set_event_mask_sync(hdev);



	/* Enable event filter for paired devices */

	hci_update_event_filter_sync(hdev);

net/bluetooth/l2cap_core.c

+48 −13
Original line number Diff line number Diff line
@@ -111,7 +111,8 @@ static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, 
}



/* Find channel with given SCID.

 * Returns locked channel. */

 * Returns a reference locked channel.

 */

static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,

						 u16 cid)

{
@@ -119,15 +120,19 @@ static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, 


	mutex_lock(&conn->chan_lock);

	c = __l2cap_get_chan_by_scid(conn, cid);

	if (c) {

		/* Only lock if chan reference is not 0 */

		c = l2cap_chan_hold_unless_zero(c);

		if (c)

			l2cap_chan_lock(c);

	}

	mutex_unlock(&conn->chan_lock);



	return c;

}



/* Find channel with given DCID.

 * Returns locked channel.

 * Returns a reference locked channel.

 */

static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,

						 u16 cid)
@@ -136,8 +141,12 @@ static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, 


	mutex_lock(&conn->chan_lock);

	c = __l2cap_get_chan_by_dcid(conn, cid);

	if (c) {

		/* Only lock if chan reference is not 0 */

		c = l2cap_chan_hold_unless_zero(c);

		if (c)

			l2cap_chan_lock(c);

	}

	mutex_unlock(&conn->chan_lock);



	return c;
@@ -162,8 +171,12 @@ static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, 


	mutex_lock(&conn->chan_lock);

	c = __l2cap_get_chan_by_ident(conn, ident);

	if (c) {

		/* Only lock if chan reference is not 0 */

		c = l2cap_chan_hold_unless_zero(c);

		if (c)

			l2cap_chan_lock(c);

	}

	mutex_unlock(&conn->chan_lock);



	return c;
@@ -497,6 +510,16 @@ void l2cap_chan_hold(struct l2cap_chan *c) 
	kref_get(&c->kref);

}



struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c)

{

	BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));



	if (!kref_get_unless_zero(&c->kref))

		return NULL;



	return c;

}



void l2cap_chan_put(struct l2cap_chan *c)

{

	BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref));
@@ -1968,7 +1991,10 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 
			src_match = !bacmp(&c->src, src);

			dst_match = !bacmp(&c->dst, dst);

			if (src_match && dst_match) {

				l2cap_chan_hold(c);

				c = l2cap_chan_hold_unless_zero(c);

				if (!c)

					continue;



				read_unlock(&chan_list_lock);

				return c;

			}
@@ -1983,7 +2009,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, 
	}



	if (c1)

		l2cap_chan_hold(c1);

		c1 = l2cap_chan_hold_unless_zero(c1);



	read_unlock(&chan_list_lock);
@@ -4463,6 +4489,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, 


unlock:

	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);

	return err;

}
@@ -4577,6 +4604,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, 


done:

	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);

	return err;

}
@@ -5304,6 +5332,7 @@ static inline int l2cap_move_channel_req(struct l2cap_conn *conn, 
	l2cap_send_move_chan_rsp(chan, result);



	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);



	return 0;

}
@@ -5396,6 +5425,7 @@ static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result) 
	}



	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);

}



static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
@@ -5425,6 +5455,7 @@ static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, 
	l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);



	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);

}



static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
@@ -5488,6 +5519,7 @@ static int l2cap_move_channel_confirm(struct l2cap_conn *conn, 
	l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);



	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);



	return 0;

}
@@ -5523,6 +5555,7 @@ static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn, 
	}



	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);



	return 0;

}
@@ -5895,12 +5928,11 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn, 
	if (credits > max_credits) {

		BT_ERR("LE credits overflow");

		l2cap_send_disconn_req(chan, ECONNRESET);

		l2cap_chan_unlock(chan);



		/* Return 0 so that we don't trigger an unnecessary

		 * command reject packet.

		 */

		return 0;

		goto unlock;

	}



	chan->tx_credits += credits;
@@ -5911,7 +5943,9 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn, 
	if (chan->tx_credits)

		chan->ops->resume(chan);



unlock:

	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);



	return 0;

}
@@ -7597,6 +7631,7 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, 


done:

	l2cap_chan_unlock(chan);

	l2cap_chan_put(chan);

}



static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm,
@@ -8085,7 +8120,7 @@ static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, 
		if (src_type != c->src_type)

			continue;



		l2cap_chan_hold(c);

		c = l2cap_chan_hold_unless_zero(c);

		read_unlock(&chan_list_lock);

		return c;

	}

net/bluetooth/mgmt.c

+0 −1
Original line number Diff line number Diff line
@@ -4723,7 +4723,6 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, 
		else

			status = MGMT_STATUS_FAILED;



		mgmt_pending_remove(cmd);

		goto unlock;

	}