From:   ZhengHan Wang <wzhmmmmm@gmail.com>
To:     marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com
Cc:     linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, ZhengHan Wang <wzhmmmmm@gmail.com>
Subject: [PATCH] Bluetooth: Fix double free in hci_conn_cleanup
Date:   Thu,  9 Mar 2023 15:46:45 +0800
Patch-mainline: Not yet, reviewing on upstream
References: bsc#1209052 CVE-2023-28464

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the 
hci_conn_cleanup function, releasing the same object again 
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
    kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)

This patch drop the hci_dev_put and hci_conn_put function 
call in hci_conn_cleanup function, because the object is 
freed in hci_conn_del_sysfs function.

Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
 net/bluetooth/hci_conn.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -128,10 +128,6 @@ static void hci_conn_cleanup(struct hci_
 	hci_conn_del_sysfs(conn);
 
 	debugfs_remove_recursive(conn->debugfs);
-
-	hci_dev_put(hdev);
-
-	hci_conn_put(conn);
 }
 
 static void le_scan_cleanup(struct work_struct *work)