From c24e6d276104044d904c15f96753eee89edcf580 Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: Apr 20 2023 11:00:08 +0000
Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} (bsc#1012628).
---
diff --git a/patches.kernel.org/6.2.12-013-Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_di.patch b/patches.kernel.org/6.2.12-013-Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_di.patch
new file mode 100644
index 0000000..26fe1d3
--- /dev/null
+++ b/patches.kernel.org/6.2.12-013-Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_di.patch
@@ -0,0 +1,104 @@
+From: Luiz Augusto von Dentz
+Date: Thu, 6 Apr 2023 09:33:09 -0700
+Subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free in
+ l2cap_disconnect_{req,rsp}
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: a2a9339e1c9deb7e1e079e12e27a0265aea8421a
+
+commit a2a9339e1c9deb7e1e079e12e27a0265aea8421a upstream.
+
+Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
+caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
+prevent referencing a channel that is about to be destroyed.
+
+Cc: stable@kernel.org
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Min Li
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ net/bluetooth/l2cap_core.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 49926f59..55a72262 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4652,33 +4652,27 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ 
+ BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
+ 
+- mutex_lock(&conn->chan_lock);
+-
+- chan = __l2cap_get_chan_by_scid(conn, dcid);
++ chan = l2cap_get_chan_by_scid(conn, dcid);
+ if (!chan) {
+- mutex_unlock(&conn->chan_lock);
+ cmd_reject_invalid_cid(conn, cmd->ident, dcid, scid);
+ return 0;
+ }
+ 
+- l2cap_chan_hold(chan);
+- l2cap_chan_lock(chan);
+-
+ rsp.dcid = cpu_to_le16(chan->scid);
+ rsp.scid = cpu_to_le16(chan->dcid);
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
+ 
+ chan->ops->set_shutdown(chan);
+ 
++ mutex_lock(&conn->chan_lock);
+ l2cap_chan_del(chan, ECONNRESET);
++ mutex_unlock(&conn->chan_lock);
+ 
+ chan->ops->close(chan);
+ 
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+ 
+- mutex_unlock(&conn->chan_lock);
+-
+ return 0;
+ }
+ 
+@@ -4698,33 +4692,27 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+ 
+ BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
+ 
+- mutex_lock(&conn->chan_lock);
+-
+- chan = __l2cap_get_chan_by_scid(conn, scid);
++ chan = l2cap_get_chan_by_scid(conn, scid);
+ if (!chan) {
+ mutex_unlock(&conn->chan_lock);
+ return 0;
+ }
+ 
+- l2cap_chan_hold(chan);
+- l2cap_chan_lock(chan);
+-
+ if (chan->state != BT_DISCONN) {
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+- mutex_unlock(&conn->chan_lock);
+ return 0;
+ }
+ 
++ mutex_lock(&conn->chan_lock);
+ l2cap_chan_del(chan, 0);
++ mutex_unlock(&conn->chan_lock);
+ 
+ chan->ops->close(chan);
+ 
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+ 
+- mutex_unlock(&conn->chan_lock);
+-
+ return 0;
+ }
+ 
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index cf4e40a..b72de46 100644
--- a/series.conf
+++ b/series.conf
@@ -2240,6 +2240,7 @@
 patches.kernel.org/6.2.12-010-ALSA-emu10k1-don-t-create-old-pass-through-pla.patch
 patches.kernel.org/6.2.12-011-ALSA-hda-sigmatel-fix-S-PDIF-out-on-Intel-D-45.patch
 patches.kernel.org/6.2.12-012-ALSA-hda-hdmi-disable-KAE-for-Intel-DG2.patch
+ patches.kernel.org/6.2.12-013-Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_di.patch
 ########################################################
 # Build fixes that apply to the vanilla kernel too.
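Review bot: In the l2cap_disconnect_rsp hunk, the `if (!chan)` branch keeps `mutex_unlock(&conn->chan_lock);` as a context line although the `mutex_lock(&conn->chan_lock);` that used to precede the lookup is removed, so a disconnect response carrying an unknown scid (peer-supplied, as far as the hunk shows) now unlocks a mutex this path never acquired — a lockdep splat at best, corrupted mutex owner/wait state at worst. The l2cap_disconnect_req hunk removes that exact line from its own `!chan` branch; the rsp side should match it, leaving only `return 0;` in that branch. A second, hedged concern: the removed lines show the former order was conn->chan_lock then the channel lock, while the new code takes conn->chan_lock around l2cap_chan_del after l2cap_get_chan_by_scid has presumably locked the channel, so any remaining path that still nests them the old way is an ABBA inversion worth checking (l2cap_get_chan_by_scid's body is not in this patch). Both l2cap_disconnect_req and l2cap_disconnect_rsp start before their hunks, so their declarations are outside this view.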