Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.

Fix by holding the lock.

Fixes: 70c464256310 ("Bluetooth: Refactor connection request handling")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

authored by

Pauli Virtanen and committed by

Luiz Augusto von Dentz 2 months ago 5c7209a3 12094165

-3

1 changed file

expand all

net

bluetooth

hci_event.c

-3

net/bluetooth/hci_event.c

··· 3340 3340 3341 3341 memcpy(conn->dev_class, ev->dev_class, 3); 3342 3342 3343 - hci_dev_unlock(hdev); 3344 - 3345 3343 if (ev->link_type == ACL_LINK || 3346 3344 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 3347 3345 struct hci_cp_accept_conn_req cp; ··· 3373 3375 hci_connect_cfm(conn, 0); 3374 3376 } 3375 3377 3376 - return; 3377 3378 unlock: 3378 3379 hci_dev_unlock(hdev); 3379 3380 }

Configure Feed

Configure Feed