Commit 30bc279
Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
commit 7453847 upstream.
Fixes the following trace where hci_acl_create_conn_sync attempts to
call hci_abort_conn_sync after timeout:
BUG: KASAN: slab-use-after-free in hci_abort_conn_sync
(net/bluetooth/hci_sync.c:5439)
Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26
./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127
lib/dump_stack.c:107)
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? preempt_count_sub (kernel/sched/core.c:5889)
? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1)
./include/linux/rcupdate.h:865 (discriminator 1)
./include/linux/mmzone.h:2026 (discriminator 1)
arch/x86/mm/physaddr.c:65 (discriminator 1))
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
kasan_report (mm/kasan/report.c:603)
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433)
hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681)
Fixes: 4534009 ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>1 parent c4c9d6b commit 30bc279
1 file changed
Lines changed: 4 additions & 9 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6735 | 6735 | | |
6736 | 6736 | | |
6737 | 6737 | | |
6738 | | - | |
6739 | | - | |
6740 | | - | |
6741 | | - | |
6742 | | - | |
6743 | | - | |
6744 | | - | |
6745 | | - | |
6746 | | - | |
| 6738 | + | |
| 6739 | + | |
| 6740 | + | |
| 6741 | + | |
6747 | 6742 | | |
6748 | 6743 | | |
6749 | 6744 | | |
| |||
0 commit comments