From a588d173beaa8f8e505f1d15b80e7cdc2f7179e0 Mon Sep 17 00:00:00 2001 From: Pauli Virtanen Date: Wed, 8 Mar 2023 21:06:58 +0200 Subject: [PATCH] Bluetooth: fix use-after-free in hci_conn_del with ISO connections If hci_conn_del gets called on a LE connection linked to a CIS connection, subsequent hci_conn_del on the CIS connection results to use-after-free [1] as cis->link still points to the deleted connection. This occurs e.g. if hci_cmd_sync_queue fails in hci_le_create_cis. Fix it by doing the same what is done with the SCO+ACL linked connections. [1]: BUG: KASAN: use-after-free in hci_conn_del+0xa4/0x3e0 Write of size 8 at addr ffff8880013d2668 by task iso-tester/29 CPU: 0 PID: 29 Comm: iso-tester Not tainted 6.2.0-rc7-00024-g0e21956501c0-dirty #203 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: dump_stack_lvl+0x19/0x27 print_report+0x160/0x484 ? __virt_addr_valid+0xd4/0x150 ? hci_conn_del+0xa4/0x3e0 kasan_report+0xc7/0xf0 ? hci_conn_del+0xa4/0x3e0 hci_conn_del+0xa4/0x3e0 hci_conn_hash_flush+0xea/0x130 hci_dev_close_sync+0x34f/0x930 hci_unregister_dev+0x104/0x2a0 vhci_release+0x4c/0x90 __fput+0x102/0x410 task_work_run+0xfe/0x180 ? __pfx_task_work_run+0x10/0x10 exit_to_user_mode_prepare+0xfd/0x100 syscall_exit_to_user_mode+0x1c/0x50 do_syscall_64+0x4e/0x90 entry_SYSCALL_64_after_hwframe+0x70/0xda RIP: 0033:0x7f9880de0944
---
 net/bluetooth/hci_conn.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 17b946f9ba317c..8479b9eafbb6a2 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1074,8 +1074,16 @@ int hci_conn_del(struct hci_conn *conn)
 		/* Unacked frames */
 		hdev->acl_cnt += conn->sent;
 	} else if (conn->type == LE_LINK) {
+		struct hci_conn *iso = conn->link;
+
 		cancel_delayed_work(&conn->le_conn_timeout);
 
+		if (iso) {
+			iso->link = NULL;
+			if (iso->handle == HCI_CONN_HANDLE_UNSET)
+				hci_conn_del(iso);
+		}
+
 		if (hdev->le_pkts)
 			hdev->le_cnt += conn->sent;
 		else
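Review bot: The recursive `hci_conn_del(iso)` in the new `if (iso)` block is only safe because `iso->link = NULL` is assigned before it, and nothing in the hunk says so; a one-line comment would keep a future reorder from reintroducing a double delete, e.g. `/* Clear the back-pointer first so hci_conn_del(iso) cannot follow it back into this conn. */`. Note that when the ISO connection already has a real handle it is deliberately kept in the hash with `link == NULL`, so any ISO-path code that dereferences `conn->link` without a NULL check is presumably now reachable from this state — worth confirming, since the commit message only cites the SCO/ACL precedent. hci_conn_del begins and ends outside the hunk, so the ISO branch that would mirror this logic is not visible here.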