Bluetooth: hci_sync: Fix UAF on create_le_conn_complete

While waiting for hci_dev_lock the hci_conn object may be cleanup causing the following trace: BUG: KASAN: slab-use-after-free in hci_connect_le_scan_cleanup+0x29/0x350 Read of size 8 at addr ffff888001a50a30 by task kworker/u3:1/111 CPU: 0 PID: 111 Comm: kworker/u3:1 Not tainted 6.8.0-rc2-00701-g8179b15ab3fd-dirty #6418 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x21/0x70 print_report+0xce/0x620 ? preempt_count_sub+0x13/0xc0 ? __virt_addr_valid+0x15f/0x310 ? hci_connect_le_scan_cleanup+0x29/0x350 kasan_report+0xdf/0x110 ? hci_connect_le_scan_cleanup+0x29/0x350 hci_connect_le_scan_cleanup+0x29/0x350 create_le_conn_complete+0x25c/0x2c0 Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
author: Luiz Augusto von Dentz 2024-02-20 13:10:47 -0500
committer: Luiz Augusto von Dentz 2024-03-06 17:25:21 -0500
commit: f7cbce60a38a6589f0dade720d4c2544959ecc0e (patch)
tree: f1172bf9d517f2d1f3c0ef981d5b0e28c9d81cae /net/bluetooth
parent: 7453847fb22c7c45334c43cc6a02ea5df5b9961d (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 4a28aef2f01f..c2d88811d326 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6693,6 +6693,9 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
 
 	hci_dev_lock(hdev);
 
+	if (!hci_conn_valid(hdev, conn))
+		goto done;
+
 	if (!err) {
 		hci_connect_le_scan_cleanup(conn, 0x00);
 		goto done;
author	Luiz Augusto von Dentz	2024-02-20 13:10:47 -0500
committer	Luiz Augusto von Dentz	2024-03-06 17:25:21 -0500
commit	f7cbce60a38a6589f0dade720d4c2544959ecc0e (patch)
tree	f1172bf9d517f2d1f3c0ef981d5b0e28c9d81cae /net/bluetooth
parent	7453847fb22c7c45334c43cc6a02ea5df5b9961d (diff)