--- /dev/null
+From 3d1c16e920c88eb5e583e1b4a10b95a5dc97ec22 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 8 Mar 2024 11:02:48 -0500
+Subject: Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 3d1c16e920c88eb5e583e1b4a10b95a5dc97ec22 upstream.
+
+This fixes the following error caused by hci_conn being freed while
+hcy_acl_create_conn_sync is pending:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
+Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848
+
+CPU: 0 PID: 848 Comm: kworker/u3:0 Not tainted 6.8.0-rc6-g2ab3e8d67fc1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
+04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x21/0x70
+ print_report+0xce/0x620
+ ? preempt_count_sub+0x13/0xc0
+ ? __virt_addr_valid+0x15f/0x310
+ ? hci_acl_create_conn_sync+0xa7/0x2e0
+ kasan_report+0xdf/0x110
+ ? hci_acl_create_conn_sync+0xa7/0x2e0
+ hci_acl_create_conn_sync+0xa7/0x2e0
+ ? __pfx_hci_acl_create_conn_sync+0x10/0x10
+ ? __pfx_lock_release+0x10/0x10
+ ? __pfx_hci_acl_create_conn_sync+0x10/0x10
+ hci_cmd_sync_work+0x138/0x1c0
+ process_one_work+0x405/0x800
+ ? __pfx_lock_acquire+0x10/0x10
+ ? __pfx_process_one_work+0x10/0x10
+ worker_thread+0x37b/0x670
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x19b/0x1e0
+ ? kthread+0xfe/0x1e0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2f/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+Allocated by task 847:
+ kasan_save_stack+0x33/0x60
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x8f/0xa0
+ hci_conn_add+0xc6/0x970
+ hci_connect_acl+0x309/0x410
+ pair_device+0x4fb/0x710
+ hci_sock_sendmsg+0x933/0xef0
+ sock_write_iter+0x2c3/0x2d0
+ do_iter_readv_writev+0x21a/0x2e0
+ vfs_writev+0x21c/0x7b0
+ do_writev+0x14a/0x180
+ do_syscall_64+0x77/0x150
+ entry_SYSCALL_64_after_hwframe+0x6c/0x74
+
+Freed by task 847:
+ kasan_save_stack+0x33/0x60
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0xfa/0x150
+ kfree+0xcb/0x250
+ device_release+0x58/0xf0
+ kobject_put+0xbb/0x160
+ hci_conn_del+0x281/0x570
+ hci_conn_hash_flush+0xfc/0x130
+ hci_dev_close_sync+0x336/0x960
+ hci_dev_close+0x10e/0x140
+ hci_sock_ioctl+0x14a/0x5c0
+ sock_ioctl+0x58a/0x5d0
+ __x64_sys_ioctl+0x480/0xf60
+ do_syscall_64+0x77/0x150
+ entry_SYSCALL_64_after_hwframe+0x6c/0x74
+
+Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6687,6 +6687,9 @@ static int hci_acl_create_conn_sync(stru
+ struct hci_cp_create_conn cp;
+ int err;
+
++ if (!hci_conn_valid(hdev, conn))
++ return -ECANCELED;
++
+ /* Many controllers disallow HCI Create Connection while it is doing
+ * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
+ * Connection. This may cause the MGMT discovering state to become false
--- /dev/null
+From f7cbce60a38a6589f0dade720d4c2544959ecc0e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 20 Feb 2024 13:10:47 -0500
+Subject: Bluetooth: hci_sync: Fix UAF on create_le_conn_complete
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit f7cbce60a38a6589f0dade720d4c2544959ecc0e upstream.
+
+While waiting for hci_dev_lock the hci_conn object may be cleanup
+causing the following trace:
+
+BUG: KASAN: slab-use-after-free in hci_connect_le_scan_cleanup+0x29/0x350
+Read of size 8 at addr ffff888001a50a30 by task kworker/u3:1/111
+
+CPU: 0 PID: 111 Comm: kworker/u3:1 Not tainted
+6.8.0-rc2-00701-g8179b15ab3fd-dirty #6418
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
+04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x21/0x70
+ print_report+0xce/0x620
+ ? preempt_count_sub+0x13/0xc0
+ ? __virt_addr_valid+0x15f/0x310
+ ? hci_connect_le_scan_cleanup+0x29/0x350
+ kasan_report+0xdf/0x110
+ ? hci_connect_le_scan_cleanup+0x29/0x350
+ hci_connect_le_scan_cleanup+0x29/0x350
+ create_le_conn_complete+0x25c/0x2c0
+
+Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6763,6 +6763,9 @@ static void create_le_conn_complete(stru
+
+ hci_dev_lock(hdev);
+
++ if (!hci_conn_valid(hdev, conn))
++ goto done;
++
+ if (!err) {
+ hci_connect_le_scan_cleanup(conn, 0x00);
+ goto done;
--- /dev/null
+From 7453847fb22c7c45334c43cc6a02ea5df5b9961d Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 16 Feb 2024 15:29:55 -0500
+Subject: Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 7453847fb22c7c45334c43cc6a02ea5df5b9961d upstream.
+
+Fixes the following trace where hci_acl_create_conn_sync attempts to
+call hci_abort_conn_sync after timeout:
+
+BUG: KASAN: slab-use-after-free in hci_abort_conn_sync
+(net/bluetooth/hci_sync.c:5439)
+Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36
+
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
+04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+<TASK>
+dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26
+./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127
+lib/dump_stack.c:107)
+print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
+? preempt_count_sub (kernel/sched/core.c:5889)
+? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1)
+./include/linux/rcupdate.h:865 (discriminator 1)
+./include/linux/mmzone.h:2026 (discriminator 1)
+arch/x86/mm/physaddr.c:65 (discriminator 1))
+? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
+kasan_report (mm/kasan/report.c:603)
+? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
+hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
+? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433)
+hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681)
+
+Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6735,15 +6735,10 @@ static int hci_acl_create_conn_sync(stru
+ else
+ cp.role_switch = 0x00;
+
+- err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
+- sizeof(cp), &cp,
+- HCI_EV_CONN_COMPLETE,
+- conn->conn_timeout, NULL);
+-
+- if (err == -ETIMEDOUT)
+- hci_abort_conn_sync(hdev, conn, HCI_ERROR_LOCAL_HOST_TERM);
+-
+- return err;
++ return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
++ sizeof(cp), &cp,
++ HCI_EV_CONN_COMPLETE,
++ conn->conn_timeout, NULL);
+ }
+
+ int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
i2c-smbus-fix-null-function-pointer-dereference.patch
phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch
bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
+bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
+bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
+bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
