Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
authorPauli Virtanen <pav@iki.fi>
Sun, 29 Mar 2026 13:43:01 +0000 (16:43 +0300)
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Wed, 1 Apr 2026 20:46:33 +0000 (16:46 -0400)
hci_conn lookup and field access must be covered by hdev lock in
set_cig_params_sync, otherwise the hci_conn may be freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified
concurrently.  Just RCU lock is not suitable here, as we also want to
avoid "tearing" in the configuration.

Fixes: a091289218202 ("Bluetooth: hci_conn: Fix hci_le_set_cig_params")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
net/bluetooth/hci_conn.c

index e6393f17576b0bc1c181aedee4537b7102432967..11d3ad8d25514598940fd71bc7ebef67c0cb95f5 100644 (file)
@@ -1843,9 +1843,13 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
        u8 aux_num_cis = 0;
        u8 cis_id;
 
+       hci_dev_lock(hdev);
+
        conn = hci_conn_hash_lookup_cig(hdev, cig_id);
-       if (!conn)
+       if (!conn) {
+               hci_dev_unlock(hdev);
                return 0;
+       }
 
        qos = &conn->iso_qos;
        pdu->cig_id = cig_id;
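Review bot: The hci_dev_lock taken before hci_conn_hash_lookup_cig now stays held from this hunk through to the hci_dev_unlock in the second hunk, so every exit in between must release it; the stretch between `pdu->cig_id = cig_id;` and `pdu->num_cis = aux_num_cis;` is outside SOURCE, and if it contains any early `return` the lock would leak — a single `unlock:` label with `goto unlock;` exits would make that impossible to miss, and would also replace the paired unlock/return added for the `!conn` case. This also relies on the caller (presumably the cmd-sync work) not already holding hdev lock, since the lock is a plain mutex and is not reentrant; that precondition is not stated in the hunk. A one-line comment at the lock would record why RCU alone was rejected: `/* hdev lock, not just RCU: conn must not be freed and iso_qos must not change while the PDU is built */`. set_cig_params_sync begins before this hunk and ends after the second one.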
@@ -1884,6 +1888,8 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
        }
        pdu->num_cis = aux_num_cis;
 
+       hci_dev_unlock(hdev);
+
        if (!pdu->num_cis)
                return 0;