a85fb91e3d
syzbot reports a slab use-after-free in hci_conn_hash_flush [1]. After releasing an object using hci_conn_del_sysfs in the hci_conn_cleanup function, releasing the same object again using the hci_dev_put and hci_conn_put functions causes a double free. Here's a simplified flow: hci_conn_del_sysfs: hci_dev_put put_device kobject_put kref_put kobject_release kobject_cleanup kfree_const kfree(name) hci_dev_put: ... kfree(name) hci_conn_put: put_device ... kfree(name) This patch drops the hci_dev_put and hci_conn_put function calls in the hci_conn_cleanup function, because the object is already freed by hci_conn_del_sysfs. This patch also fixes the refcounting in hci_conn_add_sysfs() and hci_conn_del_sysfs() to take into account device_add() failures. This fixes CVE-2023-28464. Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1] Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com> Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
// SPDX-License-Identifier: GPL-2.0
/* Bluetooth HCI driver model support. */
#include <linux/module.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
/*
 * The sysfs class both kinds of Bluetooth device objects in this file are
 * attached to: controller ("host") devices in hci_init_sysfs() and
 * connection ("link") devices in hci_conn_init_sysfs().
 */
static const struct class bt_class = {
	.name = "bluetooth",
};
/*
 * Release callback for a "link" device.
 *
 * The struct device is embedded in the hci_conn, so dropping the last
 * reference to the device frees the connection object itself. This is the
 * only place an hci_conn is expected to be freed; callers that hold a
 * reference must release it with put_device()/hci_conn_del_sysfs() rather
 * than kfree()ing the connection directly.
 */
static void bt_link_release(struct device *dev)
{
	kfree(to_hci_conn(dev));
}
/*
 * Device type for connection objects. The release hook is what ultimately
 * frees the hci_conn (see bt_link_release()), so the connection's lifetime
 * is tied to the reference count of its embedded struct device.
 */
static const struct device_type bt_link = {
	.name    = "link",
	.release = bt_link_release,
};
/*
 * An rfcomm tty device may outlive the connection it was created under,
 * and sysfs does not support moving a zombie (already-deleted) device, so
 * any such child must be re-parented away before the conn device is
 * destroyed.
 */
/*
 * device_find_child() match callback: selects children whose device name
 * starts with "rfcomm". The @data argument is unused.
 */
static int __match_tty(struct device *dev, void *data)
{
	const char *name = dev_name(dev);

	return strncmp(name, "rfcomm", 6) == 0;
}
/*
 * Initialize the struct device embedded in a connection.
 *
 * The device is parented to the controller's device, given the "bluetooth"
 * class and the "link" type, and then initialized with device_initialize().
 * It is NOT added to sysfs here; that happens in hci_conn_add_sysfs().
 * After this call the connection holds the initial device reference, which
 * hci_conn_del_sysfs() is responsible for dropping.
 */
void hci_conn_init_sysfs(struct hci_conn *conn)
{
	struct device *dev = &conn->dev;
	struct hci_dev *hdev = conn->hdev;

	bt_dev_dbg(hdev, "conn %p", conn);

	dev->parent = &hdev->dev;
	dev->class = &bt_class;
	dev->type = &bt_link;

	device_initialize(dev);
}
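/*
 * Add the connection's device to sysfs, named "<controller>:<handle>".
 *
 * Idempotent: if the device is already registered nothing is done, so a
 * repeated call never reaches device_add() twice. On any failure the device
 * is left unregistered and the error is logged; hci_conn_del_sysfs() detects
 * that state with device_is_registered() and releases the device with a
 * plain put_device() instead of device_unregister().
 */
void hci_conn_add_sysfs(struct hci_conn *conn)
{
	struct hci_dev *hdev = conn->hdev;
	int err;

	bt_dev_dbg(hdev, "conn %p", conn);

	if (device_is_registered(&conn->dev))
		return;

	/*
	 * dev_set_name() allocates the name and can fail; bail out early rather
	 * than attempting device_add() on an unnamed device.
	 */
	err = dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
	if (err < 0) {
		bt_dev_err(hdev, "failed to set connection device name (%d)", err);
		return;
	}

	if (device_add(&conn->dev) < 0)
		bt_dev_err(hdev, "failed to register connection device");
}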
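/*
 * Remove the connection's device from sysfs and drop the reference taken by
 * hci_conn_init_sysfs().
 *
 * Two cases, told apart with device_is_registered():
 *  - device_add() never succeeded (or was never attempted): only the
 *    device_initialize() reference exists, so put_device() alone is the
 *    correct and complete release. Using device_unregister() here would
 *    over-release the object (this was the root of CVE-2023-28464).
 *  - the device is registered: any rfcomm tty children are first moved out
 *    from under it (see the comment above __match_tty()), then the device
 *    is unregistered; device_unregister() performs the reference drop on
 *    this path, so no separate put_device() is needed.
 *
 * Either way the hci_conn itself is freed by bt_link_release() when the
 * last reference goes away; callers must not free it afterwards.
 */
void hci_conn_del_sysfs(struct hci_conn *conn)
{
	struct hci_dev *hdev = conn->hdev;
	struct device *child;

	bt_dev_dbg(hdev, "conn %p", conn);

	if (!device_is_registered(&conn->dev)) {
		/* Not registered: drop the initial reference and nothing else. */
		put_device(&conn->dev);
		return;
	}

	while ((child = device_find_child(&conn->dev, NULL, __match_tty))) {
		int err = device_move(child, NULL, DPM_ORDER_DEV_LAST);

		if (err < 0) {
			/*
			 * The child is still parented to conn->dev, so the next
			 * device_find_child() would hand back the same device and
			 * this loop would never terminate. Log and stop instead;
			 * the fall-through to device_unregister() matches what
			 * happens when there are no tty children at all.
			 */
			bt_dev_err(hdev, "failed to move %s (%d)",
				   dev_name(child), err);
			put_device(child);
			break;
		}

		/* Drop the reference handed back by device_find_child(). */
		put_device(child);
	}

	device_unregister(&conn->dev);
}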
/*
 * Release callback for a "host" (controller) device.
 *
 * A controller with HCI_UNREGISTER set goes through the full
 * hci_release_dev() teardown; one without the flag is simply freed. In
 * both cases the module reference taken in hci_init_sysfs() is returned,
 * after the hdev memory has been dealt with.
 */
static void bt_host_release(struct device *dev)
{
	struct hci_dev *hdev = to_hci_dev(dev);
	bool unregistered = hci_dev_test_flag(hdev, HCI_UNREGISTER);

	if (!unregistered)
		kfree(hdev);
	else
		hci_release_dev(hdev);

	module_put(THIS_MODULE);
}
/*
 * Device type for controller objects; bt_host_release() decides between
 * hci_release_dev() and a plain kfree() based on HCI_UNREGISTER.
 */
static const struct device_type bt_host = {
	.name    = "host",
	.release = bt_host_release,
};
/*
 * Initialize a controller's embedded struct device with the "bluetooth"
 * class and the "host" type.
 *
 * A module reference is taken here and balanced by the module_put() in
 * bt_host_release(), i.e. it lives exactly as long as the device object.
 * The device is only initialized, not added to sysfs.
 */
void hci_init_sysfs(struct hci_dev *hdev)
{
	hdev->dev.class = &bt_class;
	hdev->dev.type = &bt_host;

	__module_get(THIS_MODULE);
	device_initialize(&hdev->dev);
}
/*
 * Register the "bluetooth" sysfs class at module init.
 * Returns whatever class_register() returns (0 on success).
 */
int __init bt_sysfs_init(void)
{
	int err;

	err = class_register(&bt_class);

	return err;
}
/* Counterpart of bt_sysfs_init(): unregister the "bluetooth" class. */
void bt_sysfs_cleanup(void)
{
	const struct class *cls = &bt_class;

	class_unregister(cls);
}