Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-01 10:45:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fc666d1b47
linux-stable/net
History
ZhengHan Wang fc666d1b47 Bluetooth: Fix double free in hci_conn_cleanup 
[ Upstream commit a85fb91e3d ]

syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:

hci_conn_del_sysfs:
  hci_dev_put
    put_device
      kobject_put
        kref_put
          kobject_release
            kobject_cleanup
              kfree_const
                kfree(name)

hci_dev_put:
  ...
    kfree(name)

hci_conn_put:
  put_device
    ...
      kfree(name)

This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.

This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.

This fixes CVE-2023-28464.

Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]

Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-11-28 17:14:43 +00:00
..
6lowpan 6lowpan: Remove redundant initialisation. 2023-03-29 08:22:52 +01:00
9p 9p/net: fix possible memory leak in p9_check_errors() 2023-11-20 11:57:17 +01:00
802 treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
8021q Revert "vlan: Fix VLAN 0 memory leak" 2023-08-14 08:14:00 +01:00
appletalk sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
atm sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
ax25 sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
batman-adv batman-adv: Hold rtnl lock during MTU update via netlink 2023-08-22 17:25:10 -07:00
bluetooth Bluetooth: Fix double free in hci_conn_cleanup 2023-11-28 17:14:43 +00:00
bpf bpf: Move kernel test kfuncs to bpf_testmod 2023-05-16 22:09:24 -07:00
bpfilter net: Use umd_cleanup_helper() 2023-05-31 13:06:57 +02:00
bridge neighbour: fix data-races around n->output 2023-10-10 22:03:01 +02:00
caif sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
can can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior 2023-10-19 23:10:59 +02:00
ceph libceph: use kernel_connect() 2023-10-19 23:11:05 +02:00
core net: annotate data-races around sk->sk_dst_pending_confirm 2023-11-28 17:14:42 +00:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-01 21:07:46 -07:00
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-20 11:57:22 +01:00
devlink devlink: Hold devlink lock on health reporter dump get 2023-10-19 23:10:59 +02:00
dns_resolver cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
dsa net: dsa: fix older DSA drivers using phylink 2023-07-27 17:19:46 -07:00
ethernet net: ethernet: use sysfs_emit() to instead of scnprintf() 2022-12-07 20:02:44 -08:00
ethtool ethtool: plca: fix plca enable data type while parsing the value 2023-10-10 22:03:02 +02:00
handshake net/handshake: fix file ref count in handshake_nl_accept_doit() 2023-11-02 09:36:54 +01:00
hsr hsr: Prevent use after free in prp_create_tagged_frame() 2023-11-20 11:57:22 +01:00
ieee802154 sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
ife
ipv4 net: annotate data-races around sk->sk_dst_pending_confirm 2023-11-28 17:14:42 +00:00
ipv6 dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-20 11:57:22 +01:00
iucv net/iucv: Fix size of interrupt data 2023-03-16 17:34:40 -07:00
kcm kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). 2023-09-19 12:30:30 +02:00
key net: af_key: fix sadb_x_filter validation 2023-06-29 10:47:29 +02:00
l2tp udp: annotate data-races around udp->encap_type 2023-11-20 11:56:47 +01:00
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-20 11:57:21 +01:00
mac80211 wifi: mac80211: don't return unset power in ieee80211_get_tx_power() 2023-11-28 17:14:41 +00:00
mac802154 Core WPAN changes: 2023-06-24 15:41:46 -07:00
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-19 23:11:06 +02:00
mpls net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
mptcp mptcp: properly account fastopen data 2023-11-20 11:56:54 +01:00
ncsi ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-10-06 13:16:17 +02:00
netfilter netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses 2023-11-20 11:57:24 +01:00
netlabel netlabel: Reorder fields in 'struct netlbl_domaddr6_map' 2023-06-20 20:06:56 -07:00
netlink netlink: annotate data-races around sk->sk_err 2023-10-10 22:03:03 +02:00
netrom netrom: Deny concurrent connect(). 2023-09-13 09:53:12 +02:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-25 12:16:10 +02:00
nsh net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
openvswitch net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-20 11:57:24 +01:00
packet af_packet: Fix fortified memcpy() without flex array. 2023-10-19 23:11:01 +02:00
phonet sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
psample
qrtr Networking changes for 6.5. 2023-06-28 16:43:10 -07:00
rds net: prevent address rewrite in kernel_bind() 2023-10-19 23:10:56 +02:00
rfkill net: rfkill: reduce data->mtx scope in rfkill_fop_open 2023-10-25 12:16:30 +02:00
rose sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
rxrpc rxrpc: Fix two connection reaping bugs 2023-11-20 11:57:22 +01:00
sched net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-20 11:57:24 +01:00
sctp sctp: update hb timer immediately after users change hb_interval 2023-10-10 22:03:03 +02:00
smc net/smc: put sk reference if close work was canceled 2023-11-20 11:57:23 +01:00
strparser
sunrpc SUNRPC/TLS: Lock the lower_xprt during the tls handshake 2023-10-25 12:16:18 +02:00
switchdev
tipc tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING 2023-11-20 11:57:22 +01:00
tls tls: Use size_add() in call to struct_size() 2023-11-20 11:56:48 +01:00
unix af_unix: Fix data-race around unix_tot_inflight. 2023-09-19 12:30:18 +02:00
vmw_vsock vsock: read from socket's error queue 2023-11-28 17:14:43 +00:00
wireless wifi: cfg80211: fix off-by-one in element defrag 2023-11-20 11:56:46 +01:00
x25 sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
xdp xdp: Fix zero-size allocation warning in xskq_create() 2023-10-19 23:11:00 +02:00
xfrm net: xfrm: skip policies marked as dead while reinserting policies 2023-10-25 12:16:13 +02:00
compat.c net/compat: Update msg_control_is_user when setting a kernel pointer 2023-04-14 11:09:27 +01:00
devres.c
Kconfig net/core: Enable socket busy polling on -RT 2023-05-26 08:51:26 +01:00
Kconfig.debug
Makefile net/handshake: Create a NETLINK service for handling handshake requests 2023-04-19 18:48:48 -07:00
socket.c net: prevent address rewrite in kernel_bind() 2023-10-19 23:10:56 +02:00
sysctl_net.c