| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200823010022.938532-1-coiby.xu@gmail.com>
Date: Sun, 23 Aug 2020 09:00:22 +0800
From: Coiby Xu <coiby.xu@...il.com>
To: linux-bluetooth@...r.kernel.org
Cc: linux-kernel-mentees@...ts.linuxfoundation.org,
gregkh@...uxfoundation.org, syzkaller-bugs@...glegroups.com,
syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com,
Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
netdev@...r.kernel.org (open list:NETWORKING [GENERAL]),
linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] Bluetooth: fix "list_add double add" in hci_conn_complete_evt
When two HCI_EV_CONN_COMPLETE event packets with status=0 of the same
HCI connection are received, device_add would be called twice which
leads to kobject_add being called twice. Thus duplicate
(struct hci_conn *conn)->dev.kobj.entry would be inserted into
(struct hci_conn *conn)->dev.kobj.kset->list.
This issue can be fixed by checking (struct hci_conn *conn)->debugfs.
If it's not NULL, it means the HCI connection has been completed and we
won't duplicate the work as for processing the first
HCI_EV_CONN_COMPLETE event.
Reported-and-tested-by: syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=dd768a260f7358adbaf9
Signed-off-by: Coiby Xu <coiby.xu@...il.com>
---
net/bluetooth/hci_event.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..1233739ce760 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2605,6 +2605,11 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
}
if (!ev->status) {
+ if (conn->debugfs) {
+ bt_dev_err(hdev, "The connection has been completed");
+ goto unlock;
+ }
+
conn->handle = __le16_to_cpu(ev->handle);
if (conn->type == ACL_LINK) {
--
2.28.0
Powered by blists - more mailing lists