lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 23 Aug 2020 09:00:22 +0800
From:   Coiby Xu <coiby.xu@...il.com>
To:     linux-bluetooth@...r.kernel.org
Cc:     linux-kernel-mentees@...ts.linuxfoundation.org,
        gregkh@...uxfoundation.org, syzkaller-bugs@...glegroups.com,
        syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com,
        Marcel Holtmann <marcel@...tmann.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        netdev@...r.kernel.org (open list:NETWORKING [GENERAL]),
        linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] Bluetooth: fix "list_add double add" in hci_conn_complete_evt

When two HCI_EV_CONN_COMPLETE event packets with status=0 of the same
HCI connection are received, device_add would be called twice which
leads to kobject_add being called twice. Thus duplicate
(struct hci_conn *conn)->dev.kobj.entry would be inserted into
(struct hci_conn *conn)->dev.kobj.kset->list.

This issue can be fixed by checking (struct hci_conn *conn)->debugfs.
If it's not NULL, it means the HCI connection has been completed and we
won't duplicate the work as for processing the first
HCI_EV_CONN_COMPLETE event.

Reported-and-tested-by: syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=dd768a260f7358adbaf9
Signed-off-by: Coiby Xu <coiby.xu@...il.com>
---
 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..1233739ce760 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2605,6 +2605,11 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 	}

 	if (!ev->status) {
+		if (conn->debugfs) {
+			bt_dev_err(hdev, "The connection has been completed");
+			goto unlock;
+		}
+
 		conn->handle = __le16_to_cpu(ev->handle);

 		if (conn->type == ACL_LINK) {
--
2.28.0

Powered by blists - more mailing lists