lists.openwall.net - Open Source and information security mailing list archives
Date: Sun, 23 Aug 2020 09:00:22 +0800
From: Coiby Xu <coiby.xu@...il.com>
To: linux-bluetooth@...r.kernel.org
Cc: linux-kernel-mentees@...ts.linuxfoundation.org, gregkh@...uxfoundation.org, syzkaller-bugs@...glegroups.com, syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com, Marcel Holtmann <marcel@...tmann.org>, Johan Hedberg <johan.hedberg@...il.com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] Bluetooth: fix "list_add double add" in hci_conn_complete_evt

When two HCI_EV_CONN_COMPLETE event packets with status=0 of the same HCI connection are received, device_add would be called twice which leads to kobject_add being called twice. Thus duplicate (struct hci_conn *conn)->dev.kobj.entry would be inserted into (struct hci_conn *conn)->dev.kobj.kset->list.

This issue can be fixed by checking (struct hci_conn *conn)->debugfs. If it's not NULL, it means the HCI connection has been completed and we won't duplicate the work as for processing the first HCI_EV_CONN_COMPLETE event.

Reported-and-tested-by: syzbot+dd768a260f7358adbaf9@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=dd768a260f7358adbaf9
Signed-off-by: Coiby Xu <coiby.xu@...il.com>
---
 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..1233739ce760 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2605,6 +2605,11 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) } if (!ev->status) { + if (conn->debugfs) { + bt_dev_err(hdev, "The connection has been completed"); + goto unlock; + } + conn->handle = __le16_to_cpu(ev->handle); if (conn->type == ACL_LINK) {
-- 
2.28.0
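Review bot: the new guard at the top of the `if (!ev->status)` block treats a non-NULL `conn->debugfs` as proof that an earlier CONN_COMPLETE event was already processed, but nothing in this hunk sets that field, so the early return is coupled to a side effect performed elsewhere in the function; either add a comment stating that coupling or test a state the function itself owns (the commit message describes the condition as "the HCI connection has been completed", so a check of the connection state would match the stated intent more directly). The `bt_dev_err(hdev, "The connection has been completed")` message would also be more useful if it named what was actually observed, i.e. a duplicate connection complete event for an already-completed connection, rather than the passive statement it prints now.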