Date:   Fri,  7 Aug 2020 21:59:17 +0800
From:   Coiby Xu <coiby.xu@...il.com>
To:     linux-bluetooth@...r.kernel.org
Cc:     linux-kernel-mentees@...ts.linuxfoundation.org,
        syzkaller-bugs@...glegroups.com,
        syzbot+305a91e025a73e4fd6ce@...kaller.appspotmail.com,
        Marcel Holtmann <marcel@...tmann.org>,
        Johan Hedberg <johan.hedberg@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        netdev@...r.kernel.org (open list:NETWORKING [GENERAL]),
        linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] Bluetooth: Delete both L2CAP connection and HCI channel when completing destroying logical link in AMP

When destroying a logical link (HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE) in
AMP, the L2CAP connection (struct l2cap_conn) should be deleted together with
the HCI channel (struct hci_chan). Otherwise the HCI channel will be deleted twice
when unregistering an HCI device.

`static void l2cap_conn_del(struct hci_conn *hcon, int err)` could
achieve this purpose. Make it a public function.

Reported-and-tested-by: syzbot+305a91e025a73e4fd6ce@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
Signed-off-by: Coiby Xu <coiby.xu@...il.com>
---
 include/net/bluetooth/l2cap.h | 1 +
 net/bluetooth/amp.c           | 2 +-
 net/bluetooth/l2cap_core.c    | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 8f1e6a7a2df8..8508a433d6ac 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -988,6 +988,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan);
 typedef void (*l2cap_chan_func_t)(struct l2cap_chan *chan, void *data);
 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
 		     void *data);
+void l2cap_conn_del(struct hci_conn *hcon, int err);
 void l2cap_chan_del(struct l2cap_chan *chan, int err);
 void l2cap_send_conn_req(struct l2cap_chan *chan);
 void l2cap_move_start(struct l2cap_chan *chan);
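Review bot: The new `l2cap_conn_del()` prototype is added to the public header with no comment describing its contract, even though it is the only declaration in this group that takes a `struct hci_conn *` rather than an `l2cap_chan` or `l2cap_conn`. Since the function is now callable from outside l2cap_core.c, please add a short comment above the declaration stating what it tears down (the connection found through `hcon->l2cap_data`, per the l2cap_core.c hunk), what `err` is expected to be (an errno value, as the amp.c caller passes `bt_to_errno(reason)`), and which locks or calling context the caller must provide.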
diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
index 9c711f0dfae3..cee02f009cef 100644
--- a/net/bluetooth/amp.c
+++ b/net/bluetooth/amp.c
@@ -584,5 +584,5 @@ void amp_destroy_logical_link(struct hci_chan *hchan, u8 reason)
 {
 	BT_DBG("hchan %p", hchan);

-	hci_chan_del(hchan);
+	l2cap_conn_del(hchan->conn, bt_to_errno(reason));
 }
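Review bot: After this change `amp_destroy_logical_link()` no longer frees `hchan` itself; it relies entirely on `l2cap_conn_del(hchan->conn, ...)` to release that channel as a side effect. Nothing in the visible lines shows that the `hchan` passed in is the one owned by the `l2cap_conn` reached through `hchan->conn->l2cap_data`, or that `l2cap_data` is set at this point. If either assumption fails, the channel is leaked instead of double-freed. Please state in the commit message or in a comment here why the two are guaranteed to match, and consider keeping an explicit `hci_chan_del(hchan)` fallback for the case where no L2CAP connection is attached.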
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index fe913a5c754a..38f60fb9b515 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1851,7 +1851,7 @@ static void l2cap_unregister_all_users(struct l2cap_conn *conn)
 	}
 }

-static void l2cap_conn_del(struct hci_conn *hcon, int err)
+void l2cap_conn_del(struct hci_conn *hcon, int err)
 {
 	struct l2cap_conn *conn = hcon->l2cap_data;
 	struct l2cap_chan *chan, *l;
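Review bot: With `static` dropped, the first statement `struct l2cap_conn *conn = hcon->l2cap_data;` is now reachable from a caller outside this file, and the new amp.c caller passes `hchan->conn` without checking it. While the function was file-local its callers could be audited in one place; now that it is public, a defensive check on `hcon` at the top (or a documented requirement that it is non-NULL and still valid) would make the teardown path safer against misuse from other files. If the only intended external user is the AMP logical-link path, a narrowly named wrapper would expose less than making the whole teardown routine global.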
--
2.27.0
