From patchwork Tue May 2 14:57:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ruihan Li X-Patchwork-Id: 13229027 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8421AC77B7E for ; Tue, 2 May 2023 14:58:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233917AbjEBO6H (ORCPT ); Tue, 2 May 2023 10:58:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55666 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234364AbjEBO6B (ORCPT ); Tue, 2 May 2023 10:58:01 -0400 Received: from pku.edu.cn (mx18.pku.edu.cn [162.105.129.181]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CDD1A273A for ; Tue, 2 May 2023 07:57:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pku.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date: Message-Id:MIME-Version:Content-Transfer-Encoding; bh=SLvP7Rm0p5 mMK0mIr4FQLnN1i0z9DL3Tp3K+tqe/eIA=; b=h8e+Y7xfH0Bih7X/qKBRVcpnhw iXeAQFBCKI++TF6ME64yAPLRPbwyxNJzCWG9AsvCLCILupIdcVTOH/PlODzy8O5Q a6RaF5CzTZETWUy6u6UfrvwwMQ9w6pPk0EfFhX+IDwPe46Pq20uH2jNp6/gDaYis nbRv/mu898gkv/Crs= Received: from localhost.localdomain (unknown [10.7.101.92]) by front01 (Coremail) with SMTP id 5oFpogBXX5fjJFFk6i5LAQ--.10226S2; Tue, 02 May 2023 22:57:46 +0800 (CST) From: Ruihan Li To: linux-bluetooth@vger.kernel.org Cc: Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Ruihan Li Subject: [PATCH v3 0/6] Bluetooth: Fix potential double free caused by hci_conn_unlink Date: Tue, 2 May 2023 22:57:31 +0800 Message-Id: <20230502145737.140856-1-lrh2000@pku.edu.cn> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-CM-TRANSID: 5oFpogBXX5fjJFFk6i5LAQ--.10226S2 X-Coremail-Antispam: 1UD129KBjvJXoW7Ww1kZw1DCr1DZry8tF4ktFb_yoW8Xw18pa y3uas8Xa1kJrySqr43Awn7WrWFqws5Zryakrn2q34rJ3yYva18AwsY9Fyj9rWDurZ7GF10 yF1ktrnrKF1DArDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvE1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVWxJVW8Jr1l84ACjcxK6I8E 87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s1lnxkEFVAIw20F6c xK64vIFxWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2Wl Yx0E2Ix0cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbV WUJVW8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc2xSY4AK6svP MxAIw28IcxkI7VAKI48JMxAIw28IcVCjz48v1sIEY20_Kr1UJr1l4I8I3I0E4IkC6x0Yz7 v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF 1VAY17CE14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIx AIcVC0I7IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI 42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWI evJa73UjIFyTuYvjfUFYFADUUUU X-CM-SenderInfo: yssqiiarrvmko6sn3hxhgxhubq/1tbiAgEPBVPy77wh+AAWs0 Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org This patch series contains six fixes related to hci_conn_unlink. The purpose is to prevent merge conflicts between each other. I'm not intentially linking them together. So if any patch is not suitable, please just let me know (I'll be grateful if you can explain the reason). The first three patches are the most important, each fixing a triggerable use-after-free bug (see the report URL for details). And the fourth through sixth patches are a bit more minor, containing mostly tweaks and refactorings. Changes since v2: * Put all fixes, adjustments, and refactorings about hci_conn_unlink in one patch series. Link to v2: * https://lore.kernel.org/linux-bluetooth/20230430180535.168270-1-lrh2000@pku.edu.cn/ See also: * https://lore.kernel.org/linux-bluetooth/20230430171847.156825-1-lrh2000@pku.edu.cn/ Changes since v1: * Resolve merge conflicts. Link to v1: * https://lore.kernel.org/linux-bluetooth/20230430172937.157999-1-lrh2000@pku.edu.cn/ Ruihan Li (6): Bluetooth: Fix potential double free caused by hci_conn_unlink Bluetooth: Refcnt drop must be placed last in hci_conn_unlink Bluetooth: Fix UAF in hci_conn_hash_flush again Bluetooth: Perform hci_conn_drop in hci_conn_unlink Bluetooth: Unlink CISes when LE disconnects in hci_conn_del Bluetooth: Avoid recursion in hci_conn_unlink include/net/bluetooth/hci_core.h | 2 +- net/bluetooth/hci_conn.c | 96 ++++++++++++++++++-------------- 2 files changed, 54 insertions(+), 44 deletions(-)