Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails

[ Upstream commit 1fa20d7d4aad02206e84b74915819fbe9f81dab3 ]

The use of l2cap_chan_del is not safe under a loop using
list_for_each_entry.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index cdc3863..1752013 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6237,7 +6237,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
                                         struct l2cap_cmd_hdr *cmd, u16 cmd_len,
                                         u8 *data)
 {
-       struct l2cap_chan *chan;
+       struct l2cap_chan *chan, *tmp;
        struct l2cap_ecred_conn_rsp *rsp = (void *) data;
        u16 result;
 
@@ -6251,7 +6251,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
        if (!result)
                return 0;
 
-       list_for_each_entry(chan, &conn->chan_l, list) {
+       list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
                if (chan->ident != cmd->ident)
                        continue;