Bluetooth: hci_sync: always check if connection is alive before deleting

In hci_abort_conn_sync it is possible that conn is deleted concurrently
by something else, also e.g. when waiting for hdev->lock.  This causes
double deletion of the conn, so UAF or conn_hash.list corruption.

Fix by having all code paths check that the connection is still in
conn_hash before deleting it, while holding hdev->lock which prevents
any races.

Log (when powering off while BAP streaming, occurs rarely):
=======================================================================
kernel BUG at lib/list_debug.c:56!
...
 ? __list_del_entry_valid (lib/list_debug.c:56)
 hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth
 hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth
 ? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth]
 ? lock_release+0x1d5/0x3c0
 ? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __kmem_cache_free+0x14d/0x2e0
 hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth]
 ? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth]
 ? hci_clear_adv_sync+0x14f/0x170 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x293/0x450 [bluetooth]
=======================================================================

Fixes: 94d9ba9f9888 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index d06e07a..a15ab0b 100644 (file)
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5369,6 +5369,7 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
 {
        int err = 0;
        u16 handle = conn->handle;
+       bool disconnect = false;
        struct hci_conn *c;
 
        switch (conn->state) {
@@ -5399,24 +5400,15 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
                hci_dev_unlock(hdev);
                return 0;
        case BT_BOUND:
-               hci_dev_lock(hdev);
-               hci_conn_failed(conn, reason);
-               hci_dev_unlock(hdev);
-               return 0;
+               break;
        default:
-               hci_dev_lock(hdev);
-               conn->state = BT_CLOSED;
-               hci_disconn_cfm(conn, reason);
-               hci_conn_del(conn);
-               hci_dev_unlock(hdev);
-               return 0;
+               disconnect = true;
+               break;
        }
 
        hci_dev_lock(hdev);
 
-       /* Check if the connection hasn't been cleanup while waiting
-        * commands to complete.
-        */
+       /* Check if the connection has been cleaned up concurrently */
        c = hci_conn_hash_lookup_handle(hdev, handle);
        if (!c || c != conn) {
                err = 0;
@@ -5428,7 +5420,13 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
         * or in case of LE it was still scanning so it can be cleanup
         * safely.
         */
-       hci_conn_failed(conn, reason);
+       if (disconnect) {
+               conn->state = BT_CLOSED;
+               hci_disconn_cfm(conn, reason);
+               hci_conn_del(conn);
+       } else {
+               hci_conn_failed(conn, reason);
+       }
 
 unlock:
        hci_dev_unlock(hdev);