mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-12-28 06:44:36 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
79a2d4678ba90bdba577dc3af88cc900d6dcd5ee
linux/net
History
Pauli Virtanen 79a2d4678b Bluetooth: hci_core: lookup hci_conn on RX path on protocol side 
The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't
ensure hci_conn* is not concurrently modified/deleted. This locking
appears to be leftover from before conn_hash started using RCU
commit bf4c632524 ("Bluetooth: convert conn hash to RCU")
and not clear if it had purpose since then.

Currently, there are code paths that delete hci_conn* from elsewhere
than the ordered hdev->workqueue where the RX work runs in. E.g.
commit 5af1f84ed1 ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
introduced some of these, and there probably were a few others before
it.  It's better to do the locking so that even if these run
concurrently no UAF is possible.

Move the lookup of hci_conn and associated socket-specific conn to
protocol recv handlers, and do them within a single critical section
to cover hci_conn* usage and lookup.

syzkaller has reported a crash that appears to be this issue:

    [Task hdev->workqueue]          [Task 2]
                                    hci_disconnect_all_sync
    l2cap_recv_acldata(hcon)
                                      hci_conn_get(hcon)
                                      hci_abort_conn_sync(hcon)
                                        hci_dev_lock
      hci_dev_lock
                                        hci_conn_del(hcon)
      v-------------------------------- hci_dev_unlock
                                      hci_conn_put(hcon)
      conn = hcon->l2cap_data (UAF)

Fixes: 5af1f84ed1 ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync")
Reported-by: syzbot+d32d77220b92eddd89ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d32d77220b92eddd89ad
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2025-11-20 17:01:09 -05:00
..
6lowpan
net: replace ND_PRINTK with dynamic debug
2025-07-10 15:27:32 -07:00
9p
9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN
2025-09-19 16:34:51 +09:00
802
8021q
net: vlan: sync VLAN features with lower device
2025-10-31 17:42:35 -07:00
appletalk
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2025-07-24 11:10:46 -07:00
atm
net: atm: fix memory leak in atm_register_sysfs when device_register fail
2025-09-04 09:53:44 +02:00
ax25
ax25: properly unshare skbs in ax25_kiss_rcv()
2025-09-03 17:06:30 -07:00
batman-adv
Merge tag 'batadv-net-pullrequest-20251024' of https://git.open-mesh.org/linux-merge
2025-10-27 18:00:54 -07:00
bluetooth
Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
2025-11-20 17:01:09 -05:00
bpf
bpf: Do not disable preemption in bpf_test_run().
2025-10-17 11:29:35 -07:00
bridge
net: bridge: fix MST static key usage
2025-11-06 07:32:17 -08:00
caif
caif: Replace memset(0) + strscpy() with strscpy_pad()
2025-08-12 14:08:56 -07:00
can
can: j1939: add missing calls in NETDEV_UNREGISTER notification handler
2025-10-13 21:26:31 +02:00
ceph
Merge tag 'ceph-for-6.18-rc1' of https://github.com/ceph/ceph-client
2025-10-10 11:30:19 -07:00
core
net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
2025-11-13 17:23:21 -08:00
dcb
Revert "Documentation: net: add flow control guide and document ethtool API"
2025-10-01 09:48:21 +02:00
devlink
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
2025-11-18 17:12:21 -08:00
dns_resolver
dsa
net: dsa: tag_brcm: do not mark link local traffic as offloaded
2025-11-10 17:04:19 -08:00
ethernet
ethernet: Extend device_get_mac_address() to use NVMEM
2025-09-15 18:34:08 -07:00
ethtool
Revert "Documentation: net: add flow control guide and document ethtool API"
2025-10-01 09:48:21 +02:00
handshake
net/handshake: Fix memory leak in tls_handshake_accept()
2025-11-10 17:53:47 -08:00
hsr
hsr: Follow standard for HSRv0 supervision frames
2025-11-13 15:55:04 +01:00
ieee802154
ife
ipv4
Merge tag 'ipsec-2025-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
2025-11-18 17:58:44 -08:00
ipv6
xfrm: Determine inner GSO type from packet inner protocol
2025-10-30 11:52:31 +01:00
iucv
net: add sk_drops_read(), sk_drops_inc() and sk_drops_reset() helpers
2025-08-28 13:14:50 +02:00
kcm
net: kcm: Fix race condition in kcm_unattach()
2025-08-13 18:18:33 -07:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2025-07-24 11:10:46 -07:00
l2tp
l2tp: reset skb control buffer on xmit
2025-11-20 11:52:24 +01:00
l3mdev
lapb
llc
net: make sk->sk_rcvtimeo lockless
2025-06-23 17:05:12 -07:00
mac80211
wifi: mac80211: skip rate verification for not captured PSDUs
2025-11-11 09:25:17 +01:00
mac802154
mctp
net: mctp: fix typo in comment
2025-09-08 17:47:57 -07:00
mpls
net: s/dev_get_flags/netif_get_flags/
2025-07-18 17:27:47 -07:00
mptcp
Merge tag 'net-6.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2025-11-20 08:52:07 -08:00
ncsi
net: ncsi: Fix buffer overflow in fetching version id
2025-06-12 18:21:59 -07:00
netfilter
netfilter: nft_ct: add seqadj extension for natted connections
2025-10-29 14:47:59 +01:00
netlabel
audit: add record for multiple task security contexts
2025-08-30 10:15:30 -04:00
netlink
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2025-09-11 17:40:13 -07:00
netrom
nfc
net: nfc: nci: Add parameter validation for packet data
2025-09-30 10:27:14 +02:00
nsh
openvswitch
net: openvswitch: remove never-working support for setting nsh fields
2025-11-14 18:13:24 -08:00
packet
net: af_packet: Use hrtimer to do the retire operation
2025-09-11 18:40:06 -07:00
phonet
net: add sk_drops_read(), sk_drops_inc() and sk_drops_reset() helpers
2025-08-28 13:14:50 +02:00
psample
psp
net: psp: don't assume reply skbs will have a socket
2025-10-03 10:23:50 -07:00
qrtr
rds
net: WQ_PERCPU added to alloc_workqueue users
2025-09-22 17:40:30 -07:00
rfkill
net: replace use of system_wq with system_percpu_wq
2025-09-22 17:40:30 -07:00
rose
net: rose: fix a typo in rose_clear_routes()
2025-08-27 17:27:52 -07:00
rxrpc
net: WQ_PERCPU added to alloc_workqueue users
2025-09-22 17:40:30 -07:00
sched
Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
2025-11-14 15:39:39 -08:00
sctp
sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
2025-11-10 16:21:05 -08:00
shaper
smc
net/smc: fix mismatch between CLC header and proposal
2025-11-10 17:52:09 -08:00
strparser
strparser: Fix signed/unsigned mismatch bug
2025-11-07 18:17:16 -08:00
sunrpc
Merge tag 'nfsd-6.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2025-11-12 18:41:01 -08:00
switchdev
tipc
tipc: Fix use-after-free in tipc_mon_reinit_self().
2025-11-10 18:14:40 -08:00
tls
net: tls: Cancel RX async resync request on rcd_delta overflow
2025-10-29 18:32:18 -07:00
unix
af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic().
2025-11-18 19:19:09 -08:00
vmw_vsock
vsock: Ignore signal/timeout on connect() if already established
2025-11-20 07:40:06 -08:00
wireless
wifi: cfg80211: add an hrtimer based delayed work item
2025-10-28 14:56:30 +01:00
x25
net/x25: Remove unused x25_terminate_link()
2025-07-14 17:19:13 -07:00
xdp
xsk: Harden userspace-supplied xdp_desc validation
2025-10-10 10:07:48 -07:00
xfrm
Merge tag 'ipsec-2025-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
2025-11-18 17:58:44 -08:00
compat.c
devres.c
Kconfig
dibs: Create drivers/dibs
2025-09-23 11:13:21 +02:00
Kconfig.debug
Makefile
psp: base PSP device support
2025-09-18 12:32:06 +02:00
socket.c
Merge tag 'net-next-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2025-10-02 15:17:01 -07:00
sysctl_net.c