github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
linux/net/bluetooth
History
Michael Bommarito c5d415596c Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem 
Commit dbf666e4fc ("Bluetooth: HIDP: Fix possible UAF") made
hidp_session_remove() drop the L2CAP reference and set
session->conn = NULL once the session is considered removed, and
added a bare if (session->conn) guard around the kthread-exit
l2cap_unregister_user() call in hidp_session_thread().  The sibling
ioctl site in hidp_connection_del() still reads session->conn
unlocked and unguarded, and the kthread-exit guard itself is a
lockless double-read.

hidp_session_find() drops hidp_session_sem before returning, so
hidp_session_remove() can null session->conn between the lookup and
the call in hidp_connection_del().  Worse, since commit 752a6c9596
("Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user")
takes mutex_lock(&conn->lock) inside l2cap_unregister_user(), a
stale non-NULL snapshot also UAFs on conn->lock.  v1 only added an
if (session->conn) guard at the ioctl site, which doesn't address
either race; Luiz suggested snapshotting session->conn under the
sem and clearing it before the call.

Taking hidp_session_sem across l2cap_unregister_user() would be
wrong: l2cap_conn_del() already establishes the lock order

  conn->lock -> hidp_session_sem

via l2cap_unregister_all_users() -> user->remove ==
hidp_session_remove(), so taking hidp_session_sem before conn->lock
would AB/BA deadlock.

Factor a helper hidp_session_unregister_conn() that under
down_write(&hidp_session_sem) snapshots session->conn and clears
the member, then outside the sem calls l2cap_unregister_user() and
l2cap_conn_put() on the snapshot.  Call it from both
hidp_connection_del() and hidp_session_thread()'s exit path.  At
most one consumer wins the write-sem; later callers observe
session->conn == NULL and skip the unregister and put, so the
reference hidp_session_new() took via l2cap_conn_get() is consumed
exactly once.  session_free() already tolerates a NULL session->conn.

Fixes: dbf666e4fc ("Bluetooth: HIDP: Fix possible UAF")
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Link: https://lore.kernel.org/all/20260422011437.176643-1-michael.bommarito@gmail.com/
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-05-06 16:27:53 -04:00
..
bnep Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling 2026-05-06 16:19:09 -04:00
hidp Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem 2026-05-06 16:27:53 -04:00
rfcomm Bluetooth: RFCOMM: pull credit byte with skb_pull_data() 2026-05-06 16:23:20 -04:00
6lowpan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
af_bluetooth.c net: change sock.sk_ino and sock_i_ino() to u64 2026-03-06 14:31:26 +01:00
aosp.c Bluetooth: aosp: Fix typo in comment 2025-07-23 10:30:18 -04:00
aosp.h
coredump.c Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv 2025-07-23 10:33:57 -04:00
ecdh_helper.c Bluetooth: Use crypto_wait_req 2023-02-13 18:34:48 +08:00
ecdh_helper.h
eir.c Bluetooth: eir: Fix possible crashes on eir_create_adv_data 2025-06-11 16:29:22 -04:00
eir.h Bluetooth: eir: Fix possible crashes on eir_create_adv_data 2025-06-11 16:29:22 -04:00
hci_codec.c
hci_codec.h
hci_conn.c Bluetooth: l2cap: defer conn param update to avoid conn->lock/hdev->lock inversion 2026-05-06 16:20:51 -04:00
hci_core.c Bluetooth: hci_core: Rate limit the logging of invalid ISO handle 2026-04-10 10:20:04 -04:00
hci_debugfs.c Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap 2025-07-16 15:37:53 -04:00
hci_debugfs.h
hci_drv.c Bluetooth: Introduce HCI Driver protocol 2025-05-21 10:28:07 -04:00
hci_event.c Bluetooth: hci_event: fix memset typo 2026-05-06 16:27:29 -04:00
hci_sock.c Bluetooth: purge error queues in socket destructors 2026-02-23 15:30:16 -05:00
hci_sync.c Bluetooth: hci_sync: make hci_cmd_sync_run_once return -EEXIST if exists 2026-04-13 09:18:16 -04:00
hci_sysfs.c Bluetooth: Allow reset via sysfs 2025-01-15 10:37:07 -05:00
iso.c Bluetooth: ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths 2026-05-06 16:22:05 -04:00
Kconfig net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
l2cap_core.c Bluetooth: l2cap: defer conn param update to avoid conn->lock/hdev->lock inversion 2026-05-06 16:20:51 -04:00
l2cap_sock.c Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() 2026-05-06 16:21:09 -04:00
leds.c Bluetooth: Use led_set_brightness() in LED trigger activate() callback 2024-09-10 13:06:11 -04:00
leds.h
lib.c Bluetooth: Fix typos in comments 2025-07-23 10:30:48 -04:00
Makefile net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
mgmt_config.c Bluetooth: mgmt: Add idle_timeout to configurable system parameters 2026-01-29 13:24:22 -05:00
mgmt_config.h
mgmt_util.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
mgmt_util.h Bluetooth: MGMT: Fix possible UAFs 2025-09-22 10:30:00 -04:00
mgmt.c Bluetooth: MGMT: validate mesh send advertising payload length 2026-04-01 16:47:19 -04:00
msft.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
msft.h Bluetooth: msft: fix slab-use-after-free in msft_do_close() 2024-05-03 13:05:28 -04:00
sco.c Bluetooth: SCO: hold sk properly in sco_conn_ready 2026-05-06 16:21:25 -04:00
selftest.c
selftest.h
smp.c Bluetooth: SMP: derive legacy responder STK authentication from MITM state 2026-04-01 16:48:06 -04:00
smp.h Bluetooth: SMP: If an unallowed command is received consider it a failure 2025-07-16 15:33:30 -04:00