[PATCH] Bluetooth: hci_conn: fix potential double free in le_scan_cleanup()

From: Jianglei Nie
Date: Thu May 26 2022 - 05:50:18 EST

Next message: Mark Rutland: "Re: [PATCH -next v4 3/7] arm64: add support for machine check error safe"
Previous message: Xu Kuohai: "Re: [PATCH bpf-next v5 4/6] bpf, arm64: Impelment bpf_arch_text_poke() for arm64"
Next in thread: Paolo Abeni: "Re: [PATCH] Bluetooth: hci_conn: fix potential double free in le_scan_cleanup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When "c == conn" is true, hci_conn_cleanup() is called. The
hci_conn_cleanup() calls hci_dev_put() and hci_conn_put() in
its function implementation. hci_dev_put() and hci_conn_put()
will free the relevant resource if the reference count reaches
zero, which may lead to a double free when hci_dev_put() and
hci_conn_put() are called again.

We should add a return to this function after hci_conn_cleanup()
is called.

Signed-off-by: Jianglei Nie <niejianglei2021@xxxxxxx>
---
net/bluetooth/hci_conn.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index fe803bee419a..7b3e91eb9fa3 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -166,6 +166,7 @@ static void le_scan_cleanup(struct work_struct *work)
if (c == conn) {
hci_connect_le_scan_cleanup(conn);
hci_conn_cleanup(conn);
+ return;
}

hci_dev_unlock(hdev);
--
2.25.1

Next message: Mark Rutland: "Re: [PATCH -next v4 3/7] arm64: add support for machine check error safe"
Previous message: Xu Kuohai: "Re: [PATCH bpf-next v5 4/6] bpf, arm64: Impelment bpf_arch_text_poke() for arm64"
Next in thread: Paolo Abeni: "Re: [PATCH] Bluetooth: hci_conn: fix potential double free in le_scan_cleanup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]