diff options
| author |   Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2023-08-03 11:04:51 -0700 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2023-08-11 11:53:30 -0700 |
| commit | 5af1f84ed13a416297ab9ced7537f4d5ae7f329a (patch) | |
| tree | da60012b3761c73840e92ff09f07ada2c3bed564 /tools/perf/scripts/python/exported-sql-viewer.py | |
| parent | Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL (diff) | |
| download | wireguard-linux-5af1f84ed13a416297ab9ced7537f4d5ae7f329a.tar.xz wireguard-linux-5af1f84ed13a416297ab9ced7537f4d5ae7f329a.zip | |
Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
Connections may be cleanup while waiting for the commands to complete so
this attempts to check if the connection handle remains valid in case of
errors that would lead to call hci_conn_failed:
BUG: KASAN: slab-use-after-free in hci_conn_failed+0x1f/0x160
Read of size 8 at addr ffff888001376958 by task kworker/u3:0/52
CPU: 0 PID: 52 Comm: kworker/u3:0 Not tainted
6.5.0-rc1-00527-g2dfe76d58d3a #5615
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x1d/0x70
print_report+0xce/0x620
? __virt_addr_valid+0xd4/0x150
? hci_conn_failed+0x1f/0x160
kasan_report+0xd1/0x100
? hci_conn_failed+0x1f/0x160
hci_conn_failed+0x1f/0x160
hci_abort_conn_sync+0x237/0x360
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'tools/perf/scripts/python/exported-sql-viewer.py')
0 files changed, 0 insertions, 0 deletions