Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO.  In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.

Fix by holding the lock.

Fixes: 70c464256310 ("Bluetooth: Refactor connection request handling")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 3ebc5e6d45d98a061809d90847a13894d27518be..83248085dd4f217e6065454ae544459e94a18374 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3340,8 +3340,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
 
        memcpy(conn->dev_class, ev->dev_class, 3);
 
-       hci_dev_unlock(hdev);
-
        if (ev->link_type == ACL_LINK ||
            (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
                struct hci_cp_accept_conn_req cp;
@@ -3375,7 +3373,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
                hci_connect_cfm(conn, 0);
        }
 
-       return;
 unlock:
        hci_dev_unlock(hdev);
 }