[PW_SID:1069344] Bluetooth: L2CAP: Fix use-after-free in l2cap_chan_timeout()

[BluezTestBot]

l2cap_chan_timeout() reads chan->conn without holding any lock and
without taking a reference on the connection. If l2cap_conn_del()
frees the connection concurrently, mutex_lock(&conn->lock) operates
on freed memory. The existing NULL check is insufficient as it cannot
prevent the connection from being freed after the check passes, and
the early return also leaks the channel reference held by the timer.

Fix by reading chan->conn under l2cap_chan_lock() and holding the
connection with l2cap_conn_get(). After acquiring locks in the correct
order (conn->lock then chan->lock), re-verify chan->conn in case
l2cap_conn_del() already cleaned up the channel.

Fixes: 3df91ea ("Bluetooth: Revert to mutexes from RCU list")
Signed-off-by: Hyunwoo Kim imv4bel@gmail.com

net/bluetooth/l2cap_core.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)

[github-actions]

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.43 seconds
Result: PENDING

[github-actions]

GitLint
Desc: Run gitlint
Duration: 0.35 seconds
Result: PENDING

[github-actions]

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.10 seconds
Result: PASS

[github-actions]

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.02 seconds
Result: PASS

[github-actions]

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.79 seconds
Result: PASS

[github-actions]

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 26.74 seconds
Result: PASS

[github-actions]

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.54 seconds
Result: PASS

[github-actions]

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 530.44 seconds
Result: PASS

[github-actions]

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 27.95 seconds
Result: PASS

[github-actions]

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 31.28 seconds
Result: FAIL
Output:

BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0

[github-actions]

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.51 seconds
Result: PASS

[github-actions]

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 112.54 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.106 seconds

[github-actions]

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.59 seconds
Result: PASS

[github-actions]

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.31 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

[github-actions]

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.19 seconds
Result: PASS

[github-actions]

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 12.46 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.754 seconds
Mesh - Send cancel - 2                               Timed out    2.000 seconds

[github-actions]

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 10.69 seconds
Result: PASS

[github-actions]

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.99 seconds
Result: PASS

[github-actions]

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.80 seconds
Result: PENDING