Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".

Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.

Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
Reported-by: Cen Zhang <zzzccc427@163.com>
Signed-off-by: Cen Zhang <zzzccc427@163.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Authored by Cen Zhang and committed by Luiz Augusto von Dentz
Commit 09b0cd12 (parent 1ab66581)

+10 -4
net/bluetooth/hci_sync.c
··· 863 863 { 864 864 struct hci_cmd_sync_work_entry *entry; 865 865 866 - entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy); 867 - if (!entry) 868 - return false; 866 + mutex_lock(&hdev->cmd_sync_work_lock); 869 867 870 - hci_cmd_sync_cancel_entry(hdev, entry); 868 + entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy); 869 + if (!entry) { 870 + mutex_unlock(&hdev->cmd_sync_work_lock); 871 + return false; 872 + } 873 + 874 + _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED); 875 + 876 + mutex_unlock(&hdev->cmd_sync_work_lock); 871 877 872 878 return true; 873 879 }
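Review bot: the fix depends on two helpers that are not visible in this hunk, `_hci_cmd_sync_lookup_entry()` and `_hci_cmd_sync_cancel_entry()`; please confirm they are the lock-free variants that expect the caller to already hold `cmd_sync_work_lock` and do not take the mutex themselves, since calling the locked wrappers here would deadlock on the second acquisition. The new call `_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);` also passes an explicit error code where the old `hci_cmd_sync_cancel_entry(hdev, entry);` did not, so a sentence in the commit message confirming that `-ECANCELED` matches what the wrapper previously passed would make it clear that only the locking changes. Finally, the race is closed only if the deleting path in `hci_cmd_sync_work()` performs its `list_del()` under the same `cmd_sync_work_lock`; that side is outside this diff, so it is worth stating in the message that it already does.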