diff options
| author |   Lin Ma <linma@zju.edu.cn> | 2021-05-30 21:37:43 +0800 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-06-10 13:37:09 +0200 |
| commit | b6f97555c71f78288682bc967121572f10715c89 (patch) | |
| tree | 8200689e7512b780bdceb3254c78babc5b77f7e3 | |
| parent | Bluetooth: fix the erroneous flush_work() order (diff) | |
| download | wireguard-linux-b6f97555c71f78288682bc967121572f10715c89.tar.xz wireguard-linux-b6f97555c71f78288682bc967121572f10715c89.zip | |
Bluetooth: use correct lock to prevent UAF of hdev object
commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.
The hci_sock_dev_event() function will cleanup the hdev object for
sockets even if this object may still be in used within the
hci_sock_bound_ioctl() function, result in UAF vulnerability.
This patch replace the BH context lock to serialize these affairs
and prevent the race condition.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | net/bluetooth/hci_sock.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 8159b344deef..8d2c26c4b6d3 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { - bh_lock_sock_nested(sk); + lock_sock(sk); if (hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; @@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) hci_dev_put(hdev); } - bh_unlock_sock(sk); + release_sock(sk); } read_unlock(&hci_sk_list.lock); } |