Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once - wireguard-linux

diff options

author	Cen Zhang <zzzccc427@163.com>	2025-09-29 05:30:17 +0000
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2025-10-24 10:20:15 -0400
commit	09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 (patch)
tree	5b11afe1ca5cc08cbdb03979683bb9b57e80566b /include/uapi/linux/byteorder/ssh:/git@git.zx2c4.com
parent	virtio-net: drop the multi-buffer XDP packet in zerocopy (diff)

Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently. Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue") Reported-by: Cen Zhang <zzzccc427@163.com> Signed-off-by: Cen Zhang <zzzccc427@163.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Diffstat (limited to 'include/uapi/linux/byteorder/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: