Bluetooth: use correct lock to prevent UAF of hdev object

commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream. The hci_sock_dev_event() function will cleanup the hdev object for sockets even if this object may still be in used within the hci_sock_bound_ioctl() function, result in UAF vulnerability. This patch replace the BH context lock to serialize these affairs and prevent the race condition. Signed-off-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Lin Ma <linma@zju.edu.cn> 2021-05-30 16:37:43 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-10 14:24:05 +0300
commit: 2b9e9c2ed0f1910b5201c5d37b355b60201df415 (patch)
tree: ba67fa9d8cdeb4424aec42efbcb1f375bbc16d94
parent: 64700748e8a7af4883538c72ada57999d9a78e92 (diff)
download: linux-2b9e9c2ed0f1910b5201c5d37b355b60201df415.tar.xz
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index e506c51ff765..06156de24c50 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 		/* Detach sockets from device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, &hci_sk_list.head) {
-			bh_lock_sock_nested(sk);
+			lock_sock(sk);
 			if (hci_pi(sk)->hdev == hdev) {
 				hci_pi(sk)->hdev = NULL;
 				sk->sk_err = EPIPE;
@@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 
 				hci_dev_put(hdev);
 			}
-			bh_unlock_sock(sk);
+			release_sock(sk);
 		}
 		read_unlock(&hci_sk_list.lock);
 	}
author	Lin Ma <linma@zju.edu.cn>	2021-05-30 16:37:43 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 14:24:05 +0300
commit	2b9e9c2ed0f1910b5201c5d37b355b60201df415 (patch)
tree	ba67fa9d8cdeb4424aec42efbcb1f375bbc16d94
parent	64700748e8a7af4883538c72ada57999d9a78e92 (diff)
download	linux-2b9e9c2ed0f1910b5201c5d37b355b60201df415.tar.xz