Syzkaller reports use-after-free in hci_cmd_timeout(). The bug was fixed
in the following patch and can be cleanly applied to 6.1 stable tree.
Due to some technical rearrangement, the fix for older stable branches
requires a different patch which I'll send you in another thread.
From: Archie Pusaka <[email protected]>
commit 97dfaf073f5881c624856ef293be307b6166115c upstream.
If a command is already sent, we take care of freeing it, but we
also need to cancel the timeout as well.
Signed-off-by: Archie Pusaka <[email protected]>
Reviewed-by: Abhishek Pandit-Subedi <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Fedor Pchelkin <[email protected]>
---
net/bluetooth/hci_sync.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 8d6c8cbfe1de..aab3d85f4637 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -4703,6 +4703,7 @@ int hci_dev_open_sync(struct hci_dev *hdev)
hdev->flush(hdev);
if (hdev->sent_cmd) {
+ cancel_delayed_work_sync(&hdev->cmd_timer);
kfree_skb(hdev->sent_cmd);
hdev->sent_cmd = NULL;
}
--
2.34.1
On Thu, Jan 26, 2023 at 04:36:12PM +0300, Fedor Pchelkin wrote:
>Syzkaller reports use-after-free in hci_cmd_timeout(). The bug was fixed
>in the following patch and can be cleanly applied to 6.1 stable tree.
>
>Due to some technical rearrangement, the fix for older stable branches
>requires a different patch which I'll send you in another thread.
Queued up, thanks!
--
Thanks,
Sasha