From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lin Ma, Marcel Holtmann, Sasha Levin, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 08/15] Bluetooth: use correct lock to prevent UAF of hdev object
Date: Mon, 7 Jun 2021 12:15:36 -0400
Message-Id: <20210607161543.3584778-8-sashal@kernel.org>
In-Reply-To: <20210607161543.3584778-1-sashal@kernel.org>
References: <20210607161543.3584778-1-sashal@kernel.org>
X-stable: review
X-Mailing-List: linux-bluetooth@vger.kernel.org

From: Lin Ma

[ Upstream commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 ]

The hci_sock_dev_event() function will clean up the hdev object for
sockets even if this object may still be in use within the
hci_sock_bound_ioctl() function, resulting in a UAF vulnerability.

This patch replaces the BH context lock to serialize these affairs and
prevent the race condition.

Signed-off-by: Lin Ma
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
 net/bluetooth/hci_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 44b3146c6117..35f5585188de 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 		/* Detach sockets from device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, &hci_sk_list.head) {
-			bh_lock_sock_nested(sk);
+			lock_sock(sk);
 			if (hci_pi(sk)->hdev == hdev) {
 				hci_pi(sk)->hdev = NULL;
 				sk->sk_err = EPIPE;
@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 
 				hci_dev_put(hdev);
 			}
-			bh_unlock_sock(sk);
+			release_sock(sk);
 		}
 		read_unlock(&hci_sk_list.lock);
 	}
-- 
2.30.2
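Review bot: lock_sock() in the first hunk can sleep (it acquires the socket owner lock and waits if another context holds it), yet the surrounding context lines show it is called inside the read_lock(&hci_sk_list.lock) ... read_unlock(&hci_sk_list.lock) section, which is a spinning rwlock; the second hunk's release_sock() sits inside the same section. As written, the change trades the UAF for a sleep-in-atomic-context hazard on the HCI_DEV_UNREG path. Suggest restructuring so that the per-socket lock_sock()/release_sock() pair runs outside the rwlock read section (for example, hold a reference to the socket while walking hci_sk_list under the rwlock, drop the rwlock, then lock the socket and clear hci_pi(sk)->hdev), and state in the description why the BH lock was insufficient so stable reviewers can judge the backport.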