From: Min Li
To: luiz.dentz@gmail.com
Cc: marcel@holtmann.org, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Bluetooth: HCI: fix use-after-free in hci_remove_ltk/hci_remove_irk
Date: Tue, 23 May 2023 19:56:37 +0800
Message-Id: <20230523115637.14541-1-lm0963hack@gmail.com>
X-Mailer: git-send-email 2.34.1

Similar to commit 0f7d9b31ce7a ("netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()"). We cannot access k after the kfree_rcu() call.

Signed-off-by: Min Li
---
 net/bluetooth/hci_core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a856b1051d35..0164b56de12d 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1416,10 +1416,10 @@ int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type) { - struct smp_ltk *k; + struct smp_ltk *k, *tmp; int removed = 0; - list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { + list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type) continue; 
@@ -1435,9 +1435,9 @@ int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type) void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type) { - struct smp_irk *k; + struct smp_irk *k, *tmp; - list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) { + list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type) continue; -- 2.34.1
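Review bot: In the hci_remove_ltk hunk, replacing list_for_each_entry_rcu() with list_for_each_entry_safe() does stop the iterator from reading k->list.next after k has been handed to kfree_rcu(), but the _safe variant offers no protection against concurrent modification on its own, so the commit message should name the lock the callers hold that serializes this walk, and should make explicit that the removal path keeps using list_del_rcu()/kfree_rcu() so that RCU readers of long_term_keys remain safe; as written, the message only says "Similar to commit 0f7d9b31ce7a" and leaves both points to the reader.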
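Review bot: The hci_remove_irk hunk makes the same iterator change for identity_resolving_keys, yet the commit message describes the bug only by reference to a netfilter commit and carries no Fixes: tag; it should state directly that the _rcu iterator dereferences k after kfree_rcu(k) has queued it for freeing, and add a Fixes: tag pointing at the commit that introduced the RCU traversal in these two functions so that stable maintainers can backport both hunks together.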