Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp6772036rdb; Fri, 15 Dec 2023 08:00:33 -0800 (PST) X-Google-Smtp-Source: AGHT+IHh6Th+QksGgnYO7njlAjlWPwhVTAEVybNF5InZT6mANU4aIGt6Bw9upeAKigaX35Jdljz3 X-Received: by 2002:a17:906:2241:b0:a1a:c370:221f with SMTP id 1-20020a170906224100b00a1ac370221fmr5067266ejr.28.1702656033058; Fri, 15 Dec 2023 08:00:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702656033; cv=none; d=google.com; s=arc-20160816; b=AAR+Pny174E0ze8X96ZFDgBl6bYmlUJyZucVUPfDpr5BgZDcYzbuygCPCssD0d9kFy gfrWryaQL+yd0Wt20LJPtfqEngOvkaSRYME3HfdNafCMBB/OvbhzpV2Hg41onPdOfGNr YwtmRZL36qSGHjsHe6iwH3QEoBgteSdbzKuMC3154HmL8rFeEhwHmB10H8HFKFa15Q7r 22DTc6Rl/Gxc64Yk5w+qk/8txlNY5dtnNpABI7FXI3tg9+Uiro301JNwDXoDau89U+MR amoMtP264GrrLRaBdWkhNMdfRJENPj0vOYQpcAiBJDeNK0yNTXe0IWWXsE74vZre+3Nb ddRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:in-reply-to:references:date:message-id:from:subject :content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:dkim-signature; bh=drLJjboAQFYzjctN4HIRkiaMqvMNIGWCRfrK1rvm06Y=; fh=YU91YMpInMTQhCvj6TvAnuJ2vmb+Y6aSvZtHxx0AjYs=; b=HFmij9SjZS4KWjltHP7hbNsd3eu8/FzEqx4HVmyi10SI+HYhL4DQiMMe1XxoD4YZMQ hADSnY13jYFIFszSbwnVDSJoLQ3Luamjnh8lXjc8IYaKaagS9kAxqyRiARBbXcgMVURp yNcrTHGccrVPwfBwtDMAzv7jY7B44RO0qo97H1gWfKpSflkJUWkv6tDwPj4bbsJ2ZWsK IcyjI8Jm5VR2qil7bIj7yowVIsggRNHTfPqWGOaqs0/DxUOpGhzSwVWvtPPMFJMx5b3H AUdFobhHN9w2z77hMU8TrjF9MiXhe6rcnL8t3M8RavVexkjWYSP9WiZxub1lmp+N3ZG5 s0Cw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=sZaQGjR9; spf=pass (google.com: domain of linux-bluetooth+bounces-613-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-613-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id p7-20020a17090628c700b00a23169c0d3fsi923360ejd.802.2023.12.15.08.00.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Dec 2023 08:00:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-613-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=sZaQGjR9; spf=pass (google.com: domain of linux-bluetooth+bounces-613-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-613-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id D027D1F24981 for ; Fri, 15 Dec 2023 16:00:32 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id F41EF39FEA; Fri, 15 Dec 2023 16:00:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="sZaQGjR9" X-Original-To: linux-bluetooth@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 670033A8D5 for ; Fri, 15 Dec 2023 16:00:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPS id F2360C433C8; Fri, 15 Dec 2023 16:00:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1702656026; bh=9sVGji5Epvw1S7eapYLpbTwoM5al5bNEOTgtt4SOvO4=; h=Subject:From:Date:References:In-Reply-To:To:Cc:From; b=sZaQGjR9c19TdkTCnv0APKaXz+aNXo1egGCrRP7PaLlFtS/yNUuuC7uUtiLzPISea ZYTRnWNS32VuCDe57So0v5RHvOYzpMn/qiu3nEqDZTxZFg3LQIE4qquNZBt58SmRpj 7dp9GH+j+i8D/5FbgjqUJse4bYhjOVup+vuQ1ubrJluk3CJbvRbkpNXJJoxWKKAwH8 wBSqWuFaaHFbrGrjDSp+A0ie71kaF6RppZv6HTIynoQRBL+puTtRx2/4wB67+vRXBS B41ZfAFv0e/SPJx/qJsYC8cZ/C7+0XehuDRDLZyHCWt5ubJp2YBLkipGXeZj1Z7ZgP Hy58XOrL+8RFQ== Received: from aws-us-west-2-korg-oddjob-1.ci.codeaurora.org (localhost.localdomain [127.0.0.1]) by aws-us-west-2-korg-oddjob-1.ci.codeaurora.org (Postfix) with ESMTP id DC0FDC4166E; Fri, 15 Dec 2023 16:00:25 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: Re: [PATCH v2] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg From: patchwork-bot+bluetooth@kernel.org Message-Id: <170265602589.22720.8309217075489314107.git-patchwork-notify@kernel.org> Date: Fri, 15 Dec 2023 16:00:25 +0000 References: <20231209105518.GA408904@v4bel-B760M-AORUS-ELITE-AX> In-Reply-To: <20231209105518.GA408904@v4bel-B760M-AORUS-ELITE-AX> To: Hyunwoo Kim Cc: marcel@holtmann.org, luiz.dentz@gmail.com, imv4bel@gmail.com, johan.hedberg@gmail.com, linux-bluetooth@vger.kernel.org Hello: This patch was applied to bluetooth/bluetooth-next.git (master) by Luiz Augusto von Dentz : On Sat, 9 Dec 2023 05:55:18 -0500 you wrote: > This can cause a race with bt_sock_ioctl() because > bt_sock_recvmsg() gets the skb from sk->sk_receive_queue > and then frees it without holding lock_sock. > A use-after-free for a skb occurs with the following flow. > ``` > bt_sock_recvmsg() -> skb_recv_datagram() -> skb_free_datagram() > bt_sock_ioctl() -> skb_peek() > ``` > Add lock_sock to bt_sock_recvmsg() to fix this issue. > > [...] Here is the summary with links: - [v2] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg https://git.kernel.org/bluetooth/bluetooth-next/c/63b55655d30b You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html