| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250928110740.137220-1-zzzccc427@163.com>
Date: Sun, 28 Sep 2025 11:07:40 +0000
From: Cen Zhang <zzzccc427@....com>
To: Luiz Augusto von Dentz <luiz.dentz@...il.com>,
johan.hedberg@...il.com,
marcel@...tmann.org
Cc: linux-kernel@...r.kernel.org,
linux-bluetooth@...r.kernel.org,
Cen Zhang <zzzccc427@...il.com>
Subject: [PATCH] Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
From: Cen Zhang <zzzccc427@...il.com>
hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".
Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.
Reported-by: Cen Zhang <zzzccc427@...il.com>
Signed-off-by: Cen Zhang <zzzccc427@...il.com>
---
net/bluetooth/hci_sync.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index b6f888d83..f059b19fe 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -862,12 +862,13 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
void *data, hci_cmd_sync_work_destroy_t destroy)
{
struct hci_cmd_sync_work_entry *entry;
-
- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+ mutex_lock(&hdev->cmd_sync_work_lock);
+ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
if (!entry)
return false;
- hci_cmd_sync_cancel_entry(hdev, entry);
+ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+ mutex_unlock(&hdev->cmd_sync_work_lock);
return true;
}
--
2.43.0
Powered by blists - more mailing lists