Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-10-23 13:40:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
f7b94bdc1e
linux/net/bluetooth
History
Luiz Augusto von Dentz f7b94bdc1e Bluetooth: af_bluetooth: Fix deadlock 
Attemting to do sock_lock on .recvmsg may cause a deadlock as shown
bellow, so instead of using sock_sock this uses sk_receive_queue.lock
on bt_sock_ioctl to avoid the UAF:

INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
      Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 __schedule+0x37d/0xa00
 schedule+0x32/0xe0
 __lock_sock+0x68/0xa0
 ? __pfx_autoremove_wake_function+0x10/0x10
 lock_sock_nested+0x43/0x50
 l2cap_sock_recv_cb+0x21/0xa0
 l2cap_recv_frame+0x55b/0x30a0
 ? psi_task_switch+0xeb/0x270
 ? finish_task_switch.isra.0+0x93/0x2a0
 hci_rx_work+0x33a/0x3f0
 process_one_work+0x13a/0x2f0
 worker_thread+0x2f0/0x410
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe0/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Fixes: 2e07e8348e ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-03-06 17:26:25 -05:00
..
bnep Bluetooth: bnep: Fix out-of-bound access 2024-03-06 17:26:24 -05:00
cmtp Merge branch 'signal-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2022-01-17 05:49:30 +02:00
hidp Bluetooth: Init sk_peer_* on bt_sock_alloc 2023-08-11 11:37:22 -07:00
rfcomm Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security 2024-02-28 09:42:26 -05:00
6lowpan.c Bluetooth: constify the struct device_type usage 2024-03-06 17:24:07 -05:00
af_bluetooth.c Bluetooth: af_bluetooth: Fix deadlock 2024-03-06 17:26:25 -05:00
aosp.c Bluetooth: Fix null pointer deref on unexpected status event 2022-08-08 17:04:37 -07:00
aosp.h Bluetooth: aosp: Support AOSP Bluetooth Quality Report 2021-11-02 19:37:52 +01:00
coredump.c Bluetooth: Remove unnecessary NULL check before vfree() 2023-08-11 11:56:54 -07:00
ecdh_helper.c Bluetooth: Use crypto_wait_req 2023-02-13 18:34:48 +08:00
ecdh_helper.h Fix misc new gcc warnings 2021-04-27 17:05:53 -07:00
eir.c Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH 2023-08-24 12:22:05 -07:00
eir.h Bluetooth: Add initial implementation of BIS connections 2022-07-22 17:13:56 -07:00
hci_codec.c Bluetooth: Fix support for Read Local Supported Codecs V2 2022-12-02 13:09:31 -08:00
hci_codec.h Bluetooth: Add support for Read Local Supported Codecs V2 2021-09-07 14:09:18 -07:00
hci_conn.c Bluetooth: hci_sync: Fix overwriting request callback 2024-03-06 17:26:20 -05:00
hci_core.c Bluetooth: hci_core: Fix possible buffer overflow 2024-03-06 17:26:22 -05:00
hci_debugfs.c Bluetooth: Fix atomicity violation in {min,max}_key_size_set 2023-12-22 13:00:36 -05:00
hci_debugfs.h Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c 2021-09-22 16:17:13 +02:00
hci_event.c Bluetooth: hci_sync: Fix overwriting request callback 2024-03-06 17:26:20 -05:00
hci_request.c Bluetooth: hci_core: Cancel request on command timeout 2024-03-06 17:22:38 -05:00
hci_request.h Bluetooth: Delete unused hci_req_prepare_suspend() declaration 2023-09-20 10:55:29 -07:00
hci_sock.c Bluetooth: Remove usage of the deprecated ida_simple_xx() API 2024-03-06 17:22:38 -05:00
hci_sync.c Bluetooth: hci_sync: Fix overwriting request callback 2024-03-06 17:26:20 -05:00
hci_sysfs.c Bluetooth: Fix double free in hci_conn_cleanup 2023-10-23 11:05:11 -07:00
iso.c Bluetooth: ISO: Reassemble PA data for bcast sink 2024-03-06 17:26:19 -05:00
Kconfig Bluetooth: Remove BT_HS 2024-03-06 17:22:39 -05:00
l2cap_core.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
l2cap_sock.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
leds.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
leds.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lib.c Bluetooth: Add documentation to exported functions in lib 2023-12-22 12:54:55 -05:00
Makefile Bluetooth: Remove BT_HS 2024-03-06 17:22:39 -05:00
mgmt_config.c Bluetooth: mgmt: Use the correct print format 2021-06-26 07:12:42 +02:00
mgmt_config.h Bluetooth: mgmt: Add commands for runtime configuration 2020-06-18 13:11:03 +03:00
mgmt_util.c Bluetooth: Implement support for Mesh 2022-09-06 13:18:24 -07:00
mgmt_util.h Bluetooth: Fix a buffer overflow in mgmt_mesh_add() 2023-01-17 15:50:10 -08:00
mgmt.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
msft.c Bluetooth: msft: Fix memory leak 2024-03-06 17:26:23 -05:00
msft.h Bluetooth: hci_sync: Refactor remove Adv Monitor 2022-07-21 17:14:55 -07:00
sco.c Bluetooth: hci_conn: Always use sk_timeo as conn_timeout 2024-03-06 17:22:41 -05:00
selftest.c crypto: ecdh - move curve_id of ECDH from the key to algorithm name 2021-03-13 00:04:03 +11:00
selftest.h
smp.c Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE 2023-12-15 11:53:09 -05:00
smp.h Bluetooth: use inclusive language in SMP 2021-06-26 07:12:37 +02:00