Syzkaller reports a use-after-free in hci_cmd_timeout(). The bug was fixed in the following patch, which can be cleanly applied to the 6.1 stable tree.
Due to some technical rearrangement, the fix for older stable branches requires a different patch which I'll send you in another thread.
From: Archie Pusaka <apusaka@chromium.org>
commit 97dfaf073f5881c624856ef293be307b6166115c upstream.
If a command is already sent, we take care of freeing it, but we also need to cancel the timeout as well.
Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
 net/bluetooth/hci_sync.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 8d6c8cbfe1de..aab3d85f4637 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -4703,6 +4703,7 @@ int hci_dev_open_sync(struct hci_dev *hdev) hdev->flush(hdev);
if (hdev->sent_cmd) { + cancel_delayed_work_sync(&hdev->cmd_timer); kfree_skb(hdev->sent_cmd); hdev->sent_cmd = NULL; }
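Review bot: the commit message should say why the _sync variant is required at this site, since the one-line hunk does not explain it: hci_cmd_timeout() may already be running and have loaded hdev->sent_cmd into a local when hci_dev_open_sync() gets here, and a plain cancel_delayed_work() would only drop a still-pending item without waiting for a running handler, so the kfree_skb() that follows would still race with it. It is also worth stating in the message that cancel_delayed_work_sync() can sleep and that this block in hci_dev_open_sync() runs in a context where that is allowed; the ordering in the hunk (cancel, then kfree_skb(), then clear sent_cmd) is the right one and should be kept when the patch is backported to trees where this block lives elsewhere.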
On Thu, Jan 26, 2023 at 04:36:12PM +0300, Fedor Pchelkin wrote:
> Syzkaller reports a use-after-free in hci_cmd_timeout(). The bug was fixed in the following patch, which can be cleanly applied to the 6.1 stable tree.
> Due to some technical rearrangement, the fix for older stable branches requires a different patch which I'll send you in another thread.
Queued up, thanks!
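The race the patch closes, as an added single-threaded model that is not part of this thread or of the kernel sources. The command-timeout handler is split into two halves, mirroring how hci_cmd_timeout() first reads hdev->sent_cmd and only later dereferences it, so a handler that is already running can be interleaved with the freeing block from hci_dev_open_sync(). kfree_skb() is modelled as poisoning rather than freeing so a later touch is detectable; run_scenario() takes a cancel mode (0: no cancel, as before the patch; 1: a plain cancel_delayed_work(); 2: cancel_delayed_work_sync(), as in the patch) and returns how many times the handler touched a freed buffer. All struct layouts, the HCI_Reset command bytes and the two-phase handler are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Model of a delayed work item: idle, queued, or mid-handler. */
enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING };

/* Minimal stand-in for the kernel's sk_buff (assumption, not the real layout). */
struct sk_buff {
    unsigned char data[4];
    int freed;                  /* poison flag standing in for a real free */
};

struct hci_dev;

struct delayed_work {
    enum work_state state;
    struct sk_buff *captured;   /* pointer the running handler has loaded */
    struct hci_dev *hdev;
};

struct hci_dev {
    struct sk_buff *sent_cmd;
    struct delayed_work cmd_timer;
    int uaf_hits;               /* handler dereferenced a poisoned skb */
};

/* Model of kfree_skb(): poison the payload instead of freeing it. */
static void kfree_skb(struct sk_buff *skb)
{
    memset(skb->data, 0x6b, sizeof skb->data); /* 0x6b, like SLUB's poison byte */
    skb->freed = 1;
}

/* First half of hci_cmd_timeout(): the handler starts and reads hdev->sent_cmd. */
static void cmd_timeout_begin(struct delayed_work *w)
{
    if (w->state != WORK_PENDING)
        return;
    w->state = WORK_RUNNING;
    w->captured = w->hdev->sent_cmd;
}

/* Second half: the handler uses the skb it captured (the real one reads the opcode). */
static void cmd_timeout_finish(struct delayed_work *w)
{
    if (w->state != WORK_RUNNING)
        return;
    if (w->captured && w->captured->freed)
        w->hdev->uaf_hits++;
    w->captured = NULL;
    w->state = WORK_IDLE;
}

/* cancel_delayed_work(): drops a queued item, does not wait for a running one. */
static void cancel_delayed_work(struct delayed_work *w)
{
    if (w->state == WORK_PENDING)
        w->state = WORK_IDLE;
}

/* cancel_delayed_work_sync(): additionally waits for (here: completes) a running handler. */
static void cancel_delayed_work_sync(struct delayed_work *w)
{
    cancel_delayed_work(w);
    cmd_timeout_finish(w);
}

/* The freeing block of hci_dev_open_sync(), with the chosen cancel mode. */
static void open_free_sent_cmd(struct hci_dev *hdev, int cancel_mode)
{
    if (hdev->sent_cmd) {
        if (cancel_mode == 1)
            cancel_delayed_work(&hdev->cmd_timer);
        else if (cancel_mode == 2)
            cancel_delayed_work_sync(&hdev->cmd_timer);
        kfree_skb(hdev->sent_cmd);
        hdev->sent_cmd = NULL;
    }
}

/* Interleaving: the timeout handler is mid-flight when the open path runs.
 * Returns the number of freed-buffer touches (0 means the race is closed). */
int run_scenario(int cancel_mode)
{
    struct sk_buff cmd = { {0x03, 0x0c, 0x00, 0x00}, 0 }; /* constructed: HCI_Reset */
    struct hci_dev hdev = { &cmd, { WORK_PENDING, NULL, NULL }, 0 };
    hdev.cmd_timer.hdev = &hdev;

    cmd_timeout_begin(&hdev.cmd_timer);     /* handler already holds the pointer */
    open_free_sent_cmd(&hdev, cancel_mode); /* open path frees sent_cmd */
    cmd_timeout_finish(&hdev.cmd_timer);    /* handler resumes; no-op after a sync cancel */
    return hdev.uaf_hits;
}

int main(void)
{
    printf("no cancel:                %d freed-buffer touch(es)\n", run_scenario(0));
    printf("cancel_delayed_work:      %d freed-buffer touch(es)\n", run_scenario(1));
    printf("cancel_delayed_work_sync: %d freed-buffer touch(es)\n", run_scenario(2));
    return 0;
}
```

Mode 1 still reports a hit because a non-sync cancel only removes a queued item and returns immediately while the handler is executing; only mode 2 lets the handler finish with a still-valid skb before kfree_skb() runs, which is why the hunk uses cancel_delayed_work_sync().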
linux-stable-mirror@lists.linaro.org