Message ID | 20220127012100.3128690-1-luiz.dentz@gmail.com |
---|---|
State | New |
Series | Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=608888

---Test result---

Test Summary:
CheckPatch                      PASS    0.76 seconds
GitLint                         PASS    0.40 seconds
SubjectPrefix                   PASS    0.22 seconds
BuildKernel                     PASS    38.03 seconds
BuildKernel32                   PASS    34.01 seconds
Incremental Build with patches  PASS    45.70 seconds
TestRunner: Setup               PASS    587.10 seconds
TestRunner: l2cap-tester        PASS    15.08 seconds
TestRunner: bnep-tester         PASS    6.72 seconds
TestRunner: mgmt-tester         PASS    122.54 seconds
TestRunner: rfcomm-tester       PASS    8.72 seconds
TestRunner: sco-tester          PASS    9.04 seconds
TestRunner: smp-tester          PASS    8.86 seconds
TestRunner: userchan-tester     PASS    7.34 seconds

---
Regards,
Linux Bluetooth
Hi Luiz,

> hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has
> been set as that means hci_unregister_dev has been called so it will
> likely cause a uaf after the timeout as the hdev will be freed.
>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_sync.c | 3 +++
> 1 file changed, 3 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 87c46b04b9ff..af16b1018c35 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -382,6 +382,9 @@ int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func, { struct hci_cmd_sync_work_entry *entry; + if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) + return -ENODEV; + entry = kmalloc(sizeof(*entry), GFP_KERNEL); if (!entry) return -ENOMEM;
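
Review bot: The HCI_UNREGISTER test added at the top of hci_cmd_sync_queue() is a bare flag read with no lock visible in this hunk, and the kmalloc(sizeof(*entry), GFP_KERNEL) that follows it may sleep, so hci_unregister_dev() could set the flag after the test passes and before the entry is queued, which leaves a narrower version of the use-after-free window the commit message describes. Consider repeating or moving the check under whatever lock protects the queue the entry is later added to, or add a comment stating what serializes this check against unregistration. A one-line comment above the check noting that -ENODEV means the hdev is being torn down would also help, since callers now have a new error return to handle.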