Patch "Bluetooth: hci_sock: purge socket queues in the destruct() callback" has been added to the 5.16-stable tree

This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_sock: purge socket queues in the destruct() callback

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_sock-purge-socket-queues-in-the-destru.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 44faae29a0b9a1ef40d4fe0f067bca75ad75db96
Author: Nguyen Dinh Phi <phind.uet@xxxxxxxxx>
Date:   Fri Oct 8 03:04:24 2021 +0800

    Bluetooth: hci_sock: purge socket queues in the destruct() callback
    
    [ Upstream commit 709fca500067524381e28a5f481882930eebac88 ]
    
    The receive path may take the socket right before hci_sock_release(),
    but it may enqueue the packets to the socket queues after the call to
    skb_queue_purge(), therefore the socket can be destroyed without
    clearing its queues completely.
    
    Moving these skb_queue_purge() calls to hci_sock_destruct() will fix
    this issue, because nothing is referencing the socket at this point.
    
    Signed-off-by: Nguyen Dinh Phi <phind.uet@xxxxxxxxx>
    Reported-by: syzbot+4c4ffd1e1094dae61035@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index f2506e656f3e4..33b3c0ffc3399 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -889,10 +889,6 @@ static int hci_sock_release(struct socket *sock)
 	}
 
 	sock_orphan(sk);
-
-	skb_queue_purge(&sk->sk_receive_queue);
-	skb_queue_purge(&sk->sk_write_queue);
-
 	release_sock(sk);
 	sock_put(sk);
 	return 0;
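Review bot: with the two skb_queue_purge() calls gone from hci_sock_release(), the queues are now cleared only when the final reference is dropped through sock_put(), so the correctness of this hunk depends entirely on sk_destruct being wired up for every hci socket. A one-line comment after sock_orphan(sk), e.g. "/* queues are purged in hci_sock_destruct() once the last ref is gone */", would stop a later reader from re-adding the purge here and reintroducing the race the commit message describes.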
@@ -2059,6 +2055,12 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
 	return err;
 }
 
+static void hci_sock_destruct(struct sock *sk)
+{
+	skb_queue_purge(&sk->sk_receive_queue);
+	skb_queue_purge(&sk->sk_write_queue);
+}
+
 static const struct proto_ops hci_sock_ops = {
 	.family		= PF_BLUETOOTH,
 	.owner		= THIS_MODULE,
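Review bot: hci_sock_destruct() carries no comment stating why purging is safe here but not in release: sk_destruct runs only after the refcount has reached zero, so no receive path can still hold the socket and enqueue behind the purge. A short comment above the function making that invariant explicit would help, since the two purge calls look identical to the ones just removed from hci_sock_release() and the reason for the move is not visible from the code itself.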
@@ -2112,6 +2114,7 @@ static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
 
 	sock->state = SS_UNCONNECTED;
 	sk->sk_state = BT_OPEN;
+	sk->sk_destruct = hci_sock_destruct;
 
 	bt_sock_link(&hci_sk_list, sk);
 	return 0;
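Review bot: placing the sk->sk_destruct assignment before bt_sock_link(&hci_sk_list, sk) is the right order, because the socket only becomes reachable from the receive path once it is on hci_sk_list; a brief comment noting that the destructor must be installed before linking would make the ordering constraint explicit for anyone later reordering the initialisation in hci_sock_create().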

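The interleaving the commit message describes (receive path takes a reference, release purges and drops its reference, receive path enqueues and then drops the last reference) can be reproduced in a small user-space model. The following is an added example written for this page, not kernel code and not part of the patch: the `struct sock`, `skb_queue_purge()`, `sock_put()` and `run_race()` functions are constructed stand-ins that mirror the names in hci_sock.c, with the refcount and queue reduced to plain integers and a singly linked list. `run_race(1)` models the old behaviour (purge inside release) and `run_race(0)` the patched behaviour (purge in the destructor); each returns the number of skbs still queued when the socket memory is freed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model of the hci_sock race; not kernel code.
 * Names mirror hci_sock.c but every type and function here is a stand-in. */

struct skb {
    struct skb *next;
};

struct sock {
    int refcnt;                          /* models sk->sk_refcnt */
    struct skb *receive_queue;           /* models sk->sk_receive_queue */
    void (*sk_destruct)(struct sock *);  /* models sk->sk_destruct */
};

/* Append an skb to the receive queue (models skb_queue_tail()). */
static void skb_queue_tail(struct sock *sk, struct skb *skb)
{
    struct skb **pp = &sk->receive_queue;

    while (*pp)
        pp = &(*pp)->next;
    skb->next = NULL;
    *pp = skb;
}

/* Free every queued skb; returns how many were freed (models skb_queue_purge()). */
static int skb_queue_purge(struct sock *sk)
{
    int n = 0;

    while (sk->receive_queue) {
        struct skb *skb = sk->receive_queue;

        sk->receive_queue = skb->next;
        free(skb);
        n++;
    }
    return n;
}

static void sock_hold(struct sock *sk)
{
    sk->refcnt++;
}

/* Drop one reference. On the last drop the destructor runs; whatever is
 * still queued afterwards is what the real kernel would have leaked.
 * Returns that count (0 when this was not the final reference). */
static int sock_put(struct sock *sk)
{
    int leaked = 0;

    if (--sk->refcnt > 0)
        return 0;
    if (sk->sk_destruct)
        sk->sk_destruct(sk);
    for (struct skb *s = sk->receive_queue; s; s = s->next)
        leaked++;
    skb_queue_purge(sk);   /* keep the model itself leak-free */
    return leaked;
}

/* The patched behaviour: purge once nothing references the socket. */
static void hci_sock_destruct(struct sock *sk)
{
    skb_queue_purge(sk);
}

/* Replay the interleaving from the commit message. purge_in_release != 0
 * selects the pre-patch behaviour. Returns skbs orphaned at final free. */
static int run_race(int purge_in_release)
{
    struct sock *sk = calloc(1, sizeof(*sk));
    int leaked;

    sk->refcnt = 1;                       /* the owning file's reference */
    if (!purge_in_release)
        sk->sk_destruct = hci_sock_destruct;

    sock_hold(sk);                        /* receive path finds the socket */

    if (purge_in_release)                 /* hci_sock_release(): old purge */
        skb_queue_purge(sk);              /* nothing queued yet, so a no-op */
    sock_put(sk);                         /* release drops its ref: 2 -> 1 */

    skb_queue_tail(sk, calloc(1, sizeof(struct skb)));  /* late enqueue */

    leaked = sock_put(sk);                /* receive path drops last ref */
    free(sk);
    return leaked;
}

int main(void)
{
    printf("purge in release : %d skb(s) orphaned\n", run_race(1));
    printf("purge in destruct: %d skb(s) orphaned\n", run_race(0));
    return 0;
}
```

The model makes the ordering argument concrete: a purge performed while another reference is still outstanding cannot be complete, because the holder of that reference may enqueue afterwards, whereas a purge in the destructor runs only once the refcount has reached zero and no enqueue can follow.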

