This is a note to let you know that I've just added the patch titled Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk to the 6.3-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bluetooth-fix-use-after-free-in-hci_remove_ltk-hci_remove_irk.patch and it can be found in the queue-6.3 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From c5d2b6fa26b5b8386a9cc902cdece3a46bef2bd2 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Date: Tue, 30 May 2023 13:48:44 -0700 Subject: Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> commit c5d2b6fa26b5b8386a9cc902cdece3a46bef2bd2 upstream. Similar to commit 0f7d9b31ce7a ("netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()"). We can not access k after kfree_rcu() call. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Min Li <lm0963hack@xxxxxxxxx> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/bluetooth/hci_core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1416,10 +1416,10 @@ int hci_remove_link_key(struct hci_dev * int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type) { - struct smp_ltk *k; + struct smp_ltk *k, *tmp; int removed = 0; - list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { + list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type) continue; 
@@ -1435,9 +1435,9 @@ int hci_remove_ltk(struct hci_dev *hdev, void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type) { - struct smp_irk *k; + struct smp_irk *k, *tmp; - list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) { + list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type) continue; Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are queue-6.3/bluetooth-hci_qca-fix-debugfs-registration.patch queue-6.3/bluetooth-fix-l2cap_disconnect_req-deadlock.patch queue-6.3/bluetooth-iso-use-correct-cis-order-in-set-cig-param.patch queue-6.3/bluetooth-fix-debugfs-registration.patch queue-6.3/bluetooth-split-bt_iso_qos-into-dedicated-structures.patch queue-6.3/bluetooth-iso-fix-cig-auto-allocation-to-select-conf.patch queue-6.3/bluetooth-fix-use-after-free-in-hci_remove_ltk-hci_remove_irk.patch queue-6.3/bluetooth-iso-consider-right-cis-when-removing-cig-a.patch queue-6.3/bluetooth-hci_conn-fix-not-matching-by-cis-id.patch queue-6.3/bluetooth-iso-don-t-try-to-remove-cig-if-there-are-b.patch queue-6.3/bluetooth-hci_conn-add-support-for-linking-multiple-.patch queue-6.3/bluetooth-hci_sync-add-lock-to-protect-hci_unregiste.patch queue-6.3/bluetooth-l2cap-add-missing-checks-for-invalid-dcid.patch
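Review bot: the iterator change in the hci_remove_ltk() hunk fixes the use-after-free named in the subject (the _rcu walker reads k->list.next after the body has passed k to kfree_rcu()), but it trades RCU-tolerant traversal for a plain safe-delete walk, so the hunk silently depends on the caller holding the lock that serializes writers to hdev->long_term_keys; list_for_each_entry_safe() only protects against the body freeing the current entry (tmp is fetched before the body runs), not against concurrent removals by another writer. Please spell out that locking assumption in the commit message, and consider a one-line comment above the loop such as `/* body frees k via kfree_rcu(); must not use the _rcu walker */` so a later cleanup does not reinstate list_for_each_entry_rcu().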
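Review bot: the hci_remove_irk() hunk stops at the `continue;` before the removal, so the visible lines show neither the kfree_rcu() the commit message refers to nor whether k is touched again after it (for example in a debug print); a reviewer has to trust the description rather than the diff. Extending the context a few lines, or noting in the message that the only post-free access was the walker's own next-pointer read, would make the fix self-evident. The same locking caveat as in the hci_remove_ltk() hunk applies: dropping list_for_each_entry_rcu() is only correct if this function is already called with the writer lock for hdev->identity_resolving_keys held.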