* [PATCH] Bluetooth: Fix potential use-after-free when clear keys
@ 2023-08-07 11:07 Min Li
2023-08-07 12:02 ` bluez.test.bot
2023-08-07 22:50 ` [PATCH] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Min Li @ 2023-08-07 11:07 UTC (permalink / raw)
To: luiz.dentz; +Cc: marcel, johan.hedberg, linux-bluetooth, linux-kernel
Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in
hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu()
call.
Fixes: d7d41682efc2 ("Bluetooth: Fix Suspicious RCU usage warnings")
Signed-off-by: Min Li <lm0963hack@gmail.com>
---
net/bluetooth/hci_core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a856b1051d35..bae8a9919dbe 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1074,9 +1074,9 @@ void hci_uuids_clear(struct hci_dev *hdev)
void hci_link_keys_clear(struct hci_dev *hdev)
{
- struct link_key *key;
+ struct link_key *key, *tmp;
- list_for_each_entry(key, &hdev->link_keys, list) {
+ list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
list_del_rcu(&key->list);
kfree_rcu(key, rcu);
}
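Review bot: In hci_link_keys_clear() the reason the plain iterator is unsafe is only implied by the log's reference to c5d2b6fa26b5, so please spell it out in the commit message. list_for_each_entry() reads key->list.next to advance after the body has already run `kfree_rcu(key, rcu);`, and key may have been freed by then if a grace period has elapsed. list_for_each_entry_safe() avoids that by loading the next entry into tmp before the body runs.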
@@ -1084,9 +1084,9 @@ void hci_link_keys_clear(struct hci_dev *hdev)
void hci_smp_ltks_clear(struct hci_dev *hdev)
{
- struct smp_ltk *k;
+ struct smp_ltk *k, *tmp;
- list_for_each_entry(k, &hdev->long_term_keys, list) {
+ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
list_del_rcu(&k->list);
kfree_rcu(k, rcu);
}
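Review bot: In hci_smp_ltks_clear(), list_for_each_entry_safe() only protects against this loop removing the entry it is standing on. tmp is cached before `list_del_rcu(&k->list);`, so another writer that removes and frees the tmp entry concurrently would still leave the loop holding a stale pointer. Nothing in the hunk shows which lock serialises writers of hdev->long_term_keys. A short comment or a lockdep assertion at the top of the function naming the lock callers must hold would make that explicit, and the same applies to the other three clear functions.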
@@ -1094,9 +1094,9 @@ void hci_smp_ltks_clear(struct hci_dev *hdev)
void hci_smp_irks_clear(struct hci_dev *hdev)
{
- struct smp_irk *k;
+ struct smp_irk *k, *tmp;
- list_for_each_entry(k, &hdev->identity_resolving_keys, list) {
+ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
list_del_rcu(&k->list);
kfree_rcu(k, rcu);
}
@@ -1104,9 +1104,9 @@ void hci_smp_irks_clear(struct hci_dev *hdev)
void hci_blocked_keys_clear(struct hci_dev *hdev)
{
- struct blocked_key *b;
+ struct blocked_key *b, *tmp;
- list_for_each_entry(b, &hdev->blocked_keys, list) {
+ list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
list_del_rcu(&b->list);
kfree_rcu(b, rcu);
}
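Review bot: The commit message says "We can not access k after kfree_rcu()", but in hci_blocked_keys_clear() the freed entry is b and in hci_link_keys_clear() it is key. Wording the log in terms of the list entry and listing the four functions touched would make the change easier to match up when it is backported against the Fixes: commit.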
--
2.34.1
* RE: Bluetooth: Fix potential use-after-free when clear keys
From: bluez.test.bot @ 2023-08-07 12:02 UTC (permalink / raw)
To: linux-bluetooth, lm0963hack
This is an automated email. Please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=773609
---Test result---
Test Summary:
CheckPatch PASS 0.65 seconds
GitLint PASS 0.29 seconds
SubjectPrefix PASS 0.10 seconds
BuildKernel PASS 34.64 seconds
CheckAllWarning PASS 38.75 seconds
CheckSparse PASS 45.45 seconds
CheckSmatch PASS 125.79 seconds
BuildKernel32 PASS 37.24 seconds
TestRunnerSetup PASS 545.64 seconds
TestRunner_l2cap-tester PASS 25.96 seconds
TestRunner_iso-tester PASS 50.74 seconds
TestRunner_bnep-tester PASS 11.92 seconds
TestRunner_mgmt-tester PASS 228.35 seconds
TestRunner_rfcomm-tester PASS 17.79 seconds
TestRunner_sco-tester PASS 20.39 seconds
TestRunner_ioctl-tester PASS 19.50 seconds
TestRunner_mesh-tester PASS 15.40 seconds
TestRunner_smp-tester PASS 16.13 seconds
TestRunner_userchan-tester PASS 12.86 seconds
IncrementalBuild PASS 35.33 seconds
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: Fix potential use-after-free when clear keys
From: patchwork-bot+bluetooth @ 2023-08-07 22:50 UTC (permalink / raw)
To: Min Li; +Cc: luiz.dentz, marcel, johan.hedberg, linux-bluetooth, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 7 Aug 2023 19:07:41 +0800 you wrote:
> Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in
> hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu()
> call.
>
> Fixes: d7d41682efc2 ("Bluetooth: Fix Suspicious RCU usage warnings")
> Signed-off-by: Min Li <lm0963hack@gmail.com>
>
> [...]
Here is the summary with links:
- Bluetooth: Fix potential use-after-free when clear keys
https://git.kernel.org/bluetooth/bluetooth-next/c/2e4504460992
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html