| Message ID | 20230221160910.kernel.v1.1.If0578b001c1f12567f2ebcac5856507f1adee745@changeid |
|---|---|
| State | New |
| Headers | show |
| Series | Clear workqueue to avoid use-after-free | expand |
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 117eedb6f709..6609434e3125 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -4840,6 +4840,8 @@ int hci_dev_close_sync(struct hci_dev *hdev) auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF); + hci_cmd_sync_clear(hdev); + if (!auto_off && hdev->dev_type == HCI_PRIMARY && !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && hci_dev_test_flag(hdev, HCI_MGMT))
Clear cmd_sync_work queue before clearing the mgmt cmd list to avoid racing conditions which cause use-after-free. When powering off the adapter, the mgmt cmd list will be cleared. If a work is queued in the cmd_sync_work queue at the same time, it will cause the risk of use-after-free, as the cmd pointer is not checked before use. Signed-off-by: Zhengping Jiang <jiangzp@google.com> --- Changes in v1: - Clear cmd_sync_work queue before clearing the mgmt cmd list net/bluetooth/hci_sync.c | 2 ++ 1 file changed, 2 insertions(+)