Message ID | 20230523115637.14541-1-lm0963hack@gmail.com |
---|---|
State | New |
Series | Bluetooth: HCI: fix use-after-free in hci_remove_ltk/hci_remove_irk |

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=750457

---Test result---

Test Summary:

Test | Result | Time |
---|---|---|
CheckPatch | PASS | 0.66 seconds |
GitLint | PASS | 0.26 seconds |
SubjectPrefix | PASS | 0.09 seconds |
BuildKernel | PASS | 41.83 seconds |
CheckAllWarning | PASS | 45.95 seconds |
CheckSparse | PASS | 51.32 seconds |
CheckSmatch | PASS | 139.19 seconds |
BuildKernel32 | PASS | 40.19 seconds |
TestRunnerSetup | PASS | 580.00 seconds |
TestRunner_l2cap-tester | PASS | 20.75 seconds |
TestRunner_iso-tester | PASS | 28.64 seconds |
TestRunner_bnep-tester | PASS | 7.25 seconds |
TestRunner_mgmt-tester | PASS | 140.80 seconds |
TestRunner_rfcomm-tester | PASS | 11.32 seconds |
TestRunner_sco-tester | PASS | 10.43 seconds |
TestRunner_ioctl-tester | PASS | 12.18 seconds |
TestRunner_mesh-tester | PASS | 9.19 seconds |
TestRunner_smp-tester | PASS | 10.39 seconds |
TestRunner_userchan-tester | PASS | 7.73 seconds |
IncrementalBuild | PASS | 38.00 seconds |

---

Regards,
Linux Bluetooth

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index a856b1051d35..0164b56de12d 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1416,10 +1416,10 @@ int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type) { - struct smp_ltk *k; + struct smp_ltk *k, *tmp; int removed = 0; - list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { + list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type) continue; @@ -1435,9 +1435,9 @@ int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type) void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type) { - struct smp_irk *k; + struct smp_irk *k, *tmp; - list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) { + list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type) continue;
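
Review bot: list_for_each_entry_safe() in hci_remove_ltk() only makes it safe for the loop body itself to free k; unlike the _rcu iterator it replaces, it is not safe against another context updating hdev->long_term_keys during the walk, so the loop is now correct only if every caller holds the lock that serialises writers to this list. Nothing in the hunk shows or enforces that. Please state the locking rule in the changelog and, if the rule is that callers hold the hdev lock, consider a lockdep_assert_held() for it at the top of the function so that a caller relying on RCU alone is caught.
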
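
Review bot: for the hci_remove_irk() hunk, the changelog does not say which read of k happens after kfree_rcu(). The visible part of the loop body only tests k->bdaddr and k->addr_type before any removal, so the late read is presumably the iterator loading the next pointer from the entry that was just queued for freeing. Spelling that out, together with a Fixes: tag naming the commit that introduced the _rcu iteration in these two functions, would make the backport decision straightforward.
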
Similar to commit 0f7d9b31ce7a ("netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()"). We can not access k after kfree_rcu() call.

Signed-off-by: Min Li <lm0963hack@gmail.com>

---

net/bluetooth/hci_core.c | 8 ++++----

1 file changed, 4 insertions(+), 4 deletions(-)