1. Patchew
  2. linux
  3. View series

[PATCH] Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

Cen Zhang posted 1 patch 3 days, 9 hours ago
There is a newer version of this series
net/bluetooth/hci_sync.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
[PATCH] Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
Posted by Cen Zhang 3 days, 9 hours ago 
From: Cen Zhang <zzzccc427@gmail.com>

hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".

Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.

Reported-by: Cen Zhang <zzzccc427@gmail.com>
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
 net/bluetooth/hci_sync.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index b6f888d83..f059b19fe 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -862,12 +862,13 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
 			       void *data, hci_cmd_sync_work_destroy_t destroy)
 {
 	struct hci_cmd_sync_work_entry *entry;
-
-	entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+	mutex_lock(&hdev->cmd_sync_work_lock);
+	entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
 	if (!entry)
 		return false;
 
-	hci_cmd_sync_cancel_entry(hdev, entry);
+	_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+	mutex_unlock(&hdev->cmd_sync_work_lock);
 
 	return true;
 }
-- 
2.43.0
Re: [PATCH] Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
Posted by Markus Elfring 3 days, 8 hours ago 
> hci_cmd_sync_dequeue_once() does lookup and then cancel
> the entry under two separate lock sections. Meanwhile,
> hci_cmd_sync_work() can also delete the same entry,
> leading to double list_del() and "UAF".

You may occasionally put more than 55 characters into text lines
of such a change description.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.17-rc7#n658


> Fix this by holding cmd_sync_work_lock across both
> lookup and cancel, so that the entry cannot be removed
> concurrently.
…
> +++ b/net/bluetooth/hci_sync.c
> @@ -862,12 +862,13 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
…

* How do you think about to add any tags (like “Fixes” and “Cc”) accordingly?

* Under which circumstances would you become interested to apply a call
  like “scoped_guard(mutex, &hdev->cmd_sync_work_lock)”?
  https://elixir.bootlin.com/linux/v6.17-rc7/source/include/linux/mutex.h#L228


Regards,
Markus

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.