From: Greg Kroah-Hartman Date: Tue, 8 Jun 2021 12:13:53 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.272~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc66944daa042b5daad026f359cb6c56ecc9fe53;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch --- diff --git a/queue-5.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch b/queue-5.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch new file mode 100644 index 00000000000..a8a7c8f38c7 --- /dev/null +++ b/queue-5.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch @@ -0,0 +1,43 @@ +From e305509e678b3a4af2b3cfd410f409f7cdaabb52 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Sun, 30 May 2021 21:37:43 +0800 +Subject: Bluetooth: use correct lock to prevent UAF of hdev object + +From: Lin Ma + +commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream. + +The hci_sock_dev_event() function will cleanup the hdev object for +sockets even if this object may still be in used within the +hci_sock_bound_ioctl() function, result in UAF vulnerability. + +This patch replace the BH context lock to serialize these affairs +and prevent the race condition. + +Signed-off-by: Lin Ma +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev * + /* Detach sockets from device */ + read_lock(&hci_sk_list.lock); + sk_for_each(sk, &hci_sk_list.head) { +- bh_lock_sock_nested(sk); ++ lock_sock(sk); + if (hci_pi(sk)->hdev == hdev) { + hci_pi(sk)->hdev = NULL; + sk->sk_err = EPIPE; +@@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev * + + hci_dev_put(hdev); + } +- bh_unlock_sock(sk); ++ release_sock(sk); + } + read_unlock(&hci_sk_list.lock); + } 
diff --git a/queue-5.4/series b/queue-5.4/series index 4897b96d32d..9fd4e29abbd 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -36,3 +36,4 @@ bus-ti-sysc-fix-flakey-idling-of-uarts-and-stop-usin.patch tipc-add-extack-messages-for-bearer-media-failure.patch tipc-fix-unique-bearer-names-sanity-check.patch bluetooth-fix-the-erroneous-flush_work-order.patch +bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
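Review bot: in both hunks of net/bluetooth/hci_sock.c, the new lock_sock(sk) / release_sock(sk) pair sits inside the read_lock(&hci_sk_list.lock) ... read_unlock(&hci_sk_list.lock) section, and lock_sock() can sleep, while the rwlock read side is a non-sleeping (atomic) context. bh_lock_sock_nested() was a spinlock and was safe to take there; the replacement is not, so hci_sock_dev_event() can now trigger a "sleeping function called from invalid context" warning or deadlock when a socket in the list is owned by another task at that moment. Suggest either keeping the walk of hci_sk_list.head free of sleeping locks (for example, take a reference on each matching socket under the read lock and do the lock_sock() work after read_unlock()), or fixing the lifetime on the ioctl side so that the hdev reference cannot be dropped while it is in use. Separately, the commit message names hci_sock_bound_ioctl() as the racing path, but the diff does not touch it; the message should state which lock that path holds so the claimed serialization with lock_sock() here can be checked from the change itself.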