From 16708add3ed6292c059dd4dd5b150c62b2880715 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 8 Jun 2021 14:13:37 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
---
 ...t-lock-to-prevent-uaf-of-hdev-object.patch | 43 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 queue-4.19/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
diff --git a/queue-4.19/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch b/queue-4.19/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
new file mode 100644
index 00000000000..a8a7c8f38c7
--- /dev/null
+++ b/queue-4.19/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
@@ -0,0 +1,43 @@
+From e305509e678b3a4af2b3cfd410f409f7cdaabb52 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Sun, 30 May 2021 21:37:43 +0800
+Subject: Bluetooth: use correct lock to prevent UAF of hdev object
+
+From: Lin Ma
+
+commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.
+
+The hci_sock_dev_event() function will cleanup the hdev object for
+sockets even if this object may still be in used within the
+hci_sock_bound_ioctl() function, result in UAF vulnerability.
+
+This patch replace the BH context lock to serialize these affairs
+and prevent the race condition.
+
+Signed-off-by: Lin Ma
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev *
+ /* Detach sockets from device */
+ read_lock(&hci_sk_list.lock);
+ sk_for_each(sk, &hci_sk_list.head) {
+- bh_lock_sock_nested(sk);
++ lock_sock(sk);
+ if (hci_pi(sk)->hdev == hdev) {
+ hci_pi(sk)->hdev = NULL;
+ sk->sk_err = EPIPE;
+@@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev *
+
+ hci_dev_put(hdev);
+ }
+- bh_unlock_sock(sk);
++ release_sock(sk);
+ }
+ read_unlock(&hci_sk_list.lock);
+ }
diff --git a/queue-4.19/series b/queue-4.19/series
index e6171387509..ccf23a61e22 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -17,3 +17,4 @@ ixgbevf-add-correct-exception-tracing-for-xdp.patch
 tipc-add-extack-messages-for-bearer-media-failure.patch
 tipc-fix-unique-bearer-names-sanity-check.patch
 bluetooth-fix-the-erroneous-flush_work-order.patch
+bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
-- 
2.47.3
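Review bot: The new `lock_sock(sk)` in the nested hci_sock.c hunk is taken while `read_lock(&hci_sk_list.lock)` is still held (the context line two above it), and lock_sock() may sleep whereas a held rwlock keeps the caller in atomic context; unless this HCI_DEV_UNREG path is guaranteed to run where sleeping under that rwlock is acceptable, the backport trades the UAF for a sleep-in-atomic splat that a lockdep/DEBUG_ATOMIC_SLEEP 4.19 build would report. The bh_lock_sock_nested() it replaces was a spinlock and did not have this constraint, which is presumably why the original nesting was safe. Before queuing, confirm on a debug-enabled 4.19 kernel that unregistering an hdev with bound HCI sockets produces no "sleeping function called from invalid context" warning, and add a comment at the new line explaining the invariant, e.g. `/* lock_sock() can sleep; hci_sk_list.lock is only read-held here — confirm this path is never reached from atomic context */`. The enclosing hci_sock_dev_event() starts before and the switch it lives in continues outside the nested hunk.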