From 898b46c10e8bb86116a2e61572b53700199bb4aa Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 8 Jun 2021 14:12:37 +0200
Subject: [PATCH] 4.4-stable patches added patches: bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
---
 ...t-lock-to-prevent-uaf-of-hdev-object.patch | 43 +++++++++++++++++++
 queue-4.4/series | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 queue-4.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
diff --git a/queue-4.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch b/queue-4.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
new file mode 100644
index 00000000000..aab16d335e4
--- /dev/null
+++ b/queue-4.4/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
@@ -0,0 +1,43 @@
+From e305509e678b3a4af2b3cfd410f409f7cdaabb52 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Sun, 30 May 2021 21:37:43 +0800
+Subject: Bluetooth: use correct lock to prevent UAF of hdev object
+
+From: Lin Ma
+
+commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.
+
+The hci_sock_dev_event() function will cleanup the hdev object for
+sockets even if this object may still be in used within the
+hci_sock_bound_ioctl() function, result in UAF vulnerability.
+
+This patch replace the BH context lock to serialize these affairs
+and prevent the race condition.
+
+Signed-off-by: Lin Ma
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -483,7 +483,7 @@ void hci_sock_dev_event(struct hci_dev *
+ /* Detach sockets from device */
+ read_lock(&hci_sk_list.lock);
+ sk_for_each(sk, &hci_sk_list.head) {
+- bh_lock_sock_nested(sk);
++ lock_sock(sk);
+ if (hci_pi(sk)->hdev == hdev) {
+ hci_pi(sk)->hdev = NULL;
+ sk->sk_err = EPIPE;
+@@ -492,7 +492,7 @@ void hci_sock_dev_event(struct hci_dev *
+
+ hci_dev_put(hdev);
+ }
+- bh_unlock_sock(sk);
++ release_sock(sk);
+ }
+ read_unlock(&hci_sk_list.lock);
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index cf17bf38772..7748a8ebe1b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -7,3 +7,4 @@ netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch
 ieee802154-fix-error-return-code-in-ieee802154_add_i.patch
 ieee802154-fix-error-return-code-in-ieee802154_llsec.patch
 bluetooth-fix-the-erroneous-flush_work-order.patch
+bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
-- 
2.47.3
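Review bot: The replacement of `bh_lock_sock_nested(sk)` with `lock_sock(sk)` in the nested hunk at `@@ -483,7 +483,7 @@` sits inside the `read_lock(&hci_sk_list.lock)` / `read_unlock(&hci_sk_list.lock)` region visible in the same hunk, and `lock_sock()` can block when the socket is owned by a process context, whereas `read_lock()` on an rwlock leaves the caller in atomic context. On a 4.4 kernel that nesting looks like a sleep-in-atomic hazard that the queued patch's description does not discuss, so it is worth confirming on a CONFIG_DEBUG_ATOMIC_SLEEP / lockdep build before this ships, or queuing whatever upstream follow-up adjusted this path if one exists. The `sk_for_each()` walk also takes no reference on `sk`, so a socket being torn down concurrently is protected only by the list lock — likewise worth verifying against the 4.4 `hci_sock_release()` path rather than assuming from the upstream commit message. Both nested hunks show only part of `hci_sock_dev_event()`; its start and end lie outside them.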