From 9724f5ecc918e29daea729658a51e7b79246bd8f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 10 Mar 2023 13:00:17 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
---
 ...cket-queues-in-the-destruct-callback.patch | 60 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 61 insertions(+)
 create mode 100644 queue-5.4/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
diff --git a/queue-5.4/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch b/queue-5.4/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
new file mode 100644
index 00000000000..208bf27ae7e
--- /dev/null
+++ b/queue-5.4/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
@@ -0,0 +1,60 @@
+From 709fca500067524381e28a5f481882930eebac88 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi
+Date: Fri, 8 Oct 2021 03:04:24 +0800
+Subject: Bluetooth: hci_sock: purge socket queues in the destruct() callback
+
+From: Nguyen Dinh Phi
+
+commit 709fca500067524381e28a5f481882930eebac88 upstream.
+
+The receive path may take the socket right before hci_sock_release(),
+but it may enqueue the packets to the socket queues after the call to
+skb_queue_purge(), therefore the socket can be destroyed without clear
+its queues completely.
+
+Moving these skb_queue_purge() to the hci_sock_destruct() will fix this
+issue, because nothing is referencing the socket at this point.
+
+Signed-off-by: Nguyen Dinh Phi
+Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -881,10 +881,6 @@ static int hci_sock_release(struct socke
+ }
+ 
+ sock_orphan(sk);
+-
+- skb_queue_purge(&sk->sk_receive_queue);
+- skb_queue_purge(&sk->sk_write_queue);
+-
+ release_sock(sk);
+ sock_put(sk);
+ return 0;
+@@ -1985,6 +1981,12 @@ done:
+ return err;
+ }
+ 
++static void hci_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++ skb_queue_purge(&sk->sk_write_queue);
++}
++
+ static const struct proto_ops hci_sock_ops = {
+ .family = PF_BLUETOOTH,
+ .owner = THIS_MODULE,
+@@ -2035,6 +2037,7 @@ static int hci_sock_create(struct net *n
+ 
+ sock->state = SS_UNCONNECTED;
+ sk->sk_state = BT_OPEN;
++ sk->sk_destruct = hci_sock_destruct;
+ 
+ bt_sock_link(&hci_sk_list, sk);
+ return 0;
diff --git a/queue-5.4/series b/queue-5.4/series
index 39163bab60f..6f223ace33a 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
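Review bot: The new hci_sock_destruct() in the second inner hunk carries no comment saying why the purge was moved out of hci_sock_release(), which is the whole point of the fix and will not be obvious to the next reader of hci_sock.c; I would put above it `/* Purge here rather than in hci_sock_release(): the receive path may still queue skbs to this socket until the last reference is dropped. */`. The assignment `sk->sk_destruct = hci_sock_destruct;` in the third inner hunk presumably runs after sock_init_data() has installed its default callback; that call is outside the hunk, so the order is worth confirming, since an earlier assignment would be overwritten and the queues would never be purged. Note also that skbs now stay queued until the final sock_put() rather than at release time, so the accounting on those queues is held slightly longer; that looks acceptable but is a visible behaviour change the backport description does not mention. Both hci_sock_release() and hci_sock_create() begin outside their hunks, and the -881 hunk shows only the removed purges, so the rest of the release teardown cannot be checked from here.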
@@ -349,3 +349,4 @@ phy-rockchip-typec-fix-unsigned-comparison-with-less.patch
 net-tls-avoid-hanging-tasks-on-the-tx_lock.patch
 x86-resctrl-apply-read_once-write_once-to-task_struct.-rmid-closid.patch
 x86-resctl-fix-scheduler-confusion-with-current.patch
+bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
-- 
2.47.3