From b31ec5bea9bd9ad9d97b0c14e9d391636f1ef90e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 10 Mar 2023 13:00:26 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
---
 ...cket-queues-in-the-destruct-callback.patch | 60 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 61 insertions(+)
 create mode 100644 queue-5.10/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch

diff --git a/queue-5.10/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch b/queue-5.10/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
new file mode 100644
index 00000000000..b3dc5a2b04f
--- /dev/null
+++ b/queue-5.10/bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
@@ -0,0 +1,60 @@
+From 709fca500067524381e28a5f481882930eebac88 Mon Sep 17 00:00:00 2001
+From: Nguyen Dinh Phi
+Date: Fri, 8 Oct 2021 03:04:24 +0800
+Subject: Bluetooth: hci_sock: purge socket queues in the destruct() callback
+
+From: Nguyen Dinh Phi
+
+commit 709fca500067524381e28a5f481882930eebac88 upstream.
+
+The receive path may take the socket right before hci_sock_release(),
+but it may enqueue the packets to the socket queues after the call to
+skb_queue_purge(), therefore the socket can be destroyed without clear
+its queues completely.
+
+Moving these skb_queue_purge() to the hci_sock_destruct() will fix this
+issue, because nothing is referencing the socket at this point.
+
+Signed-off-by: Nguyen Dinh Phi
+Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -888,10 +888,6 @@ static int hci_sock_release(struct socke
+ }
+
+ sock_orphan(sk);
+-
+- skb_queue_purge(&sk->sk_receive_queue);
+- skb_queue_purge(&sk->sk_write_queue);
+-
+ release_sock(sk);
+ sock_put(sk);
+ return 0;
+@@ -2012,6 +2008,12 @@ done:
+ return err;
+ }
+
++static void hci_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++ skb_queue_purge(&sk->sk_write_queue);
++}
++
+ static const struct proto_ops hci_sock_ops = {
+ .family = PF_BLUETOOTH,
+ .owner = THIS_MODULE,
+@@ -2065,6 +2067,7 @@ static int hci_sock_create(struct net *n
+
+ sock->state = SS_UNCONNECTED;
+ sk->sk_state = BT_OPEN;
++ sk->sk_destruct = hci_sock_destruct;
+
+ bt_sock_link(&hci_sk_list, sk);
+ return 0;
diff --git a/queue-5.10/series b/queue-5.10/series
index 67c184f3884..152f647ea45 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
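Review bot: The new hci_sock_destruct() in the second nested hunk carries no comment saying why the purge was moved out of hci_sock_release(), so the ordering it depends on lives only in the commit message; a short comment above the function would keep it visible to the next maintainer: `/* Purge here rather than in release(): the receive path can still queue skbs after hci_sock_release(), and nothing references the socket once destruct runs. */`. The assignment `sk->sk_destruct = hci_sock_destruct;` in hci_sock_create needs no comment of its own since the callback name is self-describing. This appears to be a stable backport of an upstream fix, so the code itself is not in question here, only its documentation. The enclosing hci_sock_release() and hci_sock_create() bodies start outside their hunks.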
@@ -515,3 +515,4 @@ x86-resctrl-apply-read_once-write_once-to-task_struct.-rmid-closid.patch
 x86-resctl-fix-scheduler-confusion-with-current.patch
 drm-display-dp_mst-fix-down-up-message-handling-after-sink-disconnect.patch
 drm-display-dp_mst-fix-down-message-handling-after-a-packet-reception-error.patch
+bluetooth-hci_sock-purge-socket-queues-in-the-destruct-callback.patch
-- 
2.47.3