From: Greg Kroah-Hartman
Date: Fri, 25 Apr 2025 08:16:08 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.135~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ea691b4e8d884a91a91a7ea7dea8a48f93ea768;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
bluetooth-sco-fix-uaf-on-sco_sock_timeout.patch
---
diff --git a/queue-5.15/bluetooth-sco-fix-uaf-on-sco_sock_timeout.patch b/queue-5.15/bluetooth-sco-fix-uaf-on-sco_sock_timeout.patch
new file mode 100644
index 0000000000..b95851aad6
--- /dev/null
+++ b/queue-5.15/bluetooth-sco-fix-uaf-on-sco_sock_timeout.patch
@@ -0,0 +1,109 @@
+From 1bf4470a3939c678fb822073e9ea77a0560bc6bb Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Tue, 22 Oct 2024 12:31:08 -0400
+Subject: Bluetooth: SCO: Fix UAF on sco_sock_timeout
+
+From: Luiz Augusto von Dentz
+
+commit 1bf4470a3939c678fb822073e9ea77a0560bc6bb upstream.
+
+conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
+so this checks if the conn->sk is still valid by checking if it part of
+sco_sk_list.
+
+Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
+Tested-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
+Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Xiangyu Chen
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/bluetooth.h | 1 +
+ net/bluetooth/af_bluetooth.c | 22 ++++++++++++++++++++++
+ net/bluetooth/sco.c | 18 ++++++++++++------
+ 3 files changed, 35 insertions(+), 6 deletions(-)
+
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -314,6 +314,7 @@ int bt_sock_register(int proto, const s
+ void bt_sock_unregister(int proto);
+ void bt_sock_link(struct bt_sock_list *l, struct sock *s);
+ void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
++bool bt_sock_linked(struct bt_sock_list *l, struct sock *s);
+ int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ int flags);
+ int bt_sock_stream_recvmsg(struct socket *sock, struct msghdr *msg,
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -154,6 +154,28 @@ void bt_sock_unlink(struct bt_sock_list
+ }
+ EXPORT_SYMBOL(bt_sock_unlink);
+
++bool bt_sock_linked(struct bt_sock_list *l, struct sock *s)
++{
++ struct sock *sk;
++
++ if (!l || !s)
++ return false;
++
++ read_lock(&l->lock);
++
++ sk_for_each(sk, &l->head) {
++ if (s == sk) {
++ read_unlock(&l->lock);
++ return true;
++ }
++ }
++
++ read_unlock(&l->lock);
++
++ return false;
++}
++EXPORT_SYMBOL(bt_sock_linked);
++
+ void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
+ {
+ BT_DBG("parent %p, sk %p", parent, sk);
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -76,6 +76,16 @@ struct sco_pinfo {
+ #define SCO_CONN_TIMEOUT (HZ * 40)
+ #define SCO_DISCONN_TIMEOUT (HZ * 2)
+
++static struct sock *sco_sock_hold(struct sco_conn *conn)
++{
++ if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk))
++ return NULL;
++
++ sock_hold(conn->sk);
++
++ return conn->sk;
++}
++
+ static void sco_sock_timeout(struct work_struct *work)
+ {
+ struct sco_conn *conn = container_of(work, struct sco_conn,
+@@ -87,9 +97,7 @@ static void sco_sock_timeout(struct work
+ sco_conn_unlock(conn);
+ return;
+ }
+- sk = conn->sk;
+- if (sk)
+- sock_hold(sk);
++ sk = sco_sock_hold(conn);
+ sco_conn_unlock(conn);
+
+ if (!sk)
+@@ -191,9 +199,7 @@ static void sco_conn_del(struct hci_conn
+
+ /* Kill socket */
+ sco_conn_lock(conn);
+- sk = conn->sk;
+- if (sk)
+- sock_hold(sk);
++ sk = sco_sock_hold(conn);
+ sco_conn_unlock(conn);
+
+ if (sk) {
diff --git a/queue-5.15/series b/queue-5.15/series
index f74f123c4e..7d02dbd7d8 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -251,3 +251,4 @@ f2fs-check-validation-of-fault-attrs-in-f2fs_build_fault_attr.patch
 pmdomain-ti-add-a-null-pointer-check-to-the-omap_prm_domain_init.patch
 scsi-lpfc-fix-null-pointer-dereference-after-failing-to-issue-flogi-and-plogi.patch
 f2fs-add-inline-to-f2fs_build_fault_attr-stub.patch
+bluetooth-sco-fix-uaf-on-sco_sock_timeout.patch
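Review bot: The new sco_sock_hold() in the sco.c hunk takes its reference only after bt_sock_linked() has already released l->lock, so the membership answer is a snapshot and the window between `return true` and `sock_hold(conn->sk)` is closed only if the caller's sco_conn_lock also serializes the unlink path — that is the locking invariant the fix rests on, and the patch states it nowhere. I would document it on the helper, `/* Caller must hold sco_conn_lock: bt_sock_linked() drops l->lock before we take the ref, so the lock must exclude concurrent unlinking of conn->sk. */`, and give the newly exported bt_sock_linked() in af_bluetooth.c a kerneldoc comment saying a true result is only meaningful while the caller prevents bt_sock_unlink() by other means. Whether sco_conn_lock does exclude the unlink path is inferred from the commit message, not visible in this hunk, so it should be confirmed against the callers. Both call sites, sco_sock_timeout() and sco_conn_del(), are shown only partially; their bodies continue outside the hunks.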