From: Greg Kroah-Hartman
Date: Tue, 8 Jun 2021 12:13:20 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.272~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=498be73e95b94ed1c7caeb27e82fc04c284c2111;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
---
diff --git a/queue-4.14/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch b/queue-4.14/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
new file mode 100644
index 00000000000..28c74ae05c1
--- /dev/null
+++ b/queue-4.14/bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
@@ -0,0 +1,43 @@
+From e305509e678b3a4af2b3cfd410f409f7cdaabb52 Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Sun, 30 May 2021 21:37:43 +0800
+Subject: Bluetooth: use correct lock to prevent UAF of hdev object
+
+From: Lin Ma
+
+commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.
+
+The hci_sock_dev_event() function will cleanup the hdev object for
+sockets even if this object may still be in used within the
+hci_sock_bound_ioctl() function, result in UAF vulnerability.
+
+This patch replace the BH context lock to serialize these affairs
+and prevent the race condition.
+
+Signed-off-by: Lin Ma
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *
+ /* Detach sockets from device */
+ read_lock(&hci_sk_list.lock);
+ sk_for_each(sk, &hci_sk_list.head) {
+- bh_lock_sock_nested(sk);
++ lock_sock(sk);
+ if (hci_pi(sk)->hdev == hdev) {
+ hci_pi(sk)->hdev = NULL;
+ sk->sk_err = EPIPE;
+@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *
+
+ hci_dev_put(hdev);
+ }
+- bh_unlock_sock(sk);
++ release_sock(sk);
+ }
+ read_unlock(&hci_sk_list.lock);
+ }
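Review bot: The new `lock_sock(sk);` at the first hunk of the queued patch is taken while `read_lock(&hci_sk_list.lock)` from the context lines is still held, so a sleeping owner lock is now acquired inside a spinning rwlock critical section; lock_sock() goes through lock_sock_nested(), which calls might_sleep() and blocks in __lock_sock() precisely when a process-context user such as hci_sock_bound_ioctl() owns the socket, which is the case this patch intends to wait for. With CONFIG_DEBUG_ATOMIC_SLEEP that path reports "sleeping function called from invalid context", and on a preemptible kernel it can schedule while atomic, so the UAF fix trades a race for a locking-rule violation rather than closing it. Moving from the BH lock to the owner lock is the right direction, but the hdev detach and hci_dev_put() need to happen outside the hci_sk_list rwlock — for example leaving only the EPIPE wake-up under read_lock() and letting each bound socket drop its hdev under its own lock_sock() in the release and ioctl paths — which is a larger change than this two-line swap and belongs in a follow-up queued after this one rather than an edit to the backport. hci_sock_dev_event() begins before the hunk, so whether the 4.14 tree reaches this code only from process context (the unregister path) should be confirmed before relying on lock_sock() here at all.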
diff --git a/queue-4.14/series b/queue-4.14/series
index 00104e1d334..0428320440c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -11,3 +11,4 @@ netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch
 ieee802154-fix-error-return-code-in-ieee802154_add_i.patch
 ieee802154-fix-error-return-code-in-ieee802154_llsec.patch
 bluetooth-fix-the-erroneous-flush_work-order.patch
+bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch