diff options
| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2024-03-01 20:58:11 +0300 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2024-03-27 01:19:38 +0300 |
| commit | 64be3c6154886200708da0dfe259705fb992416c (patch) | |
| tree | e70f93325b54e9b7cf6f2902e7da17ccead4dbbf /security/security.c | |
| parent | 620b9e60e4b55fa55540ce852a0f3c9e6091dbbc (diff) | |
| download | linux-64be3c6154886200708da0dfe259705fb992416c.tar.xz | |
Bluetooth: af_bluetooth: Fix deadlock
[ Upstream commit f7b94bdc1ec107c92262716b073b3e816d4784fb ]
Attemting to do sock_lock on .recvmsg may cause a deadlock as shown
bellow, so instead of using sock_sock this uses sk_receive_queue.lock
on bt_sock_ioctl to avoid the UAF:
INFO: task kworker/u9:1:121 blocked for more than 30 seconds.
Not tainted 6.7.6-lemon #183
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__schedule+0x37d/0xa00
schedule+0x32/0xe0
__lock_sock+0x68/0xa0
? __pfx_autoremove_wake_function+0x10/0x10
lock_sock_nested+0x43/0x50
l2cap_sock_recv_cb+0x21/0xa0
l2cap_recv_frame+0x55b/0x30a0
? psi_task_switch+0xeb/0x270
? finish_task_switch.isra.0+0x93/0x2a0
hci_rx_work+0x33a/0x3f0
process_one_work+0x13a/0x2f0
worker_thread+0x2f0/0x410
? __pfx_worker_thread+0x10/0x10
kthread+0xe0/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Fixes: 2e07e8348ea4 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'security/security.c')
0 files changed, 0 insertions, 0 deletions