mirror of
https://github.com/torvalds/linux.git
synced 2026-05-30 18:13:41 +02:00
bluetooth pull request for net:
- vhci: Prevent use-after-free by removing debugfs files early - L2CAP: Fix use-after-free in l2cap_sock_cleanup_listen() -----BEGIN PGP SIGNATURE----- iQJNBAABCgA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmix9zgZHGx1aXoudm9u LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKWjLD/9tyXf6EGbkZphp/eP3fJj/ 0mne9vD7A5biP/kosOTbUrbw8XgPSNzMl64L/w7AXJAIFytjtv6azg+V71r8AM98 bjQfilA3qkM2AR8wKx9rmyFmr6/R5NcOpKIsqE/9c7kex9EuVz5fV/scHo3yHbMX 92ebfwVzp6P1LfAPWl8S/ASscrqe19NIecbuFDk7x/V5ZcSfwctXM83miArr3b6e oduD9LPwbhvvj86L3HNptXuTQZ5V2oGkMYPQ13vltIFwgXBcQ3WuqW3Qo3FdNLDb KY6zlXy0+fgz5ewMKe0OB0EEgaPcfQGCxqtsYHkTR5QK7gPnWtm+1Sv1zn+f1Cfh 6LAjqPrDjR00LC6yQXzoGFFtKvpux7fwvKlDj7vTgbloT6+Cj29N3WRk4Z8Xhgy2 DZWOZ0IDLyCYWMFdf5WGs/pEQq2MxHJ+HsDzFJmjQf3O32hT+ZGX6JOBLmctmNgK AMn3NQS9ALNdXEXH8rpFilBNdHsGOPtRvTyNejLsS1Xn4andDflRbVGYNMBR7JER hsXfu8uv6RNWzNhEx25DXOh6PZAOQOc2vi09t95B/KxoIJQqak24LvVYlqqnlSJT n7Xvxlt+mhuSukrAavnB/ul0fQ7mvXTI3NrS5o68OeUqujdnl+5+trF0Kuxq1q+Q fVFl5OdTbij9AgaWqGTWJA== =EyL4 -----END PGP SIGNATURE----- Merge tag 'for-net-2025-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - vhci: Prevent use-after-free by removing debugfs files early - L2CAP: Fix use-after-free in l2cap_sock_cleanup_listen() * tag 'for-net-2025-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Bluetooth: vhci: Prevent use-after-free by removing debugfs files early ==================== Link: https://patch.msgid.link/20250829191210.1982163-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski
commit
0dffd938db
|
|
@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = {
|
|||
.write = force_devcd_write,
|
||||
};
|
||||
|
||||
static void vhci_debugfs_init(struct vhci_data *data)
|
||||
{
|
||||
struct hci_dev *hdev = data->hdev;
|
||||
|
||||
debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
|
||||
&force_suspend_fops);
|
||||
|
||||
debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
|
||||
&force_wakeup_fops);
|
||||
|
||||
if (IS_ENABLED(CONFIG_BT_MSFTEXT))
|
||||
debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
|
||||
&msft_opcode_fops);
|
||||
|
||||
if (IS_ENABLED(CONFIG_BT_AOSPEXT))
|
||||
debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
|
||||
&aosp_capable_fops);
|
||||
|
||||
debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
|
||||
&force_devcoredump_fops);
|
||||
}
|
||||
|
||||
static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
|
||||
{
|
||||
struct hci_dev *hdev;
|
||||
|
|
@ -434,22 +456,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
|
|||
return -EBUSY;
|
||||
}
|
||||
|
||||
debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
|
||||
&force_suspend_fops);
|
||||
|
||||
debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
|
||||
&force_wakeup_fops);
|
||||
|
||||
if (IS_ENABLED(CONFIG_BT_MSFTEXT))
|
||||
debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
|
||||
&msft_opcode_fops);
|
||||
|
||||
if (IS_ENABLED(CONFIG_BT_AOSPEXT))
|
||||
debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
|
||||
&aosp_capable_fops);
|
||||
|
||||
debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
|
||||
&force_devcoredump_fops);
|
||||
if (!IS_ERR_OR_NULL(hdev->debugfs))
|
||||
vhci_debugfs_init(data);
|
||||
|
||||
hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
|
||||
|
||||
|
|
@ -651,6 +659,21 @@ static int vhci_open(struct inode *inode, struct file *file)
|
|||
return 0;
|
||||
}
|
||||
|
||||
static void vhci_debugfs_remove(struct hci_dev *hdev)
|
||||
{
|
||||
debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
|
||||
|
||||
debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
|
||||
|
||||
if (IS_ENABLED(CONFIG_BT_MSFTEXT))
|
||||
debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
|
||||
|
||||
if (IS_ENABLED(CONFIG_BT_AOSPEXT))
|
||||
debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
|
||||
|
||||
debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
|
||||
}
|
||||
|
||||
static int vhci_release(struct inode *inode, struct file *file)
|
||||
{
|
||||
struct vhci_data *data = file->private_data;
|
||||
|
|
@ -662,6 +685,8 @@ static int vhci_release(struct inode *inode, struct file *file)
|
|||
hdev = data->hdev;
|
||||
|
||||
if (hdev) {
|
||||
if (!IS_ERR_OR_NULL(hdev->debugfs))
|
||||
vhci_debugfs_remove(hdev);
|
||||
hci_unregister_dev(hdev);
|
||||
hci_free_dev(hdev);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1422,7 +1422,10 @@ static int l2cap_sock_release(struct socket *sock)
|
|||
if (!sk)
|
||||
return 0;
|
||||
|
||||
lock_sock_nested(sk, L2CAP_NESTING_PARENT);
|
||||
l2cap_sock_cleanup_listen(sk);
|
||||
release_sock(sk);
|
||||
|
||||
bt_sock_unlink(&l2cap_sk_list, sk);
|
||||
|
||||
err = l2cap_sock_shutdown(sock, SHUT_RDWR);
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user