[PATCH openEuler-1.0-LTS] Bluetooth: L2CAP: Fix use-after-free
From: Zhengping Jiang <jiangzp@google.com> stable inclusion from stable-v4.19.293 commit 1a40c56e8bff3e424724d78a9a6b3272dd8a371d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYBVV CVE: CVE-2023-53305 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit f752a0b334bb95fe9b42ecb511e0864e2768046f ] Fix potential use-after-free in l2cap_le_command_rej. Signed-off-by: Zhengping Jiang <jiangzp@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Yuan Can <yuancan@huawei.com> --- net/bluetooth/l2cap_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 22e971808536..cdb0a9f6f9fd 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -5712,9 +5712,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn, if (!chan) goto done; + chan = l2cap_chan_hold_unless_zero(chan); + if (!chan) + goto done; + l2cap_chan_lock(chan); l2cap_chan_del(chan, ECONNREFUSED); l2cap_chan_unlock(chan); + l2cap_chan_put(chan); done: mutex_unlock(&conn->chan_lock); -- 2.22.0
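Review bot: The commit message gives no account of the race behind the new `l2cap_chan_hold_unless_zero()` call in `l2cap_le_command_rej()`. It says only "Fix potential use-after-free" and does not name the path that can drop the last reference on `chan` while `conn->chan_lock` is still held, so a backport reviewer cannot judge whether the hold is taken early enough. Please describe that path in the message and add a Fixes: tag if the introducing commit is known. On the code itself, the second `if (!chan) goto done;` silently ignores a channel whose refcount has already reached zero. A one-line comment there, saying that such a channel is already being torn down elsewhere and needs no `l2cap_chan_del()`, would make the intent explicit. The ordering of `l2cap_chan_unlock(chan)` before `l2cap_chan_put(chan)` is correct, and nothing after the put touches `chan`, since `done:` only unlocks `conn->chan_lock`.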
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/18603
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/NVE...
participants (2): patchwork bot, Yuan Can