Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set

hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has been set as that means hci_unregister_dev has been called so it will likely cause a uaf after the timeout as the hdev will be freed. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2022-01-26 17:21:00 -0800
committer: Marcel Holtmann <marcel@holtmann.org> 2022-01-27 17:40:18 +0100
commit: 0b94f2651f56b9e4aa5f012b0d7eb57308c773cf (patch)
tree: 4ad85c6a18e6e8547a20795b883a48e340a49236 /net/bluetooth
parent: adce573b927adf827f2f8627f05c2ba90031ebc9 (diff)
download: linux-0b94f2651f56b9e4aa5f012b0d7eb57308c773cf.tar.gz
linux-0b94f2651f56b9e4aa5f012b0d7eb57308c773cf.tar.bz2
linux-0b94f2651f56b9e4aa5f012b0d7eb57308c773cf.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 2fe8c60dc62b..6e71aa6b6fea 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -382,6 +382,9 @@ int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
 {
 	struct hci_cmd_sync_work_entry *entry;
 
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+		return -ENODEV;
+
 	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
 	if (!entry)
 		return -ENOMEM;
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2022-01-26 17:21:00 -0800
committer	Marcel Holtmann <marcel@holtmann.org>	2022-01-27 17:40:18 +0100
commit	0b94f2651f56b9e4aa5f012b0d7eb57308c773cf (patch)
tree	4ad85c6a18e6e8547a20795b883a48e340a49236 /net/bluetooth
parent	adce573b927adf827f2f8627f05c2ba90031ebc9 (diff)
download	linux-0b94f2651f56b9e4aa5f012b0d7eb57308c773cf.tar.gz linux-0b94f2651f56b9e4aa5f012b0d7eb57308c773cf.tar.bz2 linux-0b94f2651f56b9e4aa5f012b0d7eb57308c773cf.zip