Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set

PlaidCat · PlaidCat · commit a735bb19801f · 2025-09-09T18:55:18.000-04:00
jira VULN-50082 jira VULN-50081 cve CVE-2022-49136 commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com> commit 0b94f26 hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has been set as that means hci_unregister_dev has been called so it will likely cause a uaf after the timeout as the hdev will be freed. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> (cherry picked from commit 0b94f26) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
@@ -379,6 +379,9 @@ int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
 {
 	struct hci_cmd_sync_work_entry *entry;
 
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+		return -ENODEV;
+
 	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
 	if (!entry)
 		return -ENOMEM;

Original file line number	Diff line number	Diff line change
`@@ -379,6 +379,9 @@ int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,`
`379`	`379`	`{`
`380`	`380`	`struct hci_cmd_sync_work_entry *entry;`
`381`	`381`
	`382`	`+ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))`
	`383`	`+ return -ENODEV;`
	`384`	`+`
`382`	`385`	`entry = kmalloc(sizeof(*entry), GFP_KERNEL);`
`383`	`386`	`if (!entry)`
`384`	`387`	`return -ENOMEM;`