Skip to content

Commit

Permalink
Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set
Browse files Browse the repository at this point in the history 
hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has
been set as that means hci_unregister_dev has been called so it will
likely cause a uaf after the timeout as the hdev will be freed.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
  • Loading branch information
Luiz Augusto von Dentz authored and Marcel Holtmann committed Jan 27, 2022
1 parent adce573 commit 0b94f26
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions net/bluetooth/hci_sync.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -382,6 +382,9 @@ int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
{
struct hci_cmd_sync_work_entry *entry;

if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
return -ENODEV;

entry = kmalloc(sizeof(*entry), GFP_KERNEL);
if (!entry)
return -ENOMEM;
Expand Down

0 comments on commit 0b94f26

Please sign in to comment.