Bluetooth: Fix potential use-after-free when clear keys

PlaidCat · PlaidCat · commit ab4b0b06e473 · 2025-10-30T13:29:50.000-04:00
jira LE-4623 cve CVE-2023-53386 Rebuild_History Non-Buildable kernel-4.18.0-553.81.1.el8_10 commit-author Min Li <lm0963hack@gmail.com> commit 3673952 Similar to commit c5d2b6f ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call. Fixes: d7d4168 ("Bluetooth: Fix Suspicious RCU usage warnings") Signed-off-by: Min Li <lm0963hack@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 3673952) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
@@ -1072,39 +1072,39 @@ void hci_uuids_clear(struct hci_dev *hdev)
 
 void hci_link_keys_clear(struct hci_dev *hdev)
 {
-	struct link_key *key;
+	struct link_key *key, *tmp;
 
-	list_for_each_entry(key, &hdev->link_keys, list) {
+	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
 		list_del_rcu(&key->list);
 		kfree_rcu(key, rcu);
 	}
 }
 
 void hci_smp_ltks_clear(struct hci_dev *hdev)
 {
-	struct smp_ltk *k;
+	struct smp_ltk *k, *tmp;
 
-	list_for_each_entry(k, &hdev->long_term_keys, list) {
+	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
 		list_del_rcu(&k->list);
 		kfree_rcu(k, rcu);
 	}
 }
 
 void hci_smp_irks_clear(struct hci_dev *hdev)
 {
-	struct smp_irk *k;
+	struct smp_irk *k, *tmp;
 
-	list_for_each_entry(k, &hdev->identity_resolving_keys, list) {
+	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
 		list_del_rcu(&k->list);
 		kfree_rcu(k, rcu);
 	}
 }
 
 void hci_blocked_keys_clear(struct hci_dev *hdev)
 {
-	struct blocked_key *b;
+	struct blocked_key *b, *tmp;
 
-	list_for_each_entry(b, &hdev->blocked_keys, list) {
+	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
 		list_del_rcu(&b->list);
 		kfree_rcu(b, rcu);
 	}

Original file line number	Diff line number	Diff line change
`@@ -1072,39 +1072,39 @@ void hci_uuids_clear(struct hci_dev *hdev)`
`1072`	`1072`
`1073`	`1073`	`void hci_link_keys_clear(struct hci_dev *hdev)`
`1074`	`1074`	`{`
`1075`		`- struct link_key *key;`
	`1075`	`+ struct link_key key, tmp;`
`1076`	`1076`
`1077`		`- list_for_each_entry(key, &hdev->link_keys, list) {`
	`1077`	`+ list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {`
`1078`	`1078`	`list_del_rcu(&key->list);`
`1079`	`1079`	`kfree_rcu(key, rcu);`
`1080`	`1080`	`}`
`1081`	`1081`	`}`
`1082`	`1082`
`1083`	`1083`	`void hci_smp_ltks_clear(struct hci_dev *hdev)`
`1084`	`1084`	`{`
`1085`		`- struct smp_ltk *k;`
	`1085`	`+ struct smp_ltk k, tmp;`
`1086`	`1086`
`1087`		`- list_for_each_entry(k, &hdev->long_term_keys, list) {`
	`1087`	`+ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {`
`1088`	`1088`	`list_del_rcu(&k->list);`
`1089`	`1089`	`kfree_rcu(k, rcu);`
`1090`	`1090`	`}`
`1091`	`1091`	`}`
`1092`	`1092`
`1093`	`1093`	`void hci_smp_irks_clear(struct hci_dev *hdev)`
`1094`	`1094`	`{`
`1095`		`- struct smp_irk *k;`
	`1095`	`+ struct smp_irk k, tmp;`
`1096`	`1096`
`1097`		`- list_for_each_entry(k, &hdev->identity_resolving_keys, list) {`
	`1097`	`+ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {`
`1098`	`1098`	`list_del_rcu(&k->list);`
`1099`	`1099`	`kfree_rcu(k, rcu);`
`1100`	`1100`	`}`
`1101`	`1101`	`}`
`1102`	`1102`
`1103`	`1103`	`void hci_blocked_keys_clear(struct hci_dev *hdev)`
`1104`	`1104`	`{`
`1105`		`- struct blocked_key *b;`
	`1105`	`+ struct blocked_key b, tmp;`
`1106`	`1106`
`1107`		`- list_for_each_entry(b, &hdev->blocked_keys, list) {`
	`1107`	`+ list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {`
`1108`	`1108`	`list_del_rcu(&b->list);`
`1109`	`1109`	`kfree_rcu(b, rcu);`
`1110`	`1110`	`}`