Bluetooth: Fix potential use-after-free when clear keys

PlaidCat · PlaidCat · commit 139c55fe9830 · 2025-12-05T17:21:22.000-05:00
jira VULN-155797 cve CVE-2023-53386 commit-author Min Li <lm0963hack@gmail.com> commit 3673952 Similar to commit c5d2b6f ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call. Fixes: d7d4168 ("Bluetooth: Fix Suspicious RCU usage warnings") Signed-off-by: Min Li <lm0963hack@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 3673952) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
@@ -2346,39 +2346,39 @@ void hci_uuids_clear(struct hci_dev *hdev)
 
 void hci_link_keys_clear(struct hci_dev *hdev)
 {
-	struct link_key *key;
+	struct link_key *key, *tmp;
 
-	list_for_each_entry(key, &hdev->link_keys, list) {
+	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
 		list_del_rcu(&key->list);
 		kfree_rcu(key, rcu);
 	}
 }
 
 void hci_smp_ltks_clear(struct hci_dev *hdev)
 {
-	struct smp_ltk *k;
+	struct smp_ltk *k, *tmp;
 
-	list_for_each_entry(k, &hdev->long_term_keys, list) {
+	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
 		list_del_rcu(&k->list);
 		kfree_rcu(k, rcu);
 	}
 }
 
 void hci_smp_irks_clear(struct hci_dev *hdev)
 {
-	struct smp_irk *k;
+	struct smp_irk *k, *tmp;
 
-	list_for_each_entry(k, &hdev->identity_resolving_keys, list) {
+	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
 		list_del_rcu(&k->list);
 		kfree_rcu(k, rcu);
 	}
 }
 
 void hci_blocked_keys_clear(struct hci_dev *hdev)
 {
-	struct blocked_key *b;
+	struct blocked_key *b, *tmp;
 
-	list_for_each_entry(b, &hdev->blocked_keys, list) {
+	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
 		list_del_rcu(&b->list);
 		kfree_rcu(b, rcu);
 	}

Original file line number	Diff line number	Diff line change
`@@ -2346,39 +2346,39 @@ void hci_uuids_clear(struct hci_dev *hdev)`
`2346`	`2346`
`2347`	`2347`	`void hci_link_keys_clear(struct hci_dev *hdev)`
`2348`	`2348`	`{`
`2349`		`- struct link_key *key;`
	`2349`	`+ struct link_key key, tmp;`
`2350`	`2350`
`2351`		`- list_for_each_entry(key, &hdev->link_keys, list) {`
	`2351`	`+ list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {`
`2352`	`2352`	`list_del_rcu(&key->list);`
`2353`	`2353`	`kfree_rcu(key, rcu);`
`2354`	`2354`	`}`
`2355`	`2355`	`}`
`2356`	`2356`
`2357`	`2357`	`void hci_smp_ltks_clear(struct hci_dev *hdev)`
`2358`	`2358`	`{`
`2359`		`- struct smp_ltk *k;`
	`2359`	`+ struct smp_ltk k, tmp;`
`2360`	`2360`
`2361`		`- list_for_each_entry(k, &hdev->long_term_keys, list) {`
	`2361`	`+ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {`
`2362`	`2362`	`list_del_rcu(&k->list);`
`2363`	`2363`	`kfree_rcu(k, rcu);`
`2364`	`2364`	`}`
`2365`	`2365`	`}`
`2366`	`2366`
`2367`	`2367`	`void hci_smp_irks_clear(struct hci_dev *hdev)`
`2368`	`2368`	`{`
`2369`		`- struct smp_irk *k;`
	`2369`	`+ struct smp_irk k, tmp;`
`2370`	`2370`
`2371`		`- list_for_each_entry(k, &hdev->identity_resolving_keys, list) {`
	`2371`	`+ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {`
`2372`	`2372`	`list_del_rcu(&k->list);`
`2373`	`2373`	`kfree_rcu(k, rcu);`
`2374`	`2374`	`}`
`2375`	`2375`	`}`
`2376`	`2376`
`2377`	`2377`	`void hci_blocked_keys_clear(struct hci_dev *hdev)`
`2378`	`2378`	`{`
`2379`		`- struct blocked_key *b;`
	`2379`	`+ struct blocked_key b, tmp;`
`2380`	`2380`
`2381`		`- list_for_each_entry(b, &hdev->blocked_keys, list) {`
	`2381`	`+ list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {`
`2382`	`2382`	`list_del_rcu(&b->list);`
`2383`	`2383`	`kfree_rcu(b, rcu);`
`2384`	`2384`	`}`