Commit 4b88cc90 authored Nov 02, 2024 by Chen Zhongjin Committed by Wang Liang Nov 02, 2024

Bluetooth: Fix not cleanup led when bt_init fails

stable inclusion
from stable-v4.19.269
commit 8a66c3a94285552f6a8e45d73b34ebbad11d388b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRIP
CVE: CVE-2022-48971

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8a66c3a94285552f6a8e45d73b34ebbad11d388b



--------------------------------

[ Upstream commit 2f3957c7 ]

bt_init() calls bt_leds_init() to register led, but if it fails later,
bt_leds_cleanup() is not called to unregister it.

This can cause panic if the argument "bluetooth-power" in text is freed
and then another led_trigger_register() tries to access it:

BUG: unable to handle page fault for address: ffffffffc06d3bc0
RIP: 0010:strcmp+0xc/0x30
  Call Trace:
    <TASK>
    led_trigger_register+0x10d/0x4f0
    led_trigger_register_simple+0x7d/0x100
    bt_init+0x39/0xf7 [bluetooth]
    do_one_initcall+0xd0/0x4e0

Fixes: e64c97b5 ("Bluetooth: Add combined LED trigger for controller power")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>

parent fc269dcb

net/bluetooth/af_bluetooth.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -744,7 +744,7 @@ static int __init bt_init(void)

		err = bt_sysfs_init();
		if (err < 0)
		return err;
		goto cleanup_led;

		err = sock_register(&bt_sock_family_ops);
		if (err)
		@@ -780,6 +780,8 @@ static int __init bt_init(void)
		sock_unregister(PF_BLUETOOTH);
		cleanup_sysfs:
		bt_sysfs_cleanup();
		cleanup_led:
		bt_leds_cleanup();
		return err;
		}