Unverified Commit 69e92f85 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14714 Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync 

Merge Pull Request from: @ci-robot 
 
PR sync from: Wang Wensheng <wangwensheng4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BVPEAN7RWVB3QOR6CL674URB77WQV4L6/ 
 
https://gitee.com/openeuler/kernel/issues/IBA6RL 
 
Link:https://gitee.com/openeuler/kernel/pulls/14714

 

Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 80215d85 73aa9203

net/bluetooth/mgmt.c

+9 −2
Original line number Diff line number Diff line
@@ -1318,7 +1318,8 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) 
	struct mgmt_mode *cp;



	/* Make sure cmd still outstanding. */

	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))

	if (err == -ECANCELED ||

	    cmd != pending_find(MGMT_OP_SET_POWERED, hdev))

		return;



	cp = cmd->param;
@@ -1351,7 +1352,13 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) 
static int set_powered_sync(struct hci_dev *hdev, void *data)

{

	struct mgmt_pending_cmd *cmd = data;

	struct mgmt_mode *cp = cmd->param;

	struct mgmt_mode *cp;



	/* Make sure cmd still outstanding. */

	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))

		return -ECANCELED;



	cp = cmd->param;



	BT_DBG("%s", hdev->name);