Bluetooth: Fix potential use-after-free when clear keys

shreeya-patel98 · shreeya-patel98 · commit bff6dd6cffd1 · 2025-11-18T15:21:04.000+05:30
jira VULN-155798 cve CVE-2023-53386 commit-author Min Li <lm0963hack@gmail.com> commit 3673952 Similar to commit c5d2b6f ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call. Fixes: d7d4168 ("Bluetooth: Fix Suspicious RCU usage warnings") Signed-off-by: Min Li <lm0963hack@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> (cherry picked from commit 3673952) Signed-off-by: Shreeya Patel <spatel@ciq.com>
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
@@ -1074,39 +1074,39 @@ void hci_uuids_clear(struct hci_dev *hdev)
 
 void hci_link_keys_clear(struct hci_dev *hdev)
 {
-	struct link_key *key;
+	struct link_key *key, *tmp;
 
-	list_for_each_entry(key, &hdev->link_keys, list) {
+	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
 		list_del_rcu(&key->list);
 		kfree_rcu(key, rcu);
 	}
 }
 
 void hci_smp_ltks_clear(struct hci_dev *hdev)
 {
-	struct smp_ltk *k;
+	struct smp_ltk *k, *tmp;
 
-	list_for_each_entry(k, &hdev->long_term_keys, list) {
+	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
 		list_del_rcu(&k->list);
 		kfree_rcu(k, rcu);
 	}
 }
 
 void hci_smp_irks_clear(struct hci_dev *hdev)
 {
-	struct smp_irk *k;
+	struct smp_irk *k, *tmp;
 
-	list_for_each_entry(k, &hdev->identity_resolving_keys, list) {
+	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
 		list_del_rcu(&k->list);
 		kfree_rcu(k, rcu);
 	}
 }
 
 void hci_blocked_keys_clear(struct hci_dev *hdev)
 {
-	struct blocked_key *b;
+	struct blocked_key *b, *tmp;
 
-	list_for_each_entry(b, &hdev->blocked_keys, list) {
+	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
 		list_del_rcu(&b->list);
 		kfree_rcu(b, rcu);
 	}

Original file line number	Diff line number	Diff line change
`@@ -1074,39 +1074,39 @@ void hci_uuids_clear(struct hci_dev *hdev)`
`1074`	`1074`
`1075`	`1075`	`void hci_link_keys_clear(struct hci_dev *hdev)`
`1076`	`1076`	`{`
`1077`		`- struct link_key *key;`
	`1077`	`+ struct link_key key, tmp;`
`1078`	`1078`
`1079`		`- list_for_each_entry(key, &hdev->link_keys, list) {`
	`1079`	`+ list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {`
`1080`	`1080`	`list_del_rcu(&key->list);`
`1081`	`1081`	`kfree_rcu(key, rcu);`
`1082`	`1082`	`}`
`1083`	`1083`	`}`
`1084`	`1084`
`1085`	`1085`	`void hci_smp_ltks_clear(struct hci_dev *hdev)`
`1086`	`1086`	`{`
`1087`		`- struct smp_ltk *k;`
	`1087`	`+ struct smp_ltk k, tmp;`
`1088`	`1088`
`1089`		`- list_for_each_entry(k, &hdev->long_term_keys, list) {`
	`1089`	`+ list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {`
`1090`	`1090`	`list_del_rcu(&k->list);`
`1091`	`1091`	`kfree_rcu(k, rcu);`
`1092`	`1092`	`}`
`1093`	`1093`	`}`
`1094`	`1094`
`1095`	`1095`	`void hci_smp_irks_clear(struct hci_dev *hdev)`
`1096`	`1096`	`{`
`1097`		`- struct smp_irk *k;`
	`1097`	`+ struct smp_irk k, tmp;`
`1098`	`1098`
`1099`		`- list_for_each_entry(k, &hdev->identity_resolving_keys, list) {`
	`1099`	`+ list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {`
`1100`	`1100`	`list_del_rcu(&k->list);`
`1101`	`1101`	`kfree_rcu(k, rcu);`
`1102`	`1102`	`}`
`1103`	`1103`	`}`
`1104`	`1104`
`1105`	`1105`	`void hci_blocked_keys_clear(struct hci_dev *hdev)`
`1106`	`1106`	`{`
`1107`		`- struct blocked_key *b;`
	`1107`	`+ struct blocked_key b, tmp;`
`1108`	`1108`
`1109`		`- list_for_each_entry(b, &hdev->blocked_keys, list) {`
	`1109`	`+ list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {`
`1110`	`1110`	`list_del_rcu(&b->list);`
`1111`	`1111`	`kfree_rcu(b, rcu);`
`1112`	`1112`	`}`