CVE-2023-53016
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix possible deadlock in rfcomm_sk_state_change syzbot reports a possible deadlock in rfcomm_sk_state_change [1]. While rfcomm_sock_connect acquires the sk lock and waits for the rfcomm lock, rfcomm_sock_release could have the rfcomm lock and hit a deadlock for acquiring the sk lock. Here's a simplified flow: rfcomm_sock_connect: lock_sock(sk) rfcomm_dlc_open: rfcomm_lock() rfcomm_sock_release: rfcomm_sock_shutdown: rfcomm_lock() __rfcomm_dlc_close: rfcomm_k_state_change: lock_sock(sk) This patch drops the sk lock before calling rfcomm_dlc_open to avoid the possible deadlock and holds sk's reference count to prevent use-after-free after rfcomm_dlc_open completes.
Reserved 2025-03-27 | Published 2025-03-27 | Updated 2025-05-04 | Assigner Linuxgit.kernel.org/...c/98aec50ff7f60cc6f2d6a4396b475c547e58b04d
git.kernel.org/...c/17511bd84871f4a6106cb335616e086880313f3f
git.kernel.org/...c/1d80d57ffcb55488f0ec0b77928d4f82d16b6a90
Support options
