CVE-2024-41062

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 29/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bluetooth/l2cap: sync sock recv cb and release

The problem occurs between the system call to close the sock and hci_rx_work,
where the former releases the sock and the latter accesses it without lock protection.

    CPU0                    CPU1
    ----                    ----
    sock_close              hci_rx_work
    l2cap_sock_release      hci_acldata_packet
    l2cap_sock_kill         l2cap_recv_frame
    sk_free                 l2cap_conless_channel
                            l2cap_sock_recv_cb

If hci_rx_work processes the data that needs to be received before the sock is
closed, then everything is normal; Otherwise, the work thread may access the
released sock when receiving data.

Add a chan mutex in the rx callback of the sock to achieve synchronization between
the sock release and recv cb.

Sock is dead, so set chan data to NULL, avoid others use invalid sock pointer.
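The locking pattern described above, as a simplified user-space model added here; it is not the kernel patch or any kernel code. The names `sock_model`, `chan_model`, `chan_release`, `chan_recv_cb` and `replay_late_frame`, and the choice of `-ENXIO` as the error for a dead sock, are assumptions made for the illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: hypothetical stand-ins, not kernel definitions. */
struct sock_model { int rx_frames; };

struct chan_model {
    pthread_mutex_t lock;     /* plays the role of the chan mutex      */
    struct sock_model *data;  /* back-pointer from the chan to the sock */
};

/* Release path (CPU0 column): detach and free the sock under the chan lock. */
void chan_release(struct chan_model *chan)
{
    pthread_mutex_lock(&chan->lock);
    free(chan->data);
    chan->data = NULL;        /* sock is dead: no one may reach it via chan */
    pthread_mutex_unlock(&chan->lock);
}

/* Receive path (CPU1 column): take the same lock before touching the sock. */
int chan_recv_cb(struct chan_model *chan)
{
    int err = 0;
    pthread_mutex_lock(&chan->lock);
    if (chan->data == NULL)
        err = -ENXIO;         /* assumed error code: sock already released */
    else
        chan->data->rx_frames++;
    pthread_mutex_unlock(&chan->lock);
    return err;
}

/* Replays both orderings from the description: one frame handled before the
 * close, one arriving after it. Returns the result for the late frame. */
int replay_late_frame(int *frames_before_close)
{
    struct chan_model chan = { .lock = PTHREAD_MUTEX_INITIALIZER, .data = NULL };
    chan.data = calloc(1, sizeof(*chan.data));
    if (chan.data == NULL)
        return -ENOMEM;
    chan_recv_cb(&chan);                       /* before close: normal case */
    *frames_before_close = chan.data->rx_frames;
    chan_release(&chan);
    return chan_recv_cb(&chan);                /* after close: frame dropped */
}

int main(void)
{
    int n = 0, rc = replay_late_frame(&n);
    printf("frames before close=%d, late frame rc=%d\n", n, rc);
    return 0;
}
```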

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       -                  6.1.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)    6.6.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.9.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*  -                  -
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*  -                  -
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*  -                  -
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*  -                  -
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*  -                  -
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*  -                  -