From c0dded0f8b1510c1b5ef3554a044de37567ace78 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 16 May 2024 13:43:47 +0000
Subject: [PATCH] Revert "Bluetooth: fix use-after-free in accessing skb after sending it"

This reverts commit 715264ad09fd4004e347cdb79fa58a4f2344f13f which is commit 947ec0d002dce8577b655793dcc6fc78d67b7cb6 upstream.

It breaks the Android kernel abi and can be brought back in the future in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: Icc979230a67566ee6a64cee43c91ec710c53c019
Signed-off-by: Greg Kroah-Hartman
---
 net/bluetooth/hci_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 050fae54946b..824dde465dd1 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4174,7 +4174,7 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 if (hci_req_status_pend(hdev) &&
 !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
 kfree_skb(hdev->req_skb);
- hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
+ hdev->req_skb = skb_clone(skb, GFP_KERNEL);
 }

 atomic_dec(&hdev->cmd_cnt);
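Review bot: The restored line `hdev->req_skb = skb_clone(skb, GFP_KERNEL);` in hci_send_cmd_sync() reads `skb` at a point where, going by the title of the reverted fix, the buffer has already been handed to the send path and may have been freed, so this revert reintroduces a use-after-free that upstream had closed. Nothing in the hunk touches a structure layout or an exported symbol, so the ABI break presumably comes from a related change; if that is the case, this one line could keep `hdev->sent_cmd` as the clone source while the rest is reverted. If the revert has to stay as it is, a comment such as `/* skb may already be consumed by the send above; known UAF, see upstream 947ec0d002dc */` plus a tracking entry would keep the regression visible until an ABI-safe fix lands. The send call and the rest of the function lie outside the hunk, so the lifetime of `skb` at this point should be confirmed against the full function.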