* [PATCH 6.1 0/1] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: Fedor Pchelkin @ 2023-01-26 13:36 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Fedor Pchelkin, Archie Pusaka, Abhishek Pandit-Subedi,
	Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
	David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
	linux-kernel, Alexey Khoroshilov, lvc-project

Syzkaller reports use-after-free in hci_cmd_timeout(). The bug was fixed
in the following patch and can be cleanly applied to 6.1 stable tree.

Due to some technical rearrangement, the fix for older stable branches
requires a different patch which I'll send you in another thread.


* [PATCH 6.1 1/1] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: Fedor Pchelkin @ 2023-01-26 13:36 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Fedor Pchelkin, Archie Pusaka, Abhishek Pandit-Subedi,
	Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
	David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
	linux-kernel, Alexey Khoroshilov, lvc-project,
	Luiz Augusto von Dentz

From: Archie Pusaka <apusaka@chromium.org>

commit 97dfaf073f5881c624856ef293be307b6166115c upstream.

If a command is already sent, we take care of freeing it, but we
also need to cancel the timeout as well.

Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
 net/bluetooth/hci_sync.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 8d6c8cbfe1de..aab3d85f4637 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -4703,6 +4703,7 @@ int hci_dev_open_sync(struct hci_dev *hdev)
 			hdev->flush(hdev);
 
 		if (hdev->sent_cmd) {
+			cancel_delayed_work_sync(&hdev->cmd_timer);
 			kfree_skb(hdev->sent_cmd);
 			hdev->sent_cmd = NULL;
 		}
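Review bot: the ordering in this hunk is the whole fix and deserves a sentence in the commit message: cancel_delayed_work_sync(&hdev->cmd_timer) has to run before kfree_skb(hdev->sent_cmd), and it has to be the _sync variant, because the non-waiting cancel_delayed_work() returns even while hci_cmd_timeout() is already executing on another CPU, leaving the handler to read hdev->sent_cmd after the skb has been freed (the use-after-free the cover letter attributes to syzkaller). Since the _sync variant sleeps until the handler has finished, please also confirm that nothing held in hci_dev_open_sync() at this point is a lock hci_cmd_timeout() itself acquires, otherwise the wait could deadlock; the hunk does not show the surrounding locking. A one-line mention of the syzkaller report in the commit message itself (it is currently only in the cover letter) would make the stable backport easier to trace.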
-- 
2.34.1



* [PATCH 4.14/4.19/5.4/5.10/5.15] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: Fedor Pchelkin @ 2023-01-26 13:38 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Fedor Pchelkin, Archie Pusaka, Abhishek Pandit-Subedi,
	Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
	David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
	linux-kernel, Alexey Khoroshilov, lvc-project,
	Luiz Augusto von Dentz

From: Archie Pusaka <apusaka@chromium.org>

commit 97dfaf073f5881c624856ef293be307b6166115c upstream.

If a command is already sent, we take care of freeing it, but we
also need to cancel the timeout as well.

Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
 net/bluetooth/hci_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index a41b4dcf1a7a..cabe8eb4c14f 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1632,6 +1632,7 @@ static int hci_dev_do_open(struct hci_dev *hdev)
 			hdev->flush(hdev);
 
 		if (hdev->sent_cmd) {
+			cancel_delayed_work_sync(&hdev->cmd_timer);
 			kfree_skb(hdev->sent_cmd);
 			hdev->sent_cmd = NULL;
 		}
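Review bot: this is the same one-line change applied to hci_dev_do_open() for the pre-hci_sync branches, so the same ordering argument holds: cancelling the timer synchronously before kfree_skb() is what closes the window in which hci_cmd_timeout() can dereference a freed hdev->sent_cmd. Two things are worth stating in the backport's commit message, which currently reuses the upstream text verbatim: that the function and file differ from upstream (hci_dev_do_open() in net/bluetooth/hci_core.c rather than hci_dev_open_sync() in net/bluetooth/hci_sync.c), and why the upstream commit does not apply as-is, so a stable maintainer does not have to rediscover it. The CI bot's "patch does not apply" result later in this thread is the expected outcome for a backport aimed at 4.14 through 5.15 being tried against the current repository HEAD, not a defect in the hunk. It would also be worth checking that the corresponding close path frees sent_cmd with the same cancel-before-free ordering, so both paths agree.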
-- 
2.34.1



* RE: Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: bluez.test.bot @ 2023-01-26 13:43 UTC (permalink / raw)
  To: linux-bluetooth, pchelkin

[-- Attachment #1: Type: text/plain, Size: 551 bytes --]

This is an automated email; please do not reply to it.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sync.c:4703
error: net/bluetooth/hci_sync.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth



* RE: Bluetooth: hci_sync: cancel cmd_timer if hci_open failed, RE: [4.14/4.19/5.4/5.10/5.15] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: bluez.test.bot @ 2023-01-26 13:43 UTC (permalink / raw)
  To: linux-bluetooth, pchelkin, linux-bluetooth, pchelkin

[-- Attachment #1: Type: text/plain, Size: 551 bytes --]

This is an automated email; please do not reply to it.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_sync.c:4703
error: net/bluetooth/hci_sync.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth


[-- Attachment #2: Type: text/plain, Size: 551 bytes --]

This is an automated email; please do not reply to it.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/hci_core.c:1632
error: net/bluetooth/hci_core.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth



* Re: [PATCH 6.1 0/1] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: Sasha Levin @ 2023-01-27  2:07 UTC (permalink / raw)
  To: Fedor Pchelkin
  Cc: stable, Greg Kroah-Hartman, Archie Pusaka, Abhishek Pandit-Subedi,
	Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
	David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
	linux-kernel, Alexey Khoroshilov, lvc-project

On Thu, Jan 26, 2023 at 04:36:12PM +0300, Fedor Pchelkin wrote:
>Syzkaller reports use-after-free in hci_cmd_timeout(). The bug was fixed
>in the following patch and can be cleanly applied to 6.1 stable tree.
>
>Due to some technical rearrangement, the fix for older stable branches
>requires a different patch which I'll send you in another thread.

Queued up, thanks!

-- 
Thanks,
Sasha

