From: Greg KH <gregkh@linuxfoundation.org>
To: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Cc: stable@vger.kernel.org, sashal@kernel.org,
	Lin Ma <linma@zju.edu.cn>, Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [PATCH for 4.4] bluetooth: eliminate the potential race condition when removing the HCI controller
Date: Mon, 31 May 2021 13:54:34 +0200
Message-ID: <YLTOeqxO5j7DigUU@kroah.com>
In-Reply-To: <20210528085224.1021277-1-nobuhiro1.iwamatsu@toshiba.co.jp>

On Fri, May 28, 2021 at 05:52:24PM +0900, Nobuhiro Iwamatsu wrote:
> From: Lin Ma <linma@zju.edu.cn>
> 
> commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.
> 
> There is a possible race condition vulnerability between issuing a HCI
> command and removing the cont.  Specifically, functions hci_req_sync()
> and hci_dev_do_close() can race each other like below:
> 
> thread-A in hci_req_sync()      |   thread-B in hci_dev_do_close()
>                                 |   hci_req_sync_lock(hdev);
> test_bit(HCI_UP, &hdev->flags); |
> ...                             |   test_and_clear_bit(HCI_UP, &hdev->flags)
> hci_req_sync_lock(hdev);        |
>                                 |
> In this commit we alter the sequence in function hci_req_sync(). Hence,
> the thread-A cannot issue th.
> 
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> Cc: Marcel Holtmann <marcel@holtmann.org>
> Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> [iwamatsu: adjust filename, arguments of __hci_req_sync(). CVE-2021-32399]
> Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
> ---
>  net/bluetooth/hci_core.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)

Now queued up, thanks.

greg k-h
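
The check/lock ordering from the quoted commit message, as an added single-threaded model in C; it is not code from the patch or from the kernel. All struct and function names are hypothetical, the -ENETDOWN return value is an assumption, and the closing thread is modelled as a callback invoked in the window between the request path's two steps.

```c
#include <errno.h>
#include <stdbool.h>

/* Single-threaded model; every name here is hypothetical, not kernel code. */
struct model_dev {
    bool up;              /* stands in for the HCI_UP bit in hdev->flags */
    bool req_locked;      /* stands in for hci_req_sync_lock(hdev) */
    int sent_while_down;  /* requests issued after the device was closed */
};
typedef bool (*window_fn)(struct model_dev *);

/* Thread-B in the diagram. Returns false where the real thread would block. */
static bool model_close(struct model_dev *d)
{
    if (d->req_locked)
        return false;
    d->up = false;        /* lock, clear, unlock collapsed into one step */
    return true;
}

static int model_send(struct model_dev *d)
{
    if (!d->up)
        d->sent_while_down++;  /* a command reached a closed device */
    return 0;
}

/* Order shown in the diagram: test the flag, then take the lock. */
static int req_check_then_lock(struct model_dev *d, window_fn closer)
{
    if (!d->up)
        return -ENETDOWN;
    if (closer)
        closer(d);             /* runs between the check and the lock */
    d->req_locked = true;
    int ret = model_send(d);
    d->req_locked = false;
    return ret;
}

/* Altered order: take the lock first, test the flag while holding it. */
static int req_lock_then_check(struct model_dev *d, window_fn closer)
{
    d->req_locked = true;
    if (closer)
        closer(d);             /* same window, but the closer must wait */
    int ret = d->up ? model_send(d) : -ENETDOWN;
    d->req_locked = false;
    return ret;
}
```

With `model_close` passed as the callback, the first function reports success while `sent_while_down` becomes 1; the second leaves it at 0 and returns -ENETDOWN on any call made after the close has completed.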
