From: Greg KH <gregkh@linuxfoundation.org>
To: xu.xin16@zte.com.cn
Cc: luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org,
marcel@holtmann.org, johan.hedberg@gmail.com,
chen.junlin@zte.com.cn, stable@vger.kernel.org
Subject: Re: [PATCH linux-stable 6.6] Bluetooth: hci_conn: avoid queue when deleting hci connection
Date: Tue, 19 Aug 2025 16:38:14 +0200
Message-ID: <2025081914-steadfast-ruckus-22bd@gregkh>
In-Reply-To: <20250819221605072sYBtQfxeXfCoV3_kHWRry@zte.com.cn>

On Tue, Aug 19, 2025 at 10:16:05PM +0800, xu.xin16@zte.com.cn wrote:
> From: Chen Junlin <chen.junlin@zte.com.cn>
>
> Although the upstream commit 2b0f2fc9ed62 ("Bluetooth: hci_conn:
> Use disable_delayed_work_sync") has fixed the issue CVE-2024-56591, that
> patch depends on the implementation of disable/enable_work() of workqueue
> [1], which are merged into 6.9/6.10 and so on. But for branch linux-6.6,
> there are no such workqueue features.

html marker in a changelog text?

> To solve CVE-2024-56591 without backporting too many feature patches about
> workqueue, we can set a new flag HCI_CONN_DELETE when hci_conn_del() is
> called, and the subsequent queuing of work will be ignored.

How was this tested?

>
> [1] https://lore.kernel.org/all/20240216180559.208276-1-tj@kernel.org/
>
> Signed-off-by: Chen Junlin <chen.junlin@zte.com.cn>
> Signed-off-by: xu xin <xu.xin16@zte.com.cn>

What commit id does this fix? Why only 6.6 for it?

> ---
> include/net/bluetooth/hci_core.h | 8 +++++++-
> net/bluetooth/hci_conn.c | 1 +
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> index 4f067599e6e9..9a3ec55079a1 100644
> --- a/include/net/bluetooth/hci_core.h
> +++ b/include/net/bluetooth/hci_core.h
> @@ -954,6 +954,7 @@ enum {
> HCI_CONN_BIG_SYNC_FAILED,
> HCI_CONN_PA_SYNC,
> HCI_CONN_PA_SYNC_FAILED,
> + HCI_CONN_DELETE,
> };
>
> static inline bool hci_conn_ssp_enabled(struct hci_conn *conn)
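
Review bot: HCI_CONN_DELETE, the new enum entry after HCI_CONN_PA_SYNC_FAILED, has no comment describing its lifecycle. It is meant as a one-way "connection is being torn down" marker rather than an ordinary state bit, so a short comment saying where it is set and that it is never cleared would help. Because the changelog says upstream fixed this with disable_delayed_work_sync instead, it is also worth noting next to the entry that the flag exists only in this 6.6 backport.
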
> @@ -1575,7 +1576,12 @@ static inline void hci_conn_drop(struct hci_conn *conn)
> }
>
> cancel_delayed_work(&conn->disc_work);
> - queue_delayed_work(conn->hdev->workqueue,
> + /*
> + * When HCI_CONN_DELETE is set, the conn is goint to be freed.
> + * Don't queue the work to avoid noisy WARNing about refcnt < 0.
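
Review bot: The new comment in hci_conn_drop() justifies skipping queue_delayed_work() as avoiding a "noisy WARNing about refcnt < 0", which describes a symptom rather than the rule being enforced. State the invariant instead: disc_work must not be queued once HCI_CONN_DELETE is set, because the conn is about to be freed. The cancel_delayed_work() on the context line above does not wait for a work item that is already running, so the comment should also say what prevents a hci_conn_drop() caller that read the flag just before it was set from still queuing disc_work. "goint" should be "going".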

Again, html text in a comment?

How does that happen?

thanks,

greg k-h