[PATCH linux-stable 6.6] Bluetooth: hci_conn: avoid queue when deleting hci connection

[PATCH linux-stable 6.6] Bluetooth: hci_conn: avoid queue when deleting hci connection

[xu.xin16]

From: Chen Junlin <chen.junlin@zte.com.cn>

Although the upstream commit 2b0f2fc9ed62 ("Bluetooth: hci_conn:
Use disable_delayed_work_sync") has fixed the issue CVE-2024-56591, that
patch depends on the implementaion of disable/enable_work() of workqueue
[1], which are merged into 6.9/6.10 and so on. But for branch linux-6.6,
there's no these feature of workqueue.

To solve CVE-2024-56591 without backport too many feature patches about
workqueue, we can set a new flag HCI_CONN_DELETE when hci_conn_dell() is
called, and the subsequent queuing of work will be ignored.

[1] https://lore.kernel.org/all/20240216180559.208276-1-tj@kernel.org/

Signed-off-by: Chen Junlin <chen.junlin@zte.com.cn>
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
---
 include/net/bluetooth/hci_core.h | 8 +++++++-
 net/bluetooth/hci_conn.c         | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 4f067599e6e9..9a3ec55079a1 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -954,6 +954,7 @@ enum {
 	HCI_CONN_BIG_SYNC_FAILED,
 	HCI_CONN_PA_SYNC,
 	HCI_CONN_PA_SYNC_FAILED,
+	HCI_CONN_DELETE,
 };

 static inline bool hci_conn_ssp_enabled(struct hci_conn *conn)
@@ -1575,7 +1576,12 @@ static inline void hci_conn_drop(struct hci_conn *conn)
 		}

 		cancel_delayed_work(&conn->disc_work);
-		queue_delayed_work(conn->hdev->workqueue,
+		/*
+		 * When HCI_CONN_DELETE is set, the conn is goint to be freed.
+		 * Don't queue the work to avoid noisy WARNing about refcnt < 0.
+		 */
+		if (!test_bit(HCI_CONN_DELETE, &conn->flags))
+			queue_delayed_work(conn->hdev->workqueue,
 				   &conn->disc_work, timeo);
 	}
 }
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 549ee9e87d63..67a6513bb01c 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1112,6 +1112,7 @@ void hci_conn_del(struct hci_conn *conn)

 	hci_conn_unlink(conn);

+	set_bit(HCI_CONN_DELETE, &conn->flags);
 	cancel_delayed_work_sync(&conn->disc_work);
 	cancel_delayed_work_sync(&conn->auto_accept_work);
 	cancel_delayed_work_sync(&conn->idle_work);
-- 
2.15.2

RE: [linux-stable,6.6] Bluetooth: hci_conn: avoid queue when deleting hci connection

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: include/net/bluetooth/hci_core.h:954
error: include/net/bluetooth/hci_core.h: patch does not apply
error: patch failed: net/bluetooth/hci_conn.c:1112
error: net/bluetooth/hci_conn.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth