* (no subject)
@ 2025-03-02 9:57 Takashi Iwai
0 siblings, 0 replies; only message in thread
From: Takashi Iwai @ 2025-03-02 9:57 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, linux-kernel
Hi Luiz,
due to the CVE assignment, I stumbled on the recent fix for BT
hci_core, the commit 4d94f0555827 ("Bluetooth: hci_core: Fix sleeping
function called from invalid context"), and wonder whether it's really
safe.
As already asked question at the patch review:
https://patchwork.kernel.org/comment/26147087/
the code allows the callbacks to be called even after
hci_unregister_cb() returns.
Your assumption was that it's never called without the module removal,
but isn't hci_unregister_cb() also called from iso_exit() which can be
triggered via set_iso_socket_func() in mgmt.c? Also, any 3rd party
module could call hci_unregister_cb() in a wild way, too -- even if
the function still remains, it doesn't mean that you can call it
safely if the caller already assumes it being unregistered.
In addition to that, I feel what the patch does as a bit too
heavy-lifting: it does kmalloc() and copy the whole hci_cb object,
which isn't quite small for each. If the callback is still safe to
call after RCU protection, you may just keep the hci_cb pointer
instead of copying the whole content, too?
I couldn't find v1 patch in the patchwork, so not sure whether this
has been already discussed. If so, let me know.
Thanks!
Takashi
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2025-03-02 9:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-02 9:57 Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox