* [PATCH 6.1 0/1] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
@ 2023-01-26 13:36 Fedor Pchelkin
From: Fedor Pchelkin @ 2023-01-26 13:36 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: Fedor Pchelkin, Archie Pusaka, Abhishek Pandit-Subedi,
Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
linux-kernel, Alexey Khoroshilov, lvc-project
Syzkaller reports a use-after-free in hci_cmd_timeout(). The bug was fixed
in the following patch, which can be cleanly applied to the 6.1 stable tree.
Due to some technical rearrangement, the fix for older stable branches
requires a different patch which I'll send you in another thread.
* [PATCH 6.1 1/1] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: Fedor Pchelkin @ 2023-01-26 13:36 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: Fedor Pchelkin, Archie Pusaka, Abhishek Pandit-Subedi,
Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
linux-kernel, Alexey Khoroshilov, lvc-project,
Luiz Augusto von Dentz
From: Archie Pusaka <apusaka@chromium.org>
commit 97dfaf073f5881c624856ef293be307b6166115c upstream.
If a command is already sent, we take care of freeing it, but we
also need to cancel the timeout as well.
Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
net/bluetooth/hci_sync.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 8d6c8cbfe1de..aab3d85f4637 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -4703,6 +4703,7 @@ int hci_dev_open_sync(struct hci_dev *hdev)
hdev->flush(hdev);
if (hdev->sent_cmd) {
+ cancel_delayed_work_sync(&hdev->cmd_timer);
kfree_skb(hdev->sent_cmd);
hdev->sent_cmd = NULL;
}
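Review bot: the new `cancel_delayed_work_sync(&hdev->cmd_timer);` sits before `kfree_skb(hdev->sent_cmd);`, which is the correct order: the `_sync` variant waits for an already-running `hci_cmd_timeout()` to return before continuing, so the timer handler can no longer observe `hdev->sent_cmd` after the skb has been freed, which is the use-after-free the cover letter reports. Plain `cancel_delayed_work()` would not give that guarantee, so this should stay the `_sync` form even though it can sleep. Since the two lines are now order-dependent, a one-line comment above the call noting that the command timer must be stopped before the sent skb is released would help keep a future cleanup from reordering them.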
--
2.34.1
* Re: [PATCH 6.1 0/1] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
From: Sasha Levin @ 2023-01-27 2:07 UTC (permalink / raw)
To: Fedor Pchelkin
Cc: stable, Greg Kroah-Hartman, Archie Pusaka, Abhishek Pandit-Subedi,
Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
David S. Miller, Jakub Kicinski, linux-bluetooth, netdev,
linux-kernel, Alexey Khoroshilov, lvc-project
On Thu, Jan 26, 2023 at 04:36:12PM +0300, Fedor Pchelkin wrote:
>Syzkaller reports use-after-free in hci_cmd_timeout(). The bug was fixed
>in the following patch and can be cleanly applied to 6.1 stable tree.
>
>Due to some technical rearrangement, the fix for older stable branches
>requires a different patch which I'll send you in another thread.
Queued up, thanks!
--
Thanks,
Sasha