public inbox for stable@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: "Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)" 
	<deeratho@cisco.com>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
Date: Mon, 11 Sep 2023 15:23:06 +0200
Message-ID: <2023091116-disband-modulator-e451@gregkh>
In-Reply-To: <DM4PR11MB61891026BF701EB7254CECF4C4F2A@DM4PR11MB6189.namprd11.prod.outlook.com>

On Mon, Sep 11, 2023 at 01:17:47PM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> -----Original Message-----
> From: Greg KH <gregkh@linuxfoundation.org> 
> Sent: Monday, September 11, 2023 1:56 AM
> To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com>
> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
> 
> On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote:
> > From: Zheng Wang <zyytlz.wz@163.com>
> > 
> > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
> > 
> > In btsdio_probe, the data->work is bound with btsdio_work. It will be 
> > started in btsdio_send_frame.
> > 
> > If the btsdio_remove runs with an unfinished work, there may be a race 
> > condition in which hdev is freed but still used in btsdio_work. Fix it by 
> > canceling the work before doing cleanup in btsdio_remove.
> > 
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> 
> > Meta-comment, are you SURE you want this applied?  If so, why was it reverted upstream in 6.4 in commit db2bf510bd5d ("Revert "Bluetooth:
> > btsdio: fix use after free bug in btsdio_remove due to unfinished
> > work"")
> 
> > What testing did you do that determined this should be added to the tree?  How did you come up with just this one commit to be requested to be applied to just this one branch?
> 
> > thanks,
> 
> > greg k-h-
> 
> Hi Greg,
> 
> Yes, I am sure that this fix should be applied to the v6.1 stable branch. Our CVERT tool reported kernel CVE-2023-1989 on the v6.1 kernel, and this fix is also missing from upstream kernel v6.1.

I have no idea what a CVERT tool is, only that you can almost guarantee
that it will not work well for kernel cves given the way that cves are
broken for the kernel.  But good luck with it!  :)

> In the reverted upstream commit db2bf510bd5d ("Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work""), it is clearly mentioned that this commit db2bf510bd5d is causing a null-ptr-deref problem and that the bug fixed by this patch has been resolved by another commit, 73f7b171b7c0. I have backported the same commit 73f7b171b7c0 and sent it for review. Please see the below commit message of commit db2bf510bd5d:

So, can you verify that the latest 6.1.y released kernel is correct now?

thanks,

greg k-h
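The following is an added illustration, not part of this thread and not code from the kernel tree: a constructed, single-threaded C model of the ordering problem the quoted commit message describes. The driver-style names (hci_dev, btsdio_data, btsdio_work, cancel_work_sync, INIT_WORK) are borrowed for readability only; the "workqueue" is a one-slot pending list that is drained explicitly to stand in for the worker thread being scheduled late, and kfree() is modelled by poisoning the object the way slab debugging does, so the use-after-free shows up as a checkable flag instead of undefined behaviour. The two remove variants differ only in whether the work is cancelled before hdev is torn down.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the btsdio_remove ordering bug, not kernel code. Names
 * mirror the driver; the "workqueue" is a one-slot pending list drained
 * explicitly, and kfree() is modelled by poisoning the object (as slab
 * debugging does) so the use-after-free becomes a checkable flag, not a crash. */

#define HDEV_MAGIC  0x48444556u  /* object is live */
#define HDEV_POISON 0x6b6b6b6bu  /* freed-object pattern, like SLUB's 0x6b */

struct hci_dev { unsigned int magic; int frames_sent; };
struct work_struct { void (*func)(struct work_struct *work); };
struct btsdio_data {
	struct hci_dev *hdev;
	struct work_struct work;
	int uaf_detected;	/* instrumentation: work touched a freed hdev */
};

static struct work_struct *pending_work;	/* toy workqueue: one slot */

static void schedule_work(struct work_struct *work) { pending_work = work; }

/* The worker thread finally gets CPU time and runs the queued item. */
static void run_pending_work(void)
{
	struct work_struct *work = pending_work;
	if (!work) return;
	pending_work = NULL;
	work->func(work);
}

/* Drops a still-queued item; the real cancel_work_sync() also waits for one
 * that is mid-execution. Either way nothing runs against hdev afterwards. */
static void cancel_work_sync(struct work_struct *work)
{
	if (pending_work == work) pending_work = NULL;
}

static struct hci_dev *hci_alloc_dev(void)
{
	struct hci_dev *hdev = calloc(1, sizeof(*hdev));
	hdev->magic = HDEV_MAGIC;
	return hdev;
}

/* Models kfree(): poison now; scenario() releases the memory at the end. */
static void hci_free_dev(struct hci_dev *hdev) { hdev->magic = HDEV_POISON; }

/* Deferred work: recovers its btsdio_data container_of()-style, then uses hdev. */
static void btsdio_work(struct work_struct *work)
{
	struct btsdio_data *data = (struct btsdio_data *)
		((char *)work - offsetof(struct btsdio_data, work));
	if (data->hdev->magic != HDEV_MAGIC) {
		data->uaf_detected = 1;	/* what KASAN would flag */
		return;
	}
	data->hdev->frames_sent++;
}

static struct btsdio_data *btsdio_probe(void)
{
	struct btsdio_data *data = calloc(1, sizeof(*data));
	data->hdev = hci_alloc_dev();
	data->work.func = btsdio_work;	/* INIT_WORK(&data->work, btsdio_work) */
	return data;
}

static void btsdio_send_frame(struct btsdio_data *data) { schedule_work(&data->work); }

/* Pre-fix ordering: hdev freed while the work may still be queued. */
static void btsdio_remove_unfixed(struct btsdio_data *data) { hci_free_dev(data->hdev); }

/* Fixed ordering: cancel the work before tearing anything down. */
static void btsdio_remove_fixed(struct btsdio_data *data)
{
	cancel_work_sync(&data->work);
	hci_free_dev(data->hdev);
}

/* probe, queue one frame, remove, then let the worker run late.
 * Returns 1 if the work dereferenced a freed hdev, 0 otherwise. */
static int scenario(void (*remove_fn)(struct btsdio_data *))
{
	struct btsdio_data *data = btsdio_probe();
	int uaf;
	btsdio_send_frame(data);	/* work queued, worker not yet scheduled */
	remove_fn(data);		/* device goes away underneath it */
	run_pending_work();		/* worker runs after remove returned */
	uaf = data->uaf_detected;
	free(data->hdev);
	free(data);
	return uaf;
}

int main(void)
{
	printf("unfixed remove: %s\n", scenario(btsdio_remove_unfixed) ? "work used freed hdev" : "ok");
	printf("fixed remove:   %s\n", scenario(btsdio_remove_fixed) ? "work used freed hdev" : "ok");
	return 0;
}
```

The model deliberately makes the worker run only after remove has returned, which is the worst-case scheduling the commit message worries about; in a real system the window is timing dependent, which is why the bug reproduces inconsistently and why cancelling the work first, rather than relying on timing, is the correct fix.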


Thread overview: 16+ messages
2023-09-06 12:15 [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition Deepak Rathore
2023-09-06 12:20 ` kernel test robot
2023-09-07 10:16 ` Greg KH
2023-09-08  4:18   ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-08  6:06     ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-08  6:48       ` Greg KH
2023-09-08  6:54         ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-08  7:08           ` Greg KH
2023-09-09  8:49             ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-09 11:22               ` Salvatore Bonaccorso
2023-09-09 11:47               ` Greg KH
2023-09-10  6:25                 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-10  6:59                   ` Greg KH
2023-09-10 20:25 ` Greg KH
2023-09-11 13:17   ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-11 13:23     ` Greg KH [this message]
