From: Salvatore Bonaccorso <carnil@debian.org>
To: "Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)"
<deeratho@cisco.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
Date: Sat, 9 Sep 2023 13:22:01 +0200
Message-ID: <ZPxVWVEfGnsoLeDc@eldamar.lan>
In-Reply-To: <DM4PR11MB61897793502F49240BCA903CC4ECA@DM4PR11MB6189.namprd11.prod.outlook.com>
On Sat, Sep 09, 2023 at 08:49:52AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> -----Original Message-----
> From: Greg KH <gregkh@linuxfoundation.org>
> Sent: Friday, September 8, 2023 12:39 PM
> To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com>
> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
>
> > A: http://en.wikipedia.org/wiki/Top_post
> > Q: Where do I find info about this thing called top-posting?
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > A: Top-posting.
> > Q: What is the most annoying thing in e-mail?
>
> > A: No.
> > Q: Should I include quotations after my reply?
>
>
> > http://daringfireball.net/2007/07/on_top
>
> On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> > Hi Greg,
> >
> > This change is required to fix kernel CVE-2023-1989, which is
> > reported in the v6.1 kernel version.
>
> > Which change?
>
> [Deepak]: I am referring to the change below. This change is required to fix kernel CVE-2023-1989, which is reported in the v6.1 kernel.
>
> Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
>
> From: Zheng Wang <zyytlz.wz@163.com>
>
> [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
>
> If btsdio_remove runs with an unfinished work, there may be a race condition where hdev is freed but used in btsdio_work. Fix it by canceling the work before doing cleanup in btsdio_remove.
>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
>
> diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644
> --- a/drivers/bluetooth/btsdio.c
> +++ b/drivers/bluetooth/btsdio.c
> @@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func)
> if (!data)
> return;
>
> + cancel_work_sync(&data->work);
> hdev = data->hdev;
>
> sdio_set_drvdata(func, NULL);
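Review bot: as quoted here the patch is whitespace-damaged (the `diff --git` header and its `index` line are run together on one line, and the context lines have lost their indentation), so it would not apply with `git am` from this message; send it unquoted with `git send-email` rather than pasted into a reply. The placement in the hunk is the right one: `cancel_work_sync(&data->work);` sits after the `if (!data) return;` check and before `hdev = data->hdev;` and `sdio_set_drvdata(func, NULL);`, so the work is drained while both `data` and `hdev` are still valid. Note also the reply below: this change is already in the 6.1.y tree as 179c65828593aff1f444e15debd40a477cb23cf4 and released in v6.1.52, so the backport should be checked against that tree before resending.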
> --
> 2.35.6
>
>
> > It is fixed upstream starting from the v6.3 kernel version and is
> > required to be fixed in the 6.1 kernel version as well, so we have
> > backported this from the v6.3 kernel version to v6.1, and I have sent
> > this patch for review and merging.
>
> > Again, what commit are you referring to here?
>
> > confused,
>
> > greg k-h
>
> [Deepak]: Sorry for the inconvenience that my message did not provide all the details.
> The kernel CVE-2023-1989 is fixed upstream with this commit: https://github.com/torvalds/linux/commit/73f7b171b7c09139eb3c6a5677c200dc1be5f318
> starting from the v6.3 kernel, and we have to fix this in the 6.1 kernel as well, so we have backported this from the v6.3 kernel version to the v6.1 kernel.
This change was already backported to 6.1.y and released in v6.1.52?
It is commit 179c65828593aff1f444e15debd40a477cb23cf4.
Regards,
Salvatore
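The race the quoted commit message describes, as an added user-space model that is neither the patch nor the kernel's own code: a work item runs on its own thread the way `data->work` runs `btsdio_work` on a workqueue, and `run_scenario()` (a name assumed here) shows that only the remove path that drains the work before releasing `hdev` lets the work observe a live device. The model poisons the freed pointer to NULL so the stale access is observable rather than undefined behaviour.

```c
/* Added example, not the patch's or the kernel's code: a user-space model of
 * the btsdio ordering bug, with pthreads standing in for the kernel workqueue. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>
struct hci_dev { int tx_count; };
struct work { pthread_t thread; int queued; void (*fn)(struct work *); };
struct btsdio_data {
    struct hci_dev *hdev;
    struct work work;
    atomic_int gate;     /* model only: the harness decides when the work touches hdev */
    int saw_valid_hdev;  /* model only: records what the work observed */
};
static void *work_thread(void *arg) { struct work *w = arg; w->fn(w); return NULL; }
static void schedule_work(struct work *w) {   /* stands in for kernel schedule_work() */
    if (w->queued) return;
    w->queued = 1;
    pthread_create(&w->thread, NULL, work_thread, w);
}
static void cancel_work_sync(struct work *w) { /* waits until a queued work has run */
    if (!w->queued) return;
    pthread_join(w->thread, NULL);
    w->queued = 0;
}
static void btsdio_work(struct work *w) {
    struct btsdio_data *data = (void *)((char *)w - offsetof(struct btsdio_data, work));
    while (!atomic_load(&data->gate)) sched_yield();
    /* The driver dereferences data->hdev here. The model poisons the pointer to
     * NULL on remove so a stale access is observable instead of undefined. */
    if (data->hdev) { data->hdev->tx_count++; data->saw_valid_hdev = 1; }
}
static void btsdio_remove(struct btsdio_data *data, int with_fix) {
    if (with_fix) cancel_work_sync(&data->work);  /* the one-line upstream fix */
    struct hci_dev *hdev = data->hdev;
    data->hdev = NULL;           /* real driver: hci_unregister_dev + hci_free_dev */
    free(hdev);
}
/* Returns 1 if the work saw a live hdev, 0 if remove() released it first. */
int run_scenario(int with_fix) {
    struct btsdio_data data = { .hdev = calloc(1, sizeof *data.hdev), .work.fn = btsdio_work };
    schedule_work(&data.work);                  /* as btsdio_send_frame() would */
    if (with_fix) atomic_store(&data.gate, 1);  /* work may run; remove() still has to wait for it */
    btsdio_remove(&data, with_fix);
    atomic_store(&data.gate, 1);                /* without the fix the work now runs against a gone hdev */
    cancel_work_sync(&data.work);               /* harness cleanup: join the thread either way */
    return data.saw_valid_hdev;
}
```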
Thread overview: 16+ messages
2023-09-06 12:15 [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition Deepak Rathore
2023-09-06 12:20 ` kernel test robot
2023-09-07 10:16 ` Greg KH
2023-09-08 4:18 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-08 6:06 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-08 6:48 ` Greg KH
2023-09-08 6:54 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-08 7:08 ` Greg KH
2023-09-09 8:49 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-09 11:22 ` Salvatore Bonaccorso [this message]
2023-09-09 11:47 ` Greg KH
2023-09-10 6:25 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-10 6:59 ` Greg KH
2023-09-10 20:25 ` Greg KH
2023-09-11 13:17 ` Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
2023-09-11 13:23 ` Greg KH