RE: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
From: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
Date: Sat Sep 09 2023 - 04:49:59 EST
-----Original Message-----
From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, September 8, 2023 12:39 PM
To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
> A: http://en.wikipedia.org/wiki/Top_post
> Q: Were do I find info about this thing called top-posting?
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> A: No.
> Q: Should I include quotations after my reply?
> http://daringfireball.net/2007/07/on_top
On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> Hi Greg,
>
> This change is required to fix kernel CVE: CVE-2023-1989 which is
> reported in v6.1 kernel version.
> Which change?
[Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel.
Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
From: Zheng Wang <zyytlz.wz@xxxxxxx>
[ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Deepak Rathore <deeratho@xxxxxxxxx>
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644
--- a/drivers/bluetooth/btsdio.c
+++ b/drivers/bluetooth/btsdio.c
@@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func)
if (!data)
return;
+ cancel_work_sync(&data->work);
hdev = data->hdev;
sdio_set_drvdata(func, NULL);
--
2.35.6
> It is fixed in upstream starting from v6.3 kernel version and required
> to fix in 6.1 kernel version as well so we have backported this from
> v6.3 kernel version to v6.1 and I have sent this patch for review and
> merging.
> Again, what commit are you referring to here.
> confused,
> greg k-h
[Deepak]: Sorry for the inconvenience that my message did not provide all the details.
The kernel CVE: CVE-2023-1989 is fixed in upstream with this commit: https://github.com/torvalds/linux/commit/73f7b171b7c09139eb3c6a5677c200dc1be5f318
Starting from v6.3 kernel and we have to fix this in 6.1 kernel as well, so we have backported this from v6.3 kernel version to v6.1 kernel.
Regards,
Deepak