RE: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

From: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
Date: Mon Sep 11 2023 - 18:24:49 EST


-----Original Message-----
From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Sent: Monday, September 11, 2023 1:56 AM
To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote:
> From: Zheng Wang <zyytlz.wz@xxxxxxx>
>
> [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> In btsdio_probe, the data->work is bound with btsdio_work. It will be
> started in btsdio_send_frame.
>
> If the btsdio_remove runs with a unfinished work, there may be a race
> condition that hdev is freed but used in btsdio_work. Fix it by
> canceling the work before do cleanup in btsdio_remove.
>
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> Signed-off-by: Deepak Rathore <deeratho@xxxxxxxxx>

> Meta-comment, are you SURE you want this applied? If so, why was it reverted upstream in 6.4 in commit db2bf510bd5d ("Revert "Bluetooth:
> btsdio: fix use after free bug in btsdio_remove due to unfinished
> work"")

> What testing did you do that determined this should be added to the tree? How did you come up with just this one commit to be requested to be applied to just this one branch?

> thanks,

> greg k-h-

Hi Greg,

Yes. I am sure that this fix should be applied to the v6.1 stable branch. Our CVERT tool reported kernel CVE CVE-2023-1989 on the v6.1 kernel, and this fix is also missing from the upstream v6.1 kernel.

In the reverted upstream commit db2bf510bd5d ("Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work""), it is clearly mentioned that this commit db2bf510bd5d was causing a null-ptr-def problem, and that the bug fixed by this patch has been resolved by another commit, 73f7b171b7c0. I have backported the same commit 73f7b171b7c0 and sent it for review. Please see the commit message of commit db2bf510bd5d below:

git show db2bf510bd5d
commit db2bf510bd5d57f064d9e1db395ed86a08320c54
Author: Liu Jian <liujian56@xxxxxxxxxx>
Date: Fri Apr 14 18:30:06 2023 +0800

Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"

This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.

This patch introduces a possible null-ptr-def problem. Revert it. And the
fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth:
btsdio: fix use after free bug in btsdio_remove due to race condition").

Fixes: 1e9ac114c442 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work")
Signed-off-by: Liu Jian <liujian56@xxxxxxxxxx>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

After backporting, I have verified the build for the x86 architecture at my end, and it succeeds.

- Deepak
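The race described in the patch description above (a work item bound in probe, kicked from send_frame, and a remove path that frees the device while that work may still run) modelled in userland C. This is an added example and is not the btsdio driver's code or the backported patch: a pthread plus a stop flag stands in for the kernel's work_struct and cancel_work_sync(), the btsdio_* names are borrowed from the description, and the struct fields, the buggy/fixed remove pair and demo_fixed_remove() are assumptions made for illustration.

```c
/* Added example: userland model of the btsdio remove-vs-work race.
 * Not kernel code; pthreads stand in for the workqueue API. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>

/* Stand-ins for the kernel's hci_dev and the driver's private data. */
struct hci_dev { unsigned long frames_sent; };

struct btsdio_data {
    struct hci_dev *hdev;       /* object the deferred work dereferences */
    pthread_t work_thread;      /* stand-in for data->work */
    pthread_mutex_t lock;
    bool work_started;
    bool stop;                  /* set by the cancel_work_sync() analogue */
    unsigned int queued;        /* frames waiting for the worker */
};

/* Stand-in for btsdio_work(): runs asynchronously and touches data->hdev. */
static void *btsdio_work(void *arg)
{
    struct btsdio_data *data = arg;

    for (;;) {
        pthread_mutex_lock(&data->lock);
        while (data->queued) {
            data->hdev->frames_sent++;  /* UAF if hdev was already freed */
            data->queued--;
        }
        if (data->stop) {
            pthread_mutex_unlock(&data->lock);
            return NULL;
        }
        pthread_mutex_unlock(&data->lock);
        usleep(1000);                   /* idle until more frames arrive */
    }
}

/* Stand-in for btsdio_probe(): allocates hdev and binds the work. */
static struct btsdio_data *btsdio_probe(void)
{
    struct btsdio_data *data = calloc(1, sizeof(*data));
    if (!data)
        return NULL;
    data->hdev = calloc(1, sizeof(*data->hdev));
    if (!data->hdev) {
        free(data);
        return NULL;
    }
    pthread_mutex_init(&data->lock, NULL);
    return data;
}

/* Stand-in for btsdio_send_frame(): queues a frame and starts the work. */
static int btsdio_send_frame(struct btsdio_data *data)
{
    pthread_mutex_lock(&data->lock);
    data->queued++;
    pthread_mutex_unlock(&data->lock);

    if (!data->work_started) {
        if (pthread_create(&data->work_thread, NULL, btsdio_work, data))
            return -1;
        data->work_started = true;
    }
    return 0;
}

/* Buggy remove(): frees hdev while the work may still run. Shown for
 * contrast only; it is never called here because the result is a UAF. */
static void btsdio_remove_buggy(struct btsdio_data *data)
{
    free(data->hdev);
    free(data);
}

/* Fixed remove(): stop and wait for the work (cancel_work_sync analogue)
 * before releasing anything it references. Returns the frames the worker
 * completed before teardown so the ordering can be checked. */
static unsigned long btsdio_remove_fixed(struct btsdio_data *data)
{
    unsigned long done;

    if (data->work_started) {
        pthread_mutex_lock(&data->lock);
        data->stop = true;
        pthread_mutex_unlock(&data->lock);
        pthread_join(data->work_thread, NULL);
    }
    done = data->hdev->frames_sent;
    pthread_mutex_destroy(&data->lock);
    free(data->hdev);
    free(data);
    return done;
}

/* Queue n frames, then remove the device with the fixed ordering.
 * Every queued frame is processed before hdev is freed, so this returns n. */
unsigned long demo_fixed_remove(unsigned int n)
{
    struct btsdio_data *data = btsdio_probe();
    if (!data)
        return 0;
    for (unsigned int i = 0; i < n; i++)
        btsdio_send_frame(data);
    return btsdio_remove_fixed(data);
}

int main(void)
{
    (void)btsdio_remove_buggy;          /* referenced only, never run */
    return demo_fixed_remove(8) == 8 ? 0 : 1;
}
```

The point the kernel patch makes is the ordering in the fixed variant: whatever can still dereference the device (here the worker, in the driver the work item) is cancelled and waited for before the device is freed. The buggy variant is kept only to show the missing step; with a sanitizer such as ASan the worker's access to hdev after free() is the report a reviewer would expect.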