-----Original Message----- From: Greg KH gregkh@linuxfoundation.org Sent: Friday, September 8, 2023 12:39 PM To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) deeratho@cisco.com Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
A: http://en.wikipedia.org/wiki/Top_post Q: Were do I find info about this thing called top-posting? A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
A: No. Q: Should I include quotations after my reply?
On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
Hi Greg,
This change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel version.
Which change?
[Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel.
Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
From: Zheng Wang zyytlz.wz@163.com
[ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
Signed-off-by: Zheng Wang zyytlz.wz@163.com Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com Signed-off-by: Deepak Rathore deeratho@cisco.com
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644 --- a/drivers/bluetooth/btsdio.c +++ b/drivers/bluetooth/btsdio.c @@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func) if (!data) return;
+ cancel_work_sync(&data->work); hdev = data->hdev;
sdio_set_drvdata(func, NULL); -- 2.35.6
It is fixed in upstream starting from v6.3 kernel version and required to fix in 6.1 kernel version as well so we have backported this from v6.3 kernel version to v6.1 and I have sent this patch for review and merging.
Again, what commit are you referring to here.
confused,
greg k-h
[Deepak]: Sorry for the inconvenience that my message did not provide all the details. The kernel CVE: CVE-2023-1989 is fixed in upstream with this commit: https://github.com/torvalds/linux/commit/73f7b171b7c09139eb3c6a5677c200dc1be... Starting from v6.3 kernel and we have to fix this in 6.1 kernel as well, so we have backported this from v6.3 kernel version to v6.1 kernel.
Regards, Deepak