On Fri, May 28, 2021 at 05:52:24PM +0900, Nobuhiro Iwamatsu wrote:
From: Lin Ma linma@zju.edu.cn
commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.
There is a possible race condition vulnerability between issuing a HCI command and removing the cont. Specifically, functions hci_req_sync() and hci_dev_do_close() can race each other like below:
thread-A in hci_req_sync() | thread-B in hci_dev_do_close() | hci_req_sync_lock(hdev); test_bit(HCI_UP, &hdev->flags); | ... | test_and_clear_bit(HCI_UP, &hdev->flags) hci_req_sync_lock(hdev); | | In this commit we alter the sequence in function hci_req_sync(). Hence, the thread-A cannot issue th.
Signed-off-by: Lin Ma linma@zju.edu.cn Cc: Marcel Holtmann marcel@holtmann.org Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy") Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [iwamatsu: adjust filename, arguments of __hci_req_sync(). CVE-2021-32399] Signed-off-by: Nobuhiro Iwamatsu nobuhiro1.iwamatsu@toshiba.co.jp
net/bluetooth/hci_core.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
Now queued up, thanks.
greg k-h