5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Feb 2026 12:34:12 +0000 (13:34 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 Feb 2026 12:34:12 +0000 (13:34 +0100)
added patches:
bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
iommu-disable-sva-when-config_x86-is-set.patch

queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch [new file with mode: 0644]
queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch b/queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
new file mode 100644 (file)
index 0000000..940ca3b
--- /dev/null
@@ -0,0 +1,164 @@
+From 7f7cfcb6f0825652973b780f248603e23f16ee90 Mon Sep 17 00:00:00 2001
+From: Pauli Virtanen <pav@iki.fi>
+Date: Mon, 19 Jun 2023 01:04:32 +0300
+Subject: Bluetooth: hci_event: call disconnect callback before deleting conn
+
+From: Pauli Virtanen <pav@iki.fi>
+
+commit 7f7cfcb6f0825652973b780f248603e23f16ee90 upstream.
+
+In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
+
+ISO, L2CAP and SCO connections refer to the hci_conn without
+hci_conn_get, so disconn_cfm must be called so they can clean up their
+conn, otherwise use-after-free occurs.
+
+ISO:
+==========================================================
+iso_sock_connect:880: sk 00000000eabd6557
+iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
+...
+iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
+hci_dev_put:1487: hci0 orig refcnt 17
+__iso_chan_add:214: conn 00000000b6251073
+iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
+...
+hci_rx_work:4085: hci0 Event packet
+hci_event_packet:7601: hci0: event 0x0f
+hci_cmd_status_evt:4346: hci0: opcode 0x0406
+hci_cs_disconnect:2760: hci0: status 0x0c
+hci_sent_cmd_data:3107: hci0 opcode 0x0406
+hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
+hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
+hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
+hci_chan_list_flush:2780: hcon 000000001696f1fd
+hci_dev_put:1487: hci0 orig refcnt 21
+hci_dev_put:1487: hci0 orig refcnt 20
+hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
+... <no iso_* activity on sk/conn> ...
+iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
+BUG: kernel NULL pointer dereference, address: 0000000000000668
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
+==========================================================
+
+L2CAP:
+==================================================================
+hci_cmd_status_evt:4359: hci0: opcode 0x0406
+hci_cs_disconnect:2760: hci0: status 0x0c
+hci_sent_cmd_data:3085: hci0 opcode 0x0406
+hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
+hci_conn_unlink:1102: hci0: hcon ffff88800c999000
+hci_chan_list_flush:2780: hcon ffff88800c999000
+hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
+...
+BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
+Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
+
+CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5b/0x90
+ print_report+0xcf/0x670
+ ? __virt_addr_valid+0xf8/0x180
+ ? hci_send_acl+0x2d/0x540 [bluetooth]
+ kasan_report+0xa8/0xe0
+ ? hci_send_acl+0x2d/0x540 [bluetooth]
+ hci_send_acl+0x2d/0x540 [bluetooth]
+ ? __pfx___lock_acquire+0x10/0x10
+ l2cap_chan_send+0x1fd/0x1300 [bluetooth]
+ ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
+ ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
+ ? lock_release+0x1d5/0x3c0
+ ? mark_held_locks+0x1a/0x90
+ l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
+ sock_write_iter+0x275/0x280
+ ? __pfx_sock_write_iter+0x10/0x10
+ ? __pfx___lock_acquire+0x10/0x10
+ do_iter_readv_writev+0x176/0x220
+ ? __pfx_do_iter_readv_writev+0x10/0x10
+ ? find_held_lock+0x83/0xa0
+ ? selinux_file_permission+0x13e/0x210
+ do_iter_write+0xda/0x340
+ vfs_writev+0x1b4/0x400
+ ? __pfx_vfs_writev+0x10/0x10
+ ? __seccomp_filter+0x112/0x750
+ ? populate_seccomp_data+0x182/0x220
+ ? __fget_light+0xdf/0x100
+ ? do_writev+0x19d/0x210
+ do_writev+0x19d/0x210
+ ? __pfx_do_writev+0x10/0x10
+ ? mark_held_locks+0x1a/0x90
+ do_syscall_64+0x60/0x90
+ ? lockdep_hardirqs_on_prepare+0x149/0x210
+ ? do_syscall_64+0x6c/0x90
+ ? lockdep_hardirqs_on_prepare+0x149/0x210
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7ff45cb23e64
+Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
+RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
+RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
+R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
+R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
+ </TASK>
+
+Allocated by task 771:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ __kasan_kmalloc+0xaa/0xb0
+ hci_chan_create+0x67/0x1b0 [bluetooth]
+ l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
+ l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
+ hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
+ hci_event_packet+0x38d/0x800 [bluetooth]
+ hci_rx_work+0x287/0xb20 [bluetooth]
+ process_one_work+0x4f7/0x970
+ worker_thread+0x8f/0x620
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x2c/0x50
+
+Freed by task 771:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ kasan_save_free_info+0x2e/0x50
+ ____kasan_slab_free+0x169/0x1c0
+ slab_free_freelist_hook+0x9e/0x1c0
+ __kmem_cache_free+0xc0/0x310
+ hci_chan_list_flush+0x46/0x90 [bluetooth]
+ hci_conn_cleanup+0x7d/0x330 [bluetooth]
+ hci_cs_disconnect+0x35d/0x530 [bluetooth]
+ hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
+ hci_event_packet+0x38d/0x800 [bluetooth]
+ hci_rx_work+0x287/0xb20 [bluetooth]
+ process_one_work+0x4f7/0x970
+ worker_thread+0x8f/0x620
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x2c/0x50
+==================================================================
+
+Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect")
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2373,6 +2373,9 @@ static void hci_cs_disconnect(struct hci
+                       hci_req_reenable_advertising(hdev);
+               }
++              /* Inform sockets conn is gone before we delete it */
++              hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
++
+               /* If the disconnection failed for any reason, the upper layer
+                * does not retry to disconnect in current implementation.
+                * Hence, we need to do some basic cleanup here and re-enable
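Review bot: The backport carries no bracketed note describing how it was adjusted for 5.15, even though the hunk's context differs from the upstream commit: the new `hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);` is placed under `hci_req_reenable_advertising(hdev);`, whereas upstream hci_cs_disconnect at 7f7cfcb6f082 calls `hci_enable_advertising()` at that point (from memory, please verify), and the ISO socket layer that the description cites does not exist in 5.15, so only the L2CAP and SCO `disconn_cfm` callbacks are reached by this change. A one-line note above the backporter's Signed-off-by, e.g. `[ Adjusted context: 5.15 uses hci_req_reenable_advertising(); ISO is not in this tree, the L2CAP/SCO use-after-free paths are the ones fixed ]`, would document this for stable reviewers, in the same way the iommu patch queued alongside annotates its context change. hci_cs_disconnect itself starts and ends outside the hunk, and the `hci_conn_del(conn)` call that the new callback must precede is below the visible context, so please confirm nothing else dereferences `conn` between the two in the 5.15 body.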
diff --git a/queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch b/queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch
new file mode 100644 (file)
index 0000000..a344e21
--- /dev/null
@@ -0,0 +1,111 @@
+From 72f98ef9a4be30d2a60136dd6faee376f780d06c Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Wed, 22 Oct 2025 16:26:27 +0800
+Subject: iommu: disable SVA when CONFIG_X86 is set
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 72f98ef9a4be30d2a60136dd6faee376f780d06c upstream.
+
+Patch series "Fix stale IOTLB entries for kernel address space", v7.
+
+This proposes a fix for a security vulnerability related to IOMMU Shared
+Virtual Addressing (SVA).  In an SVA context, an IOMMU can cache kernel
+page table entries.  When a kernel page table page is freed and
+reallocated for another purpose, the IOMMU might still hold stale,
+incorrect entries.  This can be exploited to cause a use-after-free or
+write-after-free condition, potentially leading to privilege escalation or
+data corruption.
+
+This solution introduces a deferred freeing mechanism for kernel page
+table pages, which provides a safe window to notify the IOMMU to
+invalidate its caches before the page is reused.
+
+
+This patch (of 8):
+
+In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
+shares and walks the CPU's page tables.  The x86 architecture maps the
+kernel's virtual address space into the upper portion of every process's
+page table.  Consequently, in an SVA context, the IOMMU hardware can walk
+and cache kernel page table entries.
+
+The Linux kernel currently lacks a notification mechanism for kernel page
+table changes, specifically when page table pages are freed and reused.
+The IOMMU driver is only notified of changes to user virtual address
+mappings.  This can cause the IOMMU's internal caches to retain stale
+entries for kernel VA.
+
+Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
+kernel page table pages are freed and later reallocated.  The IOMMU could
+misinterpret the new data as valid page table entries.  The IOMMU might
+then walk into attacker-controlled memory, leading to arbitrary physical
+memory DMA access or privilege escalation.  This is also a
+Write-After-Free issue, as the IOMMU will potentially continue to write
+Accessed and Dirty bits to the freed memory while attempting to walk the
+stale page tables.
+
+Currently, SVA contexts are unprivileged and cannot access kernel
+mappings.  However, the IOMMU will still walk kernel-only page tables all
+the way down to the leaf entries, where it realizes the mapping is for the
+kernel and errors out.  This means the IOMMU still caches these
+intermediate page table entries, making the described vulnerability a real
+concern.
+
+Disable SVA on x86 architecture until the IOMMU can receive notification
+to flush the paging cache before freeing the CPU kernel page table pages.
+
+Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com
+Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com
+Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Betkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: Kevin Tian <kevin.tian@intel.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Robin Murohy <robin.murphy@arm.com>
+Cc: Thomas Gleinxer <tglx@linutronix.de>
+Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
+Cc: Vasant Hegde <vasant.hegde@amd.com>
+Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yi Lai <yi1.lai@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ The context change is due to the commit
+  be51b1d6bbff ("iommu/sva: Refactoring iommu_sva_bind/unbind_device()")
+  and the commit 757636ed2607 ("iommu: Rename iommu-sva-lib.{c,h}")
+  in v6.2 which are irrelevant to the logic of this patch. ]
+Signed-off-by: Rahul Sharma <black.hawk@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -3068,6 +3068,9 @@ iommu_sva_bind_device(struct device *dev
+       if (!group)
+               return ERR_PTR(-ENODEV);
++      if (IS_ENABLED(CONFIG_X86))
++              return ERR_PTR(-EOPNOTSUPP);
++
+       /* Ensure device count and domain don't change while we're binding */
+       mutex_lock(&group->mutex);
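Review bot: The early `return ERR_PTR(-EOPNOTSUPP);` added right after the `!group` check leaks a group reference in the 5.15 tree: here `group` is obtained a few lines above the hunk by `iommu_group_get(dev)` (not visible in the hunk, please confirm against the 5.15 file), which takes a kobject reference that this function only releases via `iommu_group_put(group)` at its tail, whereas the upstream code the patch was lifted from reads `dev->iommu_group` without taking a reference. Every SVA bind attempt on x86 would then pin the device's iommu_group for good, which is a regression the original never had. Move the two new lines above the group lookup, directly after the existing `if (!ops || !ops->sva_bind) return ERR_PTR(-ENODEV);` test, so the refusal happens before any reference is taken. The backport note only mentions context changes from be51b1d6bbff and 757636ed2607; it should also record that the refcount semantics of the surrounding code differ, since that is what makes the placement matter. iommu_sva_bind_device starts and ends outside the hunk.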
index 968ee7bf35a1aece6a88f07617142913ef3395ab..8575995b79a6aae25a64c4a6d8ac751d50e41d5e 100644 (file)
@@ -65,3 +65,5 @@ gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
 tracing-fix-ftrace-event-field-alignments.patch
 gve-fix-stats-report-corruption-on-queue-count-change.patch
 gve-correct-ethtool-rx_dropped-calculation.patch
+bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
+iommu-disable-sva-when-config_x86-is-set.patch