From 32a6168f76eb26a4735e9c66c930bcf0e09eaad5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 9 Feb 2026 13:34:12 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
iommu-disable-sva-when-config_x86-is-set.patch
---
 ...onnect-callback-before-deleting-conn.patch | 164 ++++++++++++++++++
 ...u-disable-sva-when-config_x86-is-set.patch | 111 ++++++++++++
 queue-5.15/series | 2 +
 3 files changed, 277 insertions(+)
 create mode 100644 queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
 create mode 100644 queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch

diff --git a/queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch b/queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
new file mode 100644
index 0000000000..940ca3b01b
--- /dev/null
+++ b/queue-5.15/bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
@@ -0,0 +1,164 @@
+From 7f7cfcb6f0825652973b780f248603e23f16ee90 Mon Sep 17 00:00:00 2001
+From: Pauli Virtanen
+Date: Mon, 19 Jun 2023 01:04:32 +0300
+Subject: Bluetooth: hci_event: call disconnect callback before deleting conn
+
+From: Pauli Virtanen
+
+commit 7f7cfcb6f0825652973b780f248603e23f16ee90 upstream.
+
+In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
+
+ISO, L2CAP and SCO connections refer to the hci_conn without
+hci_conn_get, so disconn_cfm must be called so they can clean up their
+conn, otherwise use-after-free occurs.
+
+ISO:
+==========================================================
+iso_sock_connect:880: sk 00000000eabd6557
+iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
+...
+iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
+hci_dev_put:1487: hci0 orig refcnt 17
+__iso_chan_add:214: conn 00000000b6251073
+iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
+...
+hci_rx_work:4085: hci0 Event packet
+hci_event_packet:7601: hci0: event 0x0f
+hci_cmd_status_evt:4346: hci0: opcode 0x0406
+hci_cs_disconnect:2760: hci0: status 0x0c
+hci_sent_cmd_data:3107: hci0 opcode 0x0406
+hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
+hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
+hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
+hci_chan_list_flush:2780: hcon 000000001696f1fd
+hci_dev_put:1487: hci0 orig refcnt 21
+hci_dev_put:1487: hci0 orig refcnt 20
+hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
+... ...
+iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
+BUG: kernel NULL pointer dereference, address: 0000000000000668
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
+==========================================================
+
+L2CAP:
+==================================================================
+hci_cmd_status_evt:4359: hci0: opcode 0x0406
+hci_cs_disconnect:2760: hci0: status 0x0c
+hci_sent_cmd_data:3085: hci0 opcode 0x0406
+hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
+hci_conn_unlink:1102: hci0: hcon ffff88800c999000
+hci_chan_list_flush:2780: hcon ffff88800c999000
+hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
+...
+BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
+Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
+
+CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x5b/0x90
+ print_report+0xcf/0x670
+ ? __virt_addr_valid+0xf8/0x180
+ ? hci_send_acl+0x2d/0x540 [bluetooth]
+ kasan_report+0xa8/0xe0
+ ? hci_send_acl+0x2d/0x540 [bluetooth]
+ hci_send_acl+0x2d/0x540 [bluetooth]
+ ? __pfx___lock_acquire+0x10/0x10
+ l2cap_chan_send+0x1fd/0x1300 [bluetooth]
+ ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
+ ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
+ ? lock_release+0x1d5/0x3c0
+ ? mark_held_locks+0x1a/0x90
+ l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
+ sock_write_iter+0x275/0x280
+ ? __pfx_sock_write_iter+0x10/0x10
+ ? __pfx___lock_acquire+0x10/0x10
+ do_iter_readv_writev+0x176/0x220
+ ? __pfx_do_iter_readv_writev+0x10/0x10
+ ? find_held_lock+0x83/0xa0
+ ? selinux_file_permission+0x13e/0x210
+ do_iter_write+0xda/0x340
+ vfs_writev+0x1b4/0x400
+ ? __pfx_vfs_writev+0x10/0x10
+ ? __seccomp_filter+0x112/0x750
+ ? populate_seccomp_data+0x182/0x220
+ ? __fget_light+0xdf/0x100
+ ? do_writev+0x19d/0x210
+ do_writev+0x19d/0x210
+ ? __pfx_do_writev+0x10/0x10
+ ? mark_held_locks+0x1a/0x90
+ do_syscall_64+0x60/0x90
+ ? lockdep_hardirqs_on_prepare+0x149/0x210
+ ? do_syscall_64+0x6c/0x90
+ ? lockdep_hardirqs_on_prepare+0x149/0x210
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7ff45cb23e64
+Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
+RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
+RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
+R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
+R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
+
+
+Allocated by task 771:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ __kasan_kmalloc+0xaa/0xb0
+ hci_chan_create+0x67/0x1b0 [bluetooth]
+ l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
+ l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
+ hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
+ hci_event_packet+0x38d/0x800 [bluetooth]
+ hci_rx_work+0x287/0xb20 [bluetooth]
+ process_one_work+0x4f7/0x970
+ worker_thread+0x8f/0x620
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x2c/0x50
+
+Freed by task 771:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ kasan_save_free_info+0x2e/0x50
+ ____kasan_slab_free+0x169/0x1c0
+ slab_free_freelist_hook+0x9e/0x1c0
+ __kmem_cache_free+0xc0/0x310
+ hci_chan_list_flush+0x46/0x90 [bluetooth]
+ hci_conn_cleanup+0x7d/0x330 [bluetooth]
+ hci_cs_disconnect+0x35d/0x530 [bluetooth]
+ hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
+ hci_event_packet+0x38d/0x800 [bluetooth]
+ hci_rx_work+0x287/0xb20 [bluetooth]
+ process_one_work+0x4f7/0x970
+ worker_thread+0x8f/0x620
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x2c/0x50
+==================================================================
+
+Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect")
+Signed-off-by: Pauli Virtanen
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2373,6 +2373,9 @@ static void hci_cs_disconnect(struct hci
+ hci_req_reenable_advertising(hdev);
+ }
+ 
++ /* Inform sockets conn is gone before we delete it */
++ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
++
+ /* If the disconnection failed for any reason, the upper layer
+ * does not retry to disconnect in current implementation.
+ * Hence, we need to do some basic cleanup here and re-enable
diff --git a/queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch b/queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch
new file mode 100644
index 0000000000..a344e21750
--- /dev/null
+++ b/queue-5.15/iommu-disable-sva-when-config_x86-is-set.patch
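Review bot: The one-line comment above the new `hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);` says what is done but not why the order matters, and the existing comment that explains this cleanup path ("If the disconnection failed for any reason ...") now sits below the new call instead of introducing the block. I would carry the rationale from the commit message into the comment, e.g. `/* Inform sockets conn is gone before we delete it: L2CAP/SCO keep a pointer to the hci_conn without a reference, so they must drop it now or use it after free */`. If I am right that 5.15 predates net/bluetooth/iso.c, only the L2CAP and SCO cases of the upstream message apply here, which is worth a line in the backport note alongside the other context differences. The body of hci_cs_disconnect starts and ends outside this hunk, so whether the call sits inside the block that guards `conn` cannot be confirmed from the context lines alone.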
@@ -0,0 +1,111 @@
+From 72f98ef9a4be30d2a60136dd6faee376f780d06c Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Wed, 22 Oct 2025 16:26:27 +0800
+Subject: iommu: disable SVA when CONFIG_X86 is set
+
+From: Lu Baolu
+
+commit 72f98ef9a4be30d2a60136dd6faee376f780d06c upstream.
+
+Patch series "Fix stale IOTLB entries for kernel address space", v7.
+
+This proposes a fix for a security vulnerability related to IOMMU Shared
+Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
+page table entries. When a kernel page table page is freed and
+reallocated for another purpose, the IOMMU might still hold stale,
+incorrect entries. This can be exploited to cause a use-after-free or
+write-after-free condition, potentially leading to privilege escalation or
+data corruption.
+
+This solution introduces a deferred freeing mechanism for kernel page
+table pages, which provides a safe window to notify the IOMMU to
+invalidate its caches before the page is reused.
+
+
+This patch (of 8):
+
+In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
+shares and walks the CPU's page tables. The x86 architecture maps the
+kernel's virtual address space into the upper portion of every process's
+page table. Consequently, in an SVA context, the IOMMU hardware can walk
+and cache kernel page table entries.
+
+The Linux kernel currently lacks a notification mechanism for kernel page
+table changes, specifically when page table pages are freed and reused.
+The IOMMU driver is only notified of changes to user virtual address
+mappings. This can cause the IOMMU's internal caches to retain stale
+entries for kernel VA.
+
+Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
+kernel page table pages are freed and later reallocated. The IOMMU could
+misinterpret the new data as valid page table entries. The IOMMU might
+then walk into attacker-controlled memory, leading to arbitrary physical
+memory DMA access or privilege escalation. This is also a
+Write-After-Free issue, as the IOMMU will potentially continue to write
+Accessed and Dirty bits to the freed memory while attempting to walk the
+stale page tables.
+
+Currently, SVA contexts are unprivileged and cannot access kernel
+mappings. However, the IOMMU will still walk kernel-only page tables all
+the way down to the leaf entries, where it realizes the mapping is for the
+kernel and errors out. This means the IOMMU still caches these
+intermediate page table entries, making the described vulnerability a real
+concern.
+
+Disable SVA on x86 architecture until the IOMMU can receive notification
+to flush the paging cache before freeing the CPU kernel page table pages.
+
+Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com
+Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com
+Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
+Signed-off-by: Lu Baolu
+Suggested-by: Jason Gunthorpe
+Reviewed-by: Jason Gunthorpe
+Cc: Alistair Popple
+Cc: Andy Lutomirski
+Cc: Borislav Betkov
+Cc: Dave Hansen
+Cc: David Hildenbrand
+Cc: Ingo Molnar
+Cc: Jann Horn
+Cc: Jean-Philippe Brucker
+Cc: Joerg Roedel
+Cc: Kevin Tian
+Cc: Liam Howlett
+Cc: Lorenzo Stoakes
+Cc: Matthew Wilcox (Oracle)
+Cc: Michal Hocko
+Cc: Mike Rapoport
+Cc: Peter Zijlstra
+Cc: Robin Murohy
+Cc: Thomas Gleinxer
+Cc: "Uladzislau Rezki (Sony)"
+Cc: Vasant Hegde
+Cc: Vinicius Costa Gomes
+Cc: Vlastimil Babka
+Cc: Will Deacon
+Cc: Yi Lai
+Cc:
+Signed-off-by: Andrew Morton
+[ The context change is due to the commit
+ be51b1d6bbff ("iommu/sva: Refactoring iommu_sva_bind/unbind_device()")
+ and the commit 757636ed2607 ("iommu: Rename iommu-sva-lib.{c,h}")
+ in v6.2 which are irrelevant to the logic of this patch. ]
+Signed-off-by: Rahul Sharma
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -3068,6 +3068,9 @@ iommu_sva_bind_device(struct device *dev
+ if (!group)
+ return ERR_PTR(-ENODEV);
+ 
++ if (IS_ENABLED(CONFIG_X86))
++ return ERR_PTR(-EOPNOTSUPP);
++
+ /* Ensure device count and domain don't change while we're binding */
+ mutex_lock(&group->mutex);
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 968ee7bf35..8575995b79 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -65,3 +65,5 @@ gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
 tracing-fix-ftrace-event-field-alignments.patch
 gve-fix-stats-report-corruption-on-queue-count-change.patch
 gve-correct-ethtool-rx_dropped-calculation.patch
+bluetooth-hci_event-call-disconnect-callback-before-deleting-conn.patch
+iommu-disable-sva-when-config_x86-is-set.patch
-- 
2.47.3
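Review bot: The new early `return ERR_PTR(-EOPNOTSUPP);` sits after `group` has already been looked up, and in the 5.15 version of iommu_sva_bind_device that lookup is, as far as I recall (it is outside this hunk), `iommu_group_get(dev)` with the matching `iommu_group_put(group)` on the common exit path after `mutex_unlock(&group->mutex)` — so every x86 bind attempt would now leak one group reference, whereas the upstream placement is harmless because the 6.x function reads `dev->iommu_group` without taking a reference. Either move the check above the lookup, before `group = iommu_group_get(dev);`, or release before returning: `if (IS_ENABLED(CONFIG_X86)) { iommu_group_put(group); return ERR_PTR(-EOPNOTSUPP); }`. The function starts and ends outside the hunk, so this needs confirming against the 5.15 tree; if the leak is real, the bracketed backport note should also mention that the check was moved relative to upstream and why.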