--- /dev/null
+From e2cb6b891ad2b8caa9131e3be70f45243df82a80 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 12 Apr 2021 19:17:57 +0800
+Subject: bluetooth: eliminate the potential race condition when removing the HCI controller
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.
+
+There is a possible race condition vulnerability between issuing a HCI
+command and removing the cont. Specifically, functions hci_req_sync()
+and hci_dev_do_close() can race each other like below:
+
+thread-A in hci_req_sync() | thread-B in hci_dev_do_close()
+ | hci_req_sync_lock(hdev);
+test_bit(HCI_UP, &hdev->flags); |
+... | test_and_clear_bit(HCI_UP, &hdev->flags)
+hci_req_sync_lock(hdev); |
+ |
+In this commit we alter the sequence in function hci_req_sync(). Hence,
+the thread-A cannot issue th.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
+[iwamatsu: adjust filename, arguments of __hci_req_sync(). CVE-2021-32399]
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_core.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -371,12 +371,17 @@ static int hci_req_sync(struct hci_dev *
+ {
+ int ret;
+
+- if (!test_bit(HCI_UP, &hdev->flags))
+- return -ENETDOWN;
+-
+ /* Serialize all requests */
+ hci_req_lock(hdev);
+- ret = __hci_req_sync(hdev, req, opt, timeout);
++ /* check the state after obtaing the lock to protect the HCI_UP
++ * against any races from hci_dev_do_close when the controller
++ * gets removed.
++ */
++ if (test_bit(HCI_UP, &hdev->flags))
++ ret = __hci_req_sync(hdev, req, opt, timeout);
++ else
++ ret = -ENETDOWN;
++
+ hci_req_unlock(hdev);
+
+ return ret;
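Review bot: the comment added in this hunk, "check the state after obtaing the lock", has a typo, "obtaing" should be "obtaining"; worth fixing since the comment is the only in-tree explanation of why the HCI_UP test moved below the lock. The logic itself looks right: HCI_UP is now read only while hci_req_lock(hdev) is held, the same lock hci_dev_do_close() holds when it does test_and_clear_bit(HCI_UP, &hdev->flags), so the window shown in the commit message (test_bit outside the lock, then lock) no longer exists, and `ret` is assigned on both branches before hci_req_unlock(hdev). One wording nit: the commit message names hci_req_sync_lock(), while this backport uses hci_req_lock()/hci_req_unlock(); the "[iwamatsu: adjust filename, arguments of __hci_req_sync()]" tag already records the adaptation, so a reader should not expect the function names in the message to match this tree.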