From: Greg Kroah-Hartman Date: Mon, 31 May 2021 11:58:37 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.271~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f19cf3817de30ddaaab125d0c75f1f0b256756d2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch --- diff --git a/queue-4.4/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch b/queue-4.4/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch new file mode 100644 index 00000000000..94ed241ab71 --- /dev/null +++ b/queue-4.4/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch 
@@ -0,0 +1,56 @@ +From e2cb6b891ad2b8caa9131e3be70f45243df82a80 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Mon, 12 Apr 2021 19:17:57 +0800 +Subject: bluetooth: eliminate the potential race condition when removing the HCI controller + +From: Lin Ma + +commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream. + +There is a possible race condition vulnerability between issuing a HCI +command and removing the cont. Specifically, functions hci_req_sync() +and hci_dev_do_close() can race each other like below: + +thread-A in hci_req_sync() | thread-B in hci_dev_do_close() + | hci_req_sync_lock(hdev); +test_bit(HCI_UP, &hdev->flags); | +... | test_and_clear_bit(HCI_UP, &hdev->flags) +hci_req_sync_lock(hdev); | + | +In this commit we alter the sequence in function hci_req_sync(). Hence, +the thread-A cannot issue th. + +Signed-off-by: Lin Ma +Cc: Marcel Holtmann +Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy") +[iwamatsu: adjust filename, arguments of __hci_req_sync(). CVE-2021-32399] +Signed-off-by: Nobuhiro Iwamatsu +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -371,12 +371,17 @@ static int hci_req_sync(struct hci_dev * + { + int ret; + +- if (!test_bit(HCI_UP, &hdev->flags)) +- return -ENETDOWN; +- + /* Serialize all requests */ + hci_req_lock(hdev); +- ret = __hci_req_sync(hdev, req, opt, timeout); ++ /* check the state after obtaing the lock to protect the HCI_UP ++ * against any races from hci_dev_do_close when the controller ++ * gets removed. ++ */ ++ if (test_bit(HCI_UP, &hdev->flags)) ++ ret = __hci_req_sync(hdev, req, opt, timeout); ++ else ++ ret = -ENETDOWN; ++ + hci_req_unlock(hdev); + + return ret; diff --git a/queue-4.4/series b/queue-4.4/series index d7f6702fc57..1d89dc4bccc 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -50,3 +50,4 @@ sch_dsmark-fix-a-null-deref-in-qdisc_reset.patch mips-alchemy-xxs1500-add-gpio-au1000.h-header-file.patch mips-ralink-export-rt_sysc_membase-for-rt2880_wdt.c.patch hugetlbfs-hugetlb_fault_mutex_hash-cleanup.patch +bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch
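Review bot: in the net/bluetooth/hci_core.c hunk, moving the HCI_UP test under hci_req_lock(hdev) only closes the race if hci_dev_do_close() on 4.4 takes that same lock before its test_and_clear_bit(HCI_UP, &hdev->flags); the commit message describes the close side using the upstream name hci_req_sync_lock(hdev), and the backport note only records adjusting the filename and the __hci_req_sync() arguments, so please confirm the close path in this tree holds hci_req_lock() at that point, otherwise the relocated test_bit() still races exactly as before. Minor: the added comment reads `check the state after obtaing the lock`; that should be `obtaining` (the typo is carried over from the upstream commit and could be fixed in the backport).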