From patchwork Tue Apr 23 21:27:35 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1926790
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH 1/1] Bluetooth: Avoid potential use-after-free in hci_error_reset
Date: Tue, 23 Apr 2024 16:27:35 -0500
Message-Id: <20240423212735.27988-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240423212735.27988-1-bethany.jamison@canonical.com>
References: <20240423212735.27988-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions

From: Ying Hsu

[ Upstream commit 2449007d3f73b2842c9734f45f0aadb522daf592 ]

While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
BT controller is not responding, the GPIO reset mechanism would
free the hci_dev and lead to a use-after-free in hci_error_reset.

Here's the call trace observed on a ChromeOS device with Intel AX201:
   queue_work_on+0x3e/0x6c
   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ]
   ? init_wait_entry+0x31/0x31
   __hci_cmd_sync+0x16/0x20 [bluetooth ]
   hci_error_reset+0x4f/0xa4 [bluetooth ]
   process_one_work+0x1d8/0x33f
   worker_thread+0x21b/0x373
   kthread+0x13a/0x152
   ? pr_cont_work+0x54/0x54
   ? kthread_blkcg+0x31/0x31
   ret_from_fork+0x1f/0x30

This patch holds the reference count on the hci_dev while processing
a HCI_EV_HARDWARE_ERROR event to avoid a potential crash.

Fixes: c7741d16a57c ("Bluetooth: Perform a power cycle when receiving hardware error event")
Signed-off-by: Ying Hsu
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Sasha Levin
(cherry picked from commit 2ab9a19d896f5a0dd386e1f001c5309bc35f433b linux-6.6.y)
CVE-2024-26801
Signed-off-by: Bethany Jamison
---
 net/bluetooth/hci_core.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index eb591495ba245..35aaed40bfed0 100644
--- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1049,6 +1049,7 @@ static void hci_error_reset(struct work_struct *work) { struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset); + hci_dev_hold(hdev); BT_DBG("%s", hdev->name); if (hdev->hw_error) @@ -1056,10 +1057,10 @@ static void hci_error_reset(struct work_struct *work) else bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code); - if (hci_dev_do_close(hdev)) - return; + if (!hci_dev_do_close(hdev)) + hci_dev_do_open(hdev); - hci_dev_do_open(hdev); + hci_dev_put(hdev); } void hci_uuids_clear(struct hci_dev *hdev)
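Review bot: the hci_dev_hold(hdev) added at the top of hci_error_reset() (first hunk) covers only the body of the work function, from that line to the matching hci_dev_put(); nothing in the hunk keeps hdev alive between queue_work() and entry, so the hold assumes the hci_dev is still valid when the worker starts. That matches the description ("holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event") only if the event path that queues error_reset already holds its own reference, which the commit message does not state. Suggest a one-line comment above the hold, e.g. /* hw_error/close/open below may drop the driver's last reference */, so the reason for the hold and its pairing with hci_dev_put() are visible in the function itself rather than only in the changelog.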
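Review bot: in the second hunk, rewriting `if (hci_dev_do_close(hdev)) return;` as `if (!hci_dev_do_close(hdev)) hci_dev_do_open(hdev);` is required by the hold, not a style choice: keeping the early return would have skipped the new hci_dev_put(hdev) whenever the close fails, leaking a reference and pinning the hci_dev for good. With the function now having a single exit the put is balanced on every path shown, and it would be worth saying so in the commit message so that a future early return placed between hci_dev_hold() and hci_dev_put() is recognised as a leak. Also note that the return value of hci_dev_do_close() is still used only to gate the reopen; a failed close is not reported from this function.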
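The hold/put shape the patch applies, and why the early return in the second hunk could not stay, as an added user-space model that is not kernel code and not from the patch or its authors: a constructed refcounted `struct dev` stands in for `hci_dev`, `dev_hold`/`dev_put` for `hci_dev_hold`/`hci_dev_put`, and a simulated hardware-error command drops the driver's reference mid-handler, the way the commit message says the GPIO reset frees the hci_dev. The object is poisoned rather than returned to the allocator so that the use-after-free is observable instead of undefined; the variant names, the `FLAG_*` values and the injected close result are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct hci_dev (example only). */
struct dev {
	int refs;          /* models the refcount behind hci_dev_hold/put */
	bool freed;        /* set when refs hits zero; memory kept so the bug is observable */
	int hw_error_code;
};

static struct dev *dev_alloc(void)
{
	struct dev *d = calloc(1, sizeof *d);
	if (!d)
		abort();
	d->refs = 1;       /* the driver's long-lived reference */
	return d;
}

static void dev_hold(struct dev *d) { d->refs++; }

static void dev_put(struct dev *d)
{
	if (--d->refs == 0) {
		/* A real kfree() would hand the memory back; here it is only
		 * poisoned so a later access can be detected by the caller. */
		d->freed = true;
		d->hw_error_code = 0x6b6b6b6b;
	}
}

/* Stand-in for the driver hw_error callback: the synchronous command times
 * out and the reset path tears the device down, dropping the driver's
 * reference. The error is returned but, as in the kernel, not checked. */
static int hw_error_cmd_sync(struct dev **driver_ref)
{
	if (*driver_ref) {
		dev_put(*driver_ref);
		*driver_ref = NULL;
	}
	return -110; /* ETIMEDOUT-like (assumed value) */
}

/* Stand-in for hci_dev_do_close(); the result is injected by the scenario. */
static int do_close(struct dev *d, int close_ret) { (void)d; return close_ret; }

enum variant { UNFIXED, HOLD_WITH_EARLY_RETURN, HOLD_FIXED };

#define FLAG_UAF  1  /* handler touched the object after its last reference went */
#define FLAG_LEAK 2  /* handler returned with a reference still outstanding */

/* Original shape: no reference of its own. */
static bool error_reset_unfixed(struct dev *d, struct dev **driver_ref, int close_ret)
{
	hw_error_cmd_sync(driver_ref);
	bool uaf = d->freed;        /* the device may already be gone here */
	if (do_close(d, close_ret))
		return uaf;
	/* do_open(d) */
	return uaf;
}

/* Hold added, but the original early return kept. */
static bool error_reset_hold_early_return(struct dev *d, struct dev **driver_ref, int close_ret)
{
	dev_hold(d);
	hw_error_cmd_sync(driver_ref);
	bool uaf = d->freed;
	if (do_close(d, close_ret))
		return uaf;             /* BUG: dev_put() skipped on this path */
	/* do_open(d) */
	dev_put(d);
	return uaf;
}

/* Shape of the patch: single exit, the put always runs. */
static bool error_reset_fixed(struct dev *d, struct dev **driver_ref, int close_ret)
{
	dev_hold(d);
	hw_error_cmd_sync(driver_ref);
	bool uaf = d->freed;        /* still alive: our own reference holds it */
	if (!do_close(d, close_ret)) {
		/* do_open(d) */
	}
	dev_put(d);
	return uaf;
}

/* Runs one handler variant against a fresh device and reports FLAG_* bits. */
static int run_scenario(enum variant v, int close_ret)
{
	struct dev *d = dev_alloc();
	struct dev *driver_ref = d;
	bool uaf;

	switch (v) {
	case UNFIXED:                uaf = error_reset_unfixed(d, &driver_ref, close_ret); break;
	case HOLD_WITH_EARLY_RETURN: uaf = error_reset_hold_early_return(d, &driver_ref, close_ret); break;
	default:                     uaf = error_reset_fixed(d, &driver_ref, close_ret); break;
	}

	int flags = (uaf ? FLAG_UAF : 0) | (d->refs != 0 ? FLAG_LEAK : 0);
	free(d);   /* the model object is reclaimed only once the scenario is over */
	return flags;
}

int main(void)
{
	printf("unfixed, close ok:         %d\n", run_scenario(UNFIXED, 0));                 /* 1: UAF */
	printf("hold + early return, fail: %d\n", run_scenario(HOLD_WITH_EARLY_RETURN, -1)); /* 2: leak */
	printf("patch shape, close fails:  %d\n", run_scenario(HOLD_FIXED, -1));             /* 0 */
	return 0;
}
```

The three runs in main() map onto the two hunks: the unfixed handler reads the device after the reset path dropped the only reference, the hold alone fixes that but turns the old `return` into a reference leak when the close fails, and the patch's single-exit form is the only variant that is clean on both counts.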