On Fri, May 28, 2021 at 05:52:24PM +0900, Nobuhiro Iwamatsu wrote:
> From: Lin Ma <linma@xxxxxxxxxx>
>
> commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.
>
> There is a possible race condition vulnerability between issuing a HCI
> command and removing the cont. Specifically, functions hci_req_sync()
> and hci_dev_do_close() can race each other like below:
>
> thread-A in hci_req_sync() | thread-B in hci_dev_do_close()
> | hci_req_sync_lock(hdev);
> test_bit(HCI_UP, &hdev->flags); |
> ... | test_and_clear_bit(HCI_UP, &hdev->flags)
> hci_req_sync_lock(hdev); |
> |
> In this commit we alter the sequence in function hci_req_sync(). Hence,
> the thread-A cannot issue th.
>
> Signed-off-by: Lin Ma <linma@xxxxxxxxxx>
> Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx>
> Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> [iwamatsu: adjust filename, arguments of __hci_req_sync(). CVE-2021-32399]
> Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@xxxxxxxxxxxxx>
> ---
> net/bluetooth/hci_core.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
Now queued up, thanks.
greg k-h
