[ Sasha's backport helper bot ] Hi, The upstream commit SHA1 provided is correct: f53e1c9c726d83092167f2226f32bd3b73f26c21 WARNING: Author mismatch between patch and upstream commit: Backport author: Xiangyu Chen <xiangyu.chen@xxxxxxxxxxxxxxxxx> Commit author: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.11.y | Present (different SHA1: 8c3f7943a291) 6.6.y | Present (different SHA1: 4883296505aa) 6.1.y | Not found Note: The patch differs from the upstream commit: --- --- - 2024-11-26 08:07:32.599317773 -0500 +++ /tmp/tmp.XHyzHU5ddN 2024-11-26 08:07:32.593820712 -0500 @@ -1,3 +1,5 @@ +[ Upstream commit f53e1c9c726d83092167f2226f32bd3b73f26c21 ] + If mgmt_index_removed is called while there are commands queued on cmd_sync it could lead to crashes like the bellow trace: @@ -12,15 +14,17 @@ Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor") Reported-by: jiaymao <quic_jiaymao@xxxxxxxxxxx> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> +[Xiangyu: BP to fix CVE: CVE-2024-49951, Minor conflict resolution] +Signed-off-by: Xiangyu Chen <xiangyu.chen@xxxxxxxxxxxxx> --- net/bluetooth/mgmt.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c -index e4f564d6f6fbf..4157d9f23f46e 100644 +index 5a1015ccc063..82edd9981ab0 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c -@@ -1453,10 +1453,15 @@ static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data) +@@ -1457,10 +1457,15 @@ static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data) static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data) { 
@@ -39,7 +43,7 @@ mgmt_pending_remove(cmd); return; -@@ -9394,12 +9399,12 @@ void mgmt_index_added(struct hci_dev *hdev) +@@ -9424,14 +9429,14 @@ void mgmt_index_added(struct hci_dev *hdev) void mgmt_index_removed(struct hci_dev *hdev) { struct mgmt_ev_ext_index ev; @@ -49,12 +53,14 @@ if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) return; -- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); -+ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match); - - if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { - mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, -@@ -9450,7 +9455,7 @@ void mgmt_power_on(struct hci_dev *hdev, int err) + switch (hdev->dev_type) { + case HCI_PRIMARY: +- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status); ++ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match); + + if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { + mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, +@@ -9489,7 +9494,7 @@ void mgmt_power_on(struct hci_dev *hdev, int err) void __mgmt_power_off(struct hci_dev *hdev) { struct cmd_lookup match = { NULL, hdev }; @@ -63,7 +69,7 @@ mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match); -@@ -9462,11 +9467,11 @@ void __mgmt_power_off(struct hci_dev *hdev) +@@ -9501,11 +9506,11 @@ void __mgmt_power_off(struct hci_dev *hdev) * status responses. */ if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) @@ -78,3 +84,6 @@ if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) { mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, +-- +2.43.0 + --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |
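Review bot: Nothing in the build checks the new argument type of `cmd_complete_rsp`: it still takes `void *data`, while the backported `mgmt_index_removed` hunk now passes `&match` where it used to pass `&status`. `match` is presumably a `struct cmd_lookup`, as in the `__mgmt_power_off` context line. Any other `mgmt_pending_foreach(..., cmd_complete_rsp, ...)` call site in 6.1.y that still hands over a `u8 *` would compile cleanly, so the reported "Build Test: Success" does not rule it out, and the callback would then presumably read past a one-byte object. The conflict resolution places the call under `case HCI_PRIMARY:`, so the 6.1.y function body differs from upstream. It would be worth grepping the branch for every `cmd_complete_rsp` user rather than relying on the two visible hunks. The rewritten callback body and the `match` initialiser in `mgmt_index_removed` are elided from this range-diff, so the status value it carries cannot be confirmed from this page. I would also add a comment above the callback such as `/* data must point to a struct cmd_lookup, never a bare u8 status */`.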