| Message ID | 20230221160910.kernel.v1.1.If0578b001c1f12567f2ebcac5856507f1adee745@changeid (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Clear workqueue to avoid use-after-free | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | success | CheckPatch PASS |
| tedd_an/GitLint | success | Gitlint PASS |
| tedd_an/SubjectPrefix | success | Gitlint PASS |
| tedd_an/BuildKernel | success | BuildKernel PASS |
| tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
| tedd_an/CheckSparse | success | CheckSparse PASS |
| tedd_an/CheckSmatch | success | CheckSparse PASS |
| tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
| tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
| tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
| tedd_an/TestRunner_iso-tester | success | TestRunner PASS |
| tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
Hi, We need to revise this patch after a local test failure. I will update after finding the cause. Thanks, Zhengping On Tue, Feb 21, 2023 at 4:09 PM Zhengping Jiang <jiangzp@google.com> wrote: > > Clear cmd_sync_work queue before clearing the mgmt cmd list to avoid > racing conditions which cause use-after-free. > > When powering off the adapter, the mgmt cmd list will be cleared. If a > work is queued in the cmd_sync_work queue at the same time, it will > cause the risk of use-after-free, as the cmd pointer is not checked > before use. > > Signed-off-by: Zhengping Jiang <jiangzp@google.com> > --- > > Changes in v1: > - Clear cmd_sync_work queue before clearing the mgmt cmd list > > net/bluetooth/hci_sync.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c > index 117eedb6f709..6609434e3125 100644 > --- a/net/bluetooth/hci_sync.c > +++ b/net/bluetooth/hci_sync.c > @@ -4840,6 +4840,8 @@ int hci_dev_close_sync(struct hci_dev *hdev) > > auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF); > > + hci_cmd_sync_clear(hdev); > + > if (!auto_off && hdev->dev_type == HCI_PRIMARY && > !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && > hci_dev_test_flag(hdev, HCI_MGMT)) > -- > 2.39.2.637.g21b0678d19-goog >
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 117eedb6f709..6609434e3125 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -4840,6 +4840,8 @@ int hci_dev_close_sync(struct hci_dev *hdev) auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF); + hci_cmd_sync_clear(hdev); + if (!auto_off && hdev->dev_type == HCI_PRIMARY && !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && hci_dev_test_flag(hdev, HCI_MGMT))
Clear cmd_sync_work queue before clearing the mgmt cmd list to avoid racing conditions which cause use-after-free. When powering off the adapter, the mgmt cmd list will be cleared. If a work is queued in the cmd_sync_work queue at the same time, it will cause the risk of use-after-free, as the cmd pointer is not checked before use. Signed-off-by: Zhengping Jiang <jiangzp@google.com> --- Changes in v1: - Clear cmd_sync_work queue before clearing the mgmt cmd list net/bluetooth/hci_sync.c | 2 ++ 1 file changed, 2 insertions(+)