authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-30 11:14:23 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-30 11:14:23 +0200
commita32b64d2658e2aac4cb010cc81176eaf176a79cb (patch)
treeccbdd534d8b790a152b9538e773c4297b2838afe
parentf0be3b797abf0eb3fccb7c8e5dec292ce3ae1ddc (diff)
6.8-stable patches
added patches: bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
-rw-r--r--queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch99
-rw-r--r--queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch51
-rw-r--r--queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch66
-rw-r--r--queue-6.8/series3
4 files changed, 219 insertions, 0 deletions
diff --git a/queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch b/queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
new file mode 100644
index 0000000000..d375194dab
--- /dev/null
+++ b/queue-6.8/bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
@@ -0,0 +1,99 @@
+From 3d1c16e920c88eb5e583e1b4a10b95a5dc97ec22 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 8 Mar 2024 11:02:48 -0500
+Subject: Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 3d1c16e920c88eb5e583e1b4a10b95a5dc97ec22 upstream.
+
+This fixes the following error caused by hci_conn being freed while
+hcy_acl_create_conn_sync is pending:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0xa7/0x2e0
+Write of size 2 at addr ffff888002ae0036 by task kworker/u3:0/848
+
+CPU: 0 PID: 848 Comm: kworker/u3:0 Not tainted 6.8.0-rc6-g2ab3e8d67fc1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
+04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x21/0x70
+ print_report+0xce/0x620
+ ? preempt_count_sub+0x13/0xc0
+ ? __virt_addr_valid+0x15f/0x310
+ ? hci_acl_create_conn_sync+0xa7/0x2e0
+ kasan_report+0xdf/0x110
+ ? hci_acl_create_conn_sync+0xa7/0x2e0
+ hci_acl_create_conn_sync+0xa7/0x2e0
+ ? __pfx_hci_acl_create_conn_sync+0x10/0x10
+ ? __pfx_lock_release+0x10/0x10
+ ? __pfx_hci_acl_create_conn_sync+0x10/0x10
+ hci_cmd_sync_work+0x138/0x1c0
+ process_one_work+0x405/0x800
+ ? __pfx_lock_acquire+0x10/0x10
+ ? __pfx_process_one_work+0x10/0x10
+ worker_thread+0x37b/0x670
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x19b/0x1e0
+ ? kthread+0xfe/0x1e0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2f/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+Allocated by task 847:
+ kasan_save_stack+0x33/0x60
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x8f/0xa0
+ hci_conn_add+0xc6/0x970
+ hci_connect_acl+0x309/0x410
+ pair_device+0x4fb/0x710
+ hci_sock_sendmsg+0x933/0xef0
+ sock_write_iter+0x2c3/0x2d0
+ do_iter_readv_writev+0x21a/0x2e0
+ vfs_writev+0x21c/0x7b0
+ do_writev+0x14a/0x180
+ do_syscall_64+0x77/0x150
+ entry_SYSCALL_64_after_hwframe+0x6c/0x74
+
+Freed by task 847:
+ kasan_save_stack+0x33/0x60
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0xfa/0x150
+ kfree+0xcb/0x250
+ device_release+0x58/0xf0
+ kobject_put+0xbb/0x160
+ hci_conn_del+0x281/0x570
+ hci_conn_hash_flush+0xfc/0x130
+ hci_dev_close_sync+0x336/0x960
+ hci_dev_close+0x10e/0x140
+ hci_sock_ioctl+0x14a/0x5c0
+ sock_ioctl+0x58a/0x5d0
+ __x64_sys_ioctl+0x480/0xf60
+ do_syscall_64+0x77/0x150
+ entry_SYSCALL_64_after_hwframe+0x6c/0x74
+
+Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6687,6 +6687,9 @@ static int hci_acl_create_conn_sync(stru
+ struct hci_cp_create_conn cp;
+ int err;
+
++ if (!hci_conn_valid(hdev, conn))
++ return -ECANCELED;
++
+ /* Many controllers disallow HCI Create Connection while it is doing
+ * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
+ * Connection. This may cause the MGMT discovering state to become false
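Review bot: The added `hci_conn_valid()` check only guards the entry of hci_acl_create_conn_sync; the function then builds cp from the connection and, as the third patch in this series shows, reads `conn->conn_timeout` when issuing the command, and nothing in this hunk pins conn across that window. If hci_conn_valid() only confirms list membership rather than taking a reference (I cannot tell from the hunk), the race described by the KASAN report is narrowed rather than closed, so a comment above the check stating what keeps conn alive until the command completes would help the next reader judge that. The nested commit message also misspells the function as "hcy_acl_create_conn_sync". The body of hci_acl_create_conn_sync continues outside the hunk.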
diff --git a/queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch b/queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
new file mode 100644
index 0000000000..63b34fdcc7
--- /dev/null
+++ b/queue-6.8/bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
@@ -0,0 +1,51 @@
+From f7cbce60a38a6589f0dade720d4c2544959ecc0e Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 20 Feb 2024 13:10:47 -0500
+Subject: Bluetooth: hci_sync: Fix UAF on create_le_conn_complete
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit f7cbce60a38a6589f0dade720d4c2544959ecc0e upstream.
+
+While waiting for hci_dev_lock the hci_conn object may be cleanup
+causing the following trace:
+
+BUG: KASAN: slab-use-after-free in hci_connect_le_scan_cleanup+0x29/0x350
+Read of size 8 at addr ffff888001a50a30 by task kworker/u3:1/111
+
+CPU: 0 PID: 111 Comm: kworker/u3:1 Not tainted
+6.8.0-rc2-00701-g8179b15ab3fd-dirty #6418
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
+04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x21/0x70
+ print_report+0xce/0x620
+ ? preempt_count_sub+0x13/0xc0
+ ? __virt_addr_valid+0x15f/0x310
+ ? hci_connect_le_scan_cleanup+0x29/0x350
+ kasan_report+0xdf/0x110
+ ? hci_connect_le_scan_cleanup+0x29/0x350
+ hci_connect_le_scan_cleanup+0x29/0x350
+ create_le_conn_complete+0x25c/0x2c0
+
+Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6763,6 +6763,9 @@ static void create_le_conn_complete(stru
+
+ hci_dev_lock(hdev);
+
++ if (!hci_conn_valid(hdev, conn))
++ goto done;
++
+ if (!err) {
+ hci_connect_le_scan_cleanup(conn, 0x00);
+ goto done;
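Review bot: The new early exit in create_le_conn_complete carries no comment explaining why a connection that was valid when the work was queued may no longer be by the time hci_dev_lock() returns; the nested commit message says it, the code does not. Suggest `/* conn may have been freed while waiting for hci_dev_lock() */` directly above the check. The `done` label and the remainder of create_le_conn_complete lie outside the hunk, so whether `done` releases hci_dev_lock (as the existing `goto done` on the `!err` path implies) cannot be confirmed here.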
diff --git a/queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch b/queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
new file mode 100644
index 0000000000..276683f73d
--- /dev/null
+++ b/queue-6.8/bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch
@@ -0,0 +1,66 @@
+From 7453847fb22c7c45334c43cc6a02ea5df5b9961d Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Fri, 16 Feb 2024 15:29:55 -0500
+Subject: Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 7453847fb22c7c45334c43cc6a02ea5df5b9961d upstream.
+
+Fixes the following trace where hci_acl_create_conn_sync attempts to
+call hci_abort_conn_sync after timeout:
+
+BUG: KASAN: slab-use-after-free in hci_abort_conn_sync
+(net/bluetooth/hci_sync.c:5439)
+Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36
+
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
+04/01/2014
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+<TASK>
+dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26
+./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127
+lib/dump_stack.c:107)
+print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
+? preempt_count_sub (kernel/sched/core.c:5889)
+? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1)
+./include/linux/rcupdate.h:865 (discriminator 1)
+./include/linux/mmzone.h:2026 (discriminator 1)
+arch/x86/mm/physaddr.c:65 (discriminator 1))
+? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
+kasan_report (mm/kasan/report.c:603)
+? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
+hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
+? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433)
+hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681)
+
+Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6735,15 +6735,10 @@ static int hci_acl_create_conn_sync(stru
+ else
+ cp.role_switch = 0x00;
+
+- err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
+- sizeof(cp), &cp,
+- HCI_EV_CONN_COMPLETE,
+- conn->conn_timeout, NULL);
+-
+- if (err == -ETIMEDOUT)
+- hci_abort_conn_sync(hdev, conn, HCI_ERROR_LOCAL_HOST_TERM);
+-
+- return err;
++ return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
++ sizeof(cp), &cp,
++ HCI_EV_CONN_COMPLETE,
++ conn->conn_timeout, NULL);
+ }
+
+ int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
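Review bot: With the `err = __hci_cmd_sync_status_sk(...)` assignment and `return err` removed, the `int err;` declared near the top of hci_acl_create_conn_sync (visible as context in the first patch of this series, around line 6687 of hci_sync.c) may be left without any remaining use, which would produce an unused-variable warning; the part of the function between the two hunks is not shown, so this needs checking. Dropping the -ETIMEDOUT path also means this function no longer aborts a timed-out HCI Create Connection itself, and neither the code nor the nested commit message says where that now happens; a one-line comment above the return such as `/* No abort on timeout here: conn may already be gone, see <PLACEHOLDER: owning path> */` would keep a later reader from re-adding the call that caused the UAF. The enclosing function starts outside the hunk.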
diff --git a/queue-6.8/series b/queue-6.8/series
index 961d585623..4bd7e39ee7 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -223,3 +223,6 @@ risc-v-selftests-cbo-ensure-asm-operands-match-const.patch
i2c-smbus-fix-null-function-pointer-dereference.patch
phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch
bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
+bluetooth-hci_sync-fix-uaf-in-hci_acl_create_conn_sync.patch
+bluetooth-hci_sync-fix-uaf-on-create_le_conn_complete.patch
+bluetooth-hci_sync-fix-uaf-on-hci_abort_conn_sync.patch