cve/published/2024/CVE-2024-41063.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41063: Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

 syzbot is reporting that calling hci_release_dev() from hci_error_reset()
 due to hci_dev_put() from hci_error_reset() can cause deadlock at
 destroy_workqueue(), for hci_error_reset() is called from
 hdev->req_workqueue which destroy_workqueue() needs to flush.

 We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are
 queued into hdev->workqueue and hdev->{power_on,error_reset} which are
 queued into hdev->req_workqueue are no longer running by the moment

        destroy_workqueue(hdev->workqueue);
        destroy_workqueue(hdev->req_workqueue);

 are called from hci_release_dev().

 Call cancel_work_sync() on these work items from hci_unregister_dev()
 as soon as hdev->list is removed from hci_dev_list.

 The Linux kernel CVE team has assigned CVE-2024-41063 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.319 with commit 48542881997e17b49dc16b93fe910e0cfcf7a9f9
 	Fixed in 5.4.281 with commit 9cfc84b1d464cc024286f42a090718f9067b80ed
 	Fixed in 5.10.223 with commit ddeda6ca5f218b668b560d90fc31ae469adbfd92
 	Fixed in 5.15.164 with commit d2ce562a5aff1dcd0c50d9808ea825ef90da909f
 	Fixed in 6.1.101 with commit 96600c2e5ee8213dbab5df1617293d8e847bb4fa
 	Fixed in 6.6.42 with commit d6cbce18370641a21dd889e8613d8153df15eb39
 	Fixed in 6.9.11 with commit 3f939bd73fed12dddc2a32a76116c19ca47c7678
 	Fixed in 6.10 with commit 0d151a103775dd9645c78c97f77d6e2a5298d913

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41063
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/hci_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9
 	https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed
 	https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92
 	https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f
 	https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa
 	https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39
 	https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678
 	https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41063: Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

	syzbot is reporting that calling hci_release_dev() from hci_error_reset()
	due to hci_dev_put() from hci_error_reset() can cause deadlock at
	destroy_workqueue(), for hci_error_reset() is called from
	hdev->req_workqueue which destroy_workqueue() needs to flush.

	We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are
	queued into hdev->workqueue and hdev->{power_on,error_reset} which are
	queued into hdev->req_workqueue are no longer running by the moment

	destroy_workqueue(hdev->workqueue);
	destroy_workqueue(hdev->req_workqueue);

	are called from hci_release_dev().

	Call cancel_work_sync() on these work items from hci_unregister_dev()
	as soon as hdev->list is removed from hci_dev_list.

	The Linux kernel CVE team has assigned CVE-2024-41063 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.319 with commit 48542881997e17b49dc16b93fe910e0cfcf7a9f9
	Fixed in 5.4.281 with commit 9cfc84b1d464cc024286f42a090718f9067b80ed
	Fixed in 5.10.223 with commit ddeda6ca5f218b668b560d90fc31ae469adbfd92
	Fixed in 5.15.164 with commit d2ce562a5aff1dcd0c50d9808ea825ef90da909f
	Fixed in 6.1.101 with commit 96600c2e5ee8213dbab5df1617293d8e847bb4fa
	Fixed in 6.6.42 with commit d6cbce18370641a21dd889e8613d8153df15eb39
	Fixed in 6.9.11 with commit 3f939bd73fed12dddc2a32a76116c19ca47c7678
	Fixed in 6.10 with commit 0d151a103775dd9645c78c97f77d6e2a5298d913

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41063
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/hci_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9
	https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed
	https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92
	https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f
	https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa
	https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39
	https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678
	https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913