cve/published/2024/CVE-2024-53207.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53207: Bluetooth: MGMT: Fix possible deadlocks

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Bluetooth: MGMT: Fix possible deadlocks

 This fixes possible deadlocks like the following caused by
 hci_cmd_sync_dequeue causing the destroy function to run:

  INFO: task kworker/u19:0:143 blocked for more than 120 seconds.
        Tainted: G        W  O        6.8.0-2024-03-19-intel-next-iLS-24ww14 #1
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  task:kworker/u19:0   state:D stack:0     pid:143   tgid:143   ppid:2      flags:0x00004000
  Workqueue: hci0 hci_cmd_sync_work [bluetooth]
  Call Trace:
   <TASK>
   __schedule+0x374/0xaf0
   schedule+0x3c/0xf0
   schedule_preempt_disabled+0x1c/0x30
   __mutex_lock.constprop.0+0x3ef/0x7a0
   __mutex_lock_slowpath+0x13/0x20
   mutex_lock+0x3c/0x50
   mgmt_set_connectable_complete+0xa4/0x150 [bluetooth]
   ? kfree+0x211/0x2a0
   hci_cmd_sync_dequeue+0xae/0x130 [bluetooth]
   ? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth]
   cmd_complete_rsp+0x26/0x80 [bluetooth]
   mgmt_pending_foreach+0x4d/0x70 [bluetooth]
   __mgmt_power_off+0x8d/0x180 [bluetooth]
   ? _raw_spin_unlock_irq+0x23/0x40
   hci_dev_close_sync+0x445/0x5b0 [bluetooth]
   hci_set_powered_sync+0x149/0x250 [bluetooth]
   set_powered_sync+0x24/0x60 [bluetooth]
   hci_cmd_sync_work+0x90/0x150 [bluetooth]
   process_one_work+0x13e/0x300
   worker_thread+0x2f7/0x420
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x107/0x140
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x3d/0x60
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1b/0x30
   </TASK>

 The Linux kernel CVE team has assigned CVE-2024-53207 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.55 with commit 4883296505aa7e4863c6869b689afb6005633b23 and fixed in 6.6.64 with commit 5703fb1d85f653e35b327b14de4db7da239e4fd9
 	Issue introduced in 6.11.3 with commit 8c3f7943a29145d8a2d8e24893762f7673323eae and fixed in 6.11.11 with commit 6a25ce9b4af6dc26ee2b9c32d6bd37620bf9739e
 	Issue introduced in 6.12 with commit f53e1c9c726d83092167f2226f32bd3b73f26c21 and fixed in 6.12.2 with commit cac34e44281f1f1bd842adbbcfe3ef9ff0905111
 	Issue introduced in 6.12 with commit f53e1c9c726d83092167f2226f32bd3b73f26c21 and fixed in 6.13 with commit a66dfaf18fd61bb75ef8cee83db46b2aadf153d0
 	Issue introduced in 6.10.14 with commit 0cc47233af35fb5f10b5e6a027cb4ccd480caf9a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53207
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bluetooth/mgmt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c3f594a3473d6429a0bcf2004cb2885368741b79
 	https://git.kernel.org/stable/c/5703fb1d85f653e35b327b14de4db7da239e4fd9
 	https://git.kernel.org/stable/c/6a25ce9b4af6dc26ee2b9c32d6bd37620bf9739e
 	https://git.kernel.org/stable/c/cac34e44281f1f1bd842adbbcfe3ef9ff0905111
 	https://git.kernel.org/stable/c/a66dfaf18fd61bb75ef8cee83db46b2aadf153d0
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53207: Bluetooth: MGMT: Fix possible deadlocks

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Bluetooth: MGMT: Fix possible deadlocks

	This fixes possible deadlocks like the following caused by
	hci_cmd_sync_dequeue causing the destroy function to run:

	INFO: task kworker/u19:0:143 blocked for more than 120 seconds.
	Tainted: G W O 6.8.0-2024-03-19-intel-next-iLS-24ww14 #1
	"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
	task:kworker/u19:0 state:D stack:0 pid:143 tgid:143 ppid:2 flags:0x00004000
	Workqueue: hci0 hci_cmd_sync_work [bluetooth]
	Call Trace:
	<TASK>
	__schedule+0x374/0xaf0
	schedule+0x3c/0xf0
	schedule_preempt_disabled+0x1c/0x30
	__mutex_lock.constprop.0+0x3ef/0x7a0
	__mutex_lock_slowpath+0x13/0x20
	mutex_lock+0x3c/0x50
	mgmt_set_connectable_complete+0xa4/0x150 [bluetooth]
	? kfree+0x211/0x2a0
	hci_cmd_sync_dequeue+0xae/0x130 [bluetooth]
	? __pfx_cmd_complete_rsp+0x10/0x10 [bluetooth]
	cmd_complete_rsp+0x26/0x80 [bluetooth]
	mgmt_pending_foreach+0x4d/0x70 [bluetooth]
	__mgmt_power_off+0x8d/0x180 [bluetooth]
	? _raw_spin_unlock_irq+0x23/0x40
	hci_dev_close_sync+0x445/0x5b0 [bluetooth]
	hci_set_powered_sync+0x149/0x250 [bluetooth]
	set_powered_sync+0x24/0x60 [bluetooth]
	hci_cmd_sync_work+0x90/0x150 [bluetooth]
	process_one_work+0x13e/0x300
	worker_thread+0x2f7/0x420
	? __pfx_worker_thread+0x10/0x10
	kthread+0x107/0x140
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x3d/0x60
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1b/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-53207 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.55 with commit 4883296505aa7e4863c6869b689afb6005633b23 and fixed in 6.6.64 with commit 5703fb1d85f653e35b327b14de4db7da239e4fd9
	Issue introduced in 6.11.3 with commit 8c3f7943a29145d8a2d8e24893762f7673323eae and fixed in 6.11.11 with commit 6a25ce9b4af6dc26ee2b9c32d6bd37620bf9739e
	Issue introduced in 6.12 with commit f53e1c9c726d83092167f2226f32bd3b73f26c21 and fixed in 6.12.2 with commit cac34e44281f1f1bd842adbbcfe3ef9ff0905111
	Issue introduced in 6.12 with commit f53e1c9c726d83092167f2226f32bd3b73f26c21 and fixed in 6.13 with commit a66dfaf18fd61bb75ef8cee83db46b2aadf153d0
	Issue introduced in 6.10.14 with commit 0cc47233af35fb5f10b5e6a027cb4ccd480caf9a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53207
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bluetooth/mgmt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c3f594a3473d6429a0bcf2004cb2885368741b79
	https://git.kernel.org/stable/c/5703fb1d85f653e35b327b14de4db7da239e4fd9
	https://git.kernel.org/stable/c/6a25ce9b4af6dc26ee2b9c32d6bd37620bf9739e
	https://git.kernel.org/stable/c/cac34e44281f1f1bd842adbbcfe3ef9ff0905111
	https://git.kernel.org/stable/c/a66dfaf18fd61bb75ef8cee83db46b2aadf153d0