diff --git a/patches.kernel.org/6.2.12-014-Bluetooth-Fix-race-condition-in-hidp_session_t.patch b/patches.kernel.org/6.2.12-014-Bluetooth-Fix-race-condition-in-hidp_session_t.patch
new file mode 100644
index 0000000..c48536c
--- /dev/null
+++ b/patches.kernel.org/6.2.12-014-Bluetooth-Fix-race-condition-in-hidp_session_t.patch
@@ -0,0 +1,58 @@
+From: Min Li
+Date: Sat, 4 Mar 2023 22:23:30 +0800
+Subject: [PATCH] Bluetooth: Fix race condition in hidp_session_thread
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: c95930abd687fcd1aa040dc4fe90dff947916460
+
+commit c95930abd687fcd1aa040dc4fe90dff947916460 upstream.
+
+There is a potential race condition in hidp_session_thread that may
+lead to use-after-free. For instance, the timer is active while
+hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
+then 'session' will be freed, causing kernel panic when hidp_idle_timeout
+is running.
+
+The solution is to use del_timer_sync instead of del_timer.
+
+Here is the call trace:
+
+? hidp_session_probe+0x780/0x780
+call_timer_fn+0x2d/0x1e0
+__run_timers.part.0+0x569/0x940
+hidp_session_probe+0x780/0x780
+call_timer_fn+0x1e0/0x1e0
+ktime_get+0x5c/0xf0
+lapic_next_deadline+0x2c/0x40
+clockevents_program_event+0x205/0x320
+run_timer_softirq+0xa9/0x1b0
+__do_softirq+0x1b9/0x641
+__irq_exit_rcu+0xdc/0x190
+irq_exit_rcu+0xe/0x20
+sysvec_apic_timer_interrupt+0xa1/0xc0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Min Li
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index cc20e706..82cc15ad 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -433,7 +433,7 @@ static void hidp_set_timer(struct hidp_session *session)
+ static void hidp_del_timer(struct hidp_session *session)
+ {
+ if (session->idle_to > 0)
+- del_timer(&session->timer);
++ del_timer_sync(&session->timer);
+ }
+ 
+ static void hidp_process_report(struct hidp_session *session, int type,
+-- 
+2.35.3
+
diff --git a/series.conf b/series.conf
index b72de46..c0cc8e8 100644
--- a/series.conf
+++ b/series.conf
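Review bot: `del_timer_sync()` in `hidp_del_timer()` (the embedded core.c hunk) only guarantees that `hidp_idle_timeout` is not running when it returns; it does not stop the timer from being re-armed afterwards, so if any path can still call `hidp_set_timer()` between this call and `hidp_session_put()`, the use-after-free the description reports is narrowed rather than closed. The 6.2 base this backport targets should already have `timer_shutdown_sync()`, which additionally refuses later re-arms and would make the teardown independent of caller ordering; whether such a late `hidp_set_timer()` caller exists is not visible in this hunk and should be confirmed against `hidp_session_thread()`. `del_timer_sync()` also waits for the callback, so it must run in process context without holding a lock that `hidp_idle_timeout` takes; the description names `hidp_session_thread()` as the caller, which satisfies this, but any other caller of `hidp_del_timer()` in atomic context would now deadlock, which is worth stating at the call: `/* waits for hidp_idle_timeout() to finish; process context only */`. `hidp_del_timer()` itself is complete within the embedded hunk.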
@@ -2241,6 +2241,7 @@
 patches.kernel.org/6.2.12-011-ALSA-hda-sigmatel-fix-S-PDIF-out-on-Intel-D-45.patch
 patches.kernel.org/6.2.12-012-ALSA-hda-hdmi-disable-KAE-for-Intel-DG2.patch
 patches.kernel.org/6.2.12-013-Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_di.patch
+ patches.kernel.org/6.2.12-014-Bluetooth-Fix-race-condition-in-hidp_session_t.patch
 
 ########################################################
 # Build fixes that apply to the vanilla kernel too.