Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp858504pxj;
        Thu, 27 May 2021 13:20:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxfbrDPYWDuSpCd2HKLJhKgM/HYa3fdQ1L3UwKS0MKBbozzel4bfI31kYxTdIcaQ5OpeqIn
X-Received: by 2002:a05:6402:781:: with SMTP id d1mr6417494edy.32.1622146808930;
        Thu, 27 May 2021 13:20:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622146808; cv=none;
        d=google.com; s=arc-20160816;
        b=forA+LXIyOlnpBak5nDgJkNktXS/GyS8/+XGnU/MpAqW59Qz9hhi1d/GTUPSVS9i/G
         XXXhS3+uLl+zGyh8FIUyS9N3qlU3qEqlUxK58pZqa087YSJOpe4ZCqniwmXAbdtAI5Pr
         66pnnIghxQocUTqascSCgv0ehKnGGy7jRxdbvxzd6WctTRaHVZZigYF5fvO4CYcjmVNY
         6KRBUnFiTthhjYs8x2nEErHAcxzXYsrwIsJ1G0VwvH/cgcbNFMed7wkFNIQoQo16pYDC
         KFYbGSOfNqxVXSh8b4BOqiGHqQ9pL2lHSxOpLu7xjkcad3Kycot9VBgfOPwdrF8CwYeX
         JTlw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version;
        bh=Yp/u2+TOV23XG/FimRLINajQ7ZhPEcKu2vG+SaZUITA=;
        b=hqCjvdwuMqJzCX6EBE+3hI7VlNT0+GRHf+jtJevLBi3xVbcaF9Fbktev0s5jZcCktc
         oUcEXoYP1hrYbR1IWHEH0ZLct7lk/+zYtgcgDrVfXsfjsxhnia+RrQkb4UIQ23IZopAD
         uTou9r8LQzK75d9lxb/WWm+ip/HB55LksnLf0Yr2H7yqkCkRwSfyceK/z9m+LYuKGwlL
         Rkbf74kxR+tu6mQcJHByKmlckbsDxgzCVepZL4h1icm3PKPb5Z2e/GdzxZYPz6vvHUvl
         BwvAYBmUA4d6tjSUNk5tVLad0SkkF+jps4rxBBV6apCqiATwYQ9SpVK0ngLEEEkgyRdy
         ChJA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x2si3310550ejs.442.2021.05.27.13.18.42;
        Thu, 27 May 2021 13:20:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235820AbhE0UQf (ORCPT <rfc822;maitysanchayan@gmail.com>
        + 99 others); Thu, 27 May 2021 16:16:35 -0400
Received: from coyote.holtmann.net ([212.227.132.17]:35264 "EHLO
        mail.holtmann.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235819AbhE0UQf (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Thu, 27 May 2021 16:16:35 -0400
Received: from smtpclient.apple (p4fefc9d6.dip0.t-ipconnect.de [79.239.201.214])
        by mail.holtmann.org (Postfix) with ESMTPSA id D0E9ECECC9;
        Thu, 27 May 2021 22:22:55 +0200 (CEST)
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Subject: Re: [PATCH v2] Bluetooth: fix the erroneous flush_work() order
From:   Marcel Holtmann <marcel@holtmann.org>
In-Reply-To: <20210525123902.189012-1-gregkh@linuxfoundation.org>
Date:   Thu, 27 May 2021 22:14:59 +0200
Cc:     Johan Hedberg <johan.hedberg@gmail.com>,
        Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
        linma <linma@zju.edu.cn>,
        "David S. Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        linux-bluetooth <linux-bluetooth@vger.kernel.org>,
        "open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>,
        Hao Xiong <mart1n@zju.edu.cn>, stable <stable@vger.kernel.org>
Content-Transfer-Encoding: 7bit
Message-Id: <BF0493D4-AB96-44D3-8229-9EA6D084D260@holtmann.org>
References: <20210525123902.189012-1-gregkh@linuxfoundation.org>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Greg,

> In the cleanup routine for failed initialization of HCI device,
> the flush_work(&hdev->rx_work) need to be finished before the
> flush_work(&hdev->cmd_work). Otherwise, the hci_rx_work() can
> possibly invoke new cmd_work and cause a bug, like double free,
> in late processings.
> 
> This was assigned CVE-2021-3564.
> 
> This patch reorder the flush_work() to fix this bug.
> 
> Cc: Marcel Holtmann <marcel@holtmann.org>
> Cc: Johan Hedberg <johan.hedberg@gmail.com>
> Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: linux-bluetooth@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> Signed-off-by: Hao Xiong <mart1n@zju.edu.cn>
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> net/bluetooth/hci_core.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)

patch has been applied to bluetooth-stable tree.

Regards

Marcel