| Message ID | 20230304142330.7367-1-lm0963hack@gmail.com |
|---|---|
| State | Accepted |
| Commit | 4bbfb9fefadfcddb53b6d97acd95cf457166a2cf |
| Series | [v2,1/1] Bluetooth: fix race condition in hidp_session_thread |
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sat, 4 Mar 2023 22:23:30 +0800 you wrote:

> There is a potential race condition in hidp_session_thread that may
> lead to use-after-free. For instance, the timer is active while
> hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
> then 'session' will be freed, causing kernel panic when hidp_idle_timeout
> is running.
>
> The solution is to use del_timer_sync instead of del_timer.
>
> [...]

Here is the summary with links:

- [v2,1/1] Bluetooth: fix race condition in hidp_session_thread
  https://git.kernel.org/bluetooth/bluetooth-next/c/4bbfb9fefadf

You are awesome, thank you!
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index bed1a7b9205c..707f229f896a 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -433,7 +433,7 @@ static void hidp_set_timer(struct hidp_session *session) static void hidp_del_timer(struct hidp_session *session) { if (session->idle_to > 0) - del_timer(&session->timer); + del_timer_sync(&session->timer); } static void hidp_process_report(struct hidp_session *session, int type,
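Review bot: del_timer_sync() may wait for an in-flight hidp_idle_timeout() to complete, so every caller of hidp_del_timer() must be in a context where that wait is permitted and must not hold a lock the timer callback also takes, or the use-after-free is traded for a deadlock; since the hunk changes the shared helper rather than one call site, the commit log should name the call sites (hidp_session_thread() is the only one mentioned) and state that they are all process-context paths that hold no such lock. Also, del_timer_sync() only guarantees that the currently running callback has finished; it does not prevent the timer being re-armed afterwards through hidp_set_timer(), so the log should make clear that nothing can re-arm the timer between hidp_del_timer() and the final hidp_session_put() that frees the session.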
There is a potential race condition in hidp_session_thread that may
lead to use-after-free. For instance, the timer is active while
hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
then 'session' will be freed, causing kernel panic when hidp_idle_timeout
is running.

The solution is to use del_timer_sync instead of del_timer.

Here is the call trace:

```
 ? hidp_session_probe+0x780/0x780
 call_timer_fn+0x2d/0x1e0
 __run_timers.part.0+0x569/0x940
 hidp_session_probe+0x780/0x780
 call_timer_fn+0x1e0/0x1e0
 ktime_get+0x5c/0xf0
 lapic_next_deadline+0x2c/0x40
 clockevents_program_event+0x205/0x320
 run_timer_softirq+0xa9/0x1b0
 __do_softirq+0x1b9/0x641
 __irq_exit_rcu+0xdc/0x190
 irq_exit_rcu+0xe/0x20
 sysvec_apic_timer_interrupt+0xa1/0xc0
```

v2:
- Fixed code style issues

Signed-off-by: Min Li <lm0963hack@gmail.com>
---
 net/bluetooth/hidp/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)