Commit 4d0bb954 authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz Committed by Zhengchao Shao

Bluetooth: Fix usage of __hci_cmd_sync_status

mainline inclusion
from mainline-v6.11-rc1
commit 87be7b189b2c50d4b51512f59e4e97db4eedee8a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEK1
CVE: CVE-2024-41062

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=87be7b189b2c50d4b51512f59e4e97db4eedee8a



-------------------------------------------

__hci_cmd_sync_status shall only be used if hci_req_sync_lock is _not_
required which is not the case of hci_dev_cmd so it needs to use
hci_cmd_sync_status which uses hci_req_sync_lock internally.

Fixes: f1a8f402f13f ("Bluetooth: L2CAP: Fix deadlock")
Reported-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
parent c995a48c
+12 −15
@@ -711,7 +711,7 @@ int hci_dev_cmd(unsigned int cmd, void __user *arg)

	switch (cmd) {
	case HCISETAUTH:
		err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
		break;

@@ -723,7 +723,7 @@ int hci_dev_cmd(unsigned int cmd, void __user *arg)

		if (!test_bit(HCI_AUTH, &hdev->flags)) {
			/* Auth must be enabled first */
			err = __hci_cmd_sync_status(hdev,
			err = hci_cmd_sync_status(hdev,
						  HCI_OP_WRITE_AUTH_ENABLE,
						  1, &dr.dev_opt,
						  HCI_CMD_TIMEOUT);
@@ -731,15 +731,13 @@ int hci_dev_cmd(unsigned int cmd, void __user *arg)
				break;
		}

		err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
					    1, &dr.dev_opt,
					    HCI_CMD_TIMEOUT);
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
		break;

	case HCISETSCAN:
		err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
					    1, &dr.dev_opt,
					    HCI_CMD_TIMEOUT);
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);

		/* Ensure that the connectable and discoverable states
		 * get correctly modified as this was a non-mgmt change.
@@ -751,9 +749,8 @@ int hci_dev_cmd(unsigned int cmd, void __user *arg)
	case HCISETLINKPOL:
		policy = cpu_to_le16(dr.dev_opt);

		err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
					    2, &policy,
					    HCI_CMD_TIMEOUT);
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
					  2, &policy, HCI_CMD_TIMEOUT);
		break;

	case HCISETLINKMODE: