From: Kefeng Wang
To: Marcel Holtmann
CC: Jeremy Cline, Johan Hedberg, Kefeng Wang
Subject: [PATCH] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Date: Sat, 23 Feb 2019 12:33:27 +0800
Message-ID: <20190223043327.45424-1-wangkefeng.wang@huawei.com>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: linux-kernel@vger.kernel.org

task A:                                        task B:
hci_uart_set_proto                             flush_to_ldisc
 - p->open(hu) -> h5_open //alloc h5            - receive_buf
 - set_bit HCI_UART_PROTO_READY                 - tty_port_default_receive_buf
 - hci_uart_register_dev                        - tty_ldisc_receive_buf
                                                - hci_uart_tty_receive
                                                   - test_bit HCI_UART_PROTO_READY
                                                   - h5_recv
 - clear_bit HCI_UART_PROTO_READY                     while() {
 - p->open(hu) -> h5_close //free h5                    - h5_rx_3wire_hdr
                                                        - h5_reset()  //use-after-free
                                                      }

The hci uart proto can be set via ioctl, but there is a use-after-free
issue when hci_uart_register_dev() fails in hci_uart_set_proto(); see the
stack above. Fix this by setting the HCI_UART_PROTO_READY bit only when
hci_uart_register_dev() returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang
---
 drivers/bluetooth/hci_ldisc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 4918fefc4a6f..9562e72c1ae5 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -696,14 +696,13 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
 		return -EPROTONOSUPPORT;
 
 	hu->proto = p;
-	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
 	err = hci_uart_register_dev(hu);
 	if (err) {
-		clear_bit(HCI_UART_PROTO_READY, &hu->flags);
 		return err;
 	}
 
+	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 	return 0;
 }
 
-- 
2.20.1
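Review bot: moving set_bit(HCI_UART_PROTO_READY, &hu->flags) after hci_uart_register_dev() closes the failure-path race shown in the commit message, but it also leaves the hdev registered, and so reachable from userspace, for a window in which the bit is still clear; nothing in this hunk shows that no path reached through hci_uart_register_dev(), or through an open on the freshly registered device, tests that bit, so please confirm that and state it in the commit message, whose rationale ("see the stack above") only covers the error path. The moved line also deserves a one-line comment saying the bit must not become visible to hci_uart_tty_receive() until registration has succeeded, because p->close() frees the protocol state the receive path dereferences; without it the next reader may move the set_bit back up. Minor: with the clear_bit gone, `if (err) { return err; }` is a single statement and the braces can be dropped, per kernel style.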
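The race in the commit message comes down to one ordering question: is the READY flag published before or after the step that can fail and tear the protocol state down? The following is an added model written for this page, not kernel code and not part of the patch; struct hci_uart_model, proto_open(), proto_close(), receiver_check(), receiver_use() and run_scenario() are constructed stand-ins for the fields and functions named in the call stack above. It interleaves the two tasks deterministically at the point where the real window sits, during registration, and reports whether the receive path touched protocol state that had already been closed, for both the pre-patch and the post-patch ordering.

```c
/* Constructed model of the hci_uart_set_proto() / hci_uart_tty_receive() race.
 * Not kernel code: names mirror the call stack in the commit message only. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define PROTO_READY 0x1UL            /* stands in for HCI_UART_PROTO_READY */

enum rx_result {
    RX_DROPPED,                      /* receive path saw the bit clear and did nothing */
    RX_HANDLED,                      /* receive path used live protocol state */
    RX_STALE_USE                     /* receive path used state already closed: the UAF */
};

struct proto {                       /* stands in for the h5 state allocated by h5_open() */
    bool alive;                      /* cleared by proto_close() instead of freeing, so the
                                        stale use can be observed instead of crashing */
    int resets;
};

struct hci_uart_model {              /* the two struct hci_uart fields the race involves */
    unsigned long flags;
    struct proto *proto;
};

static struct proto *proto_open(void)
{
    struct proto *p = calloc(1, sizeof(*p));
    if (p)
        p->alive = true;
    return p;
}

static void proto_close(struct proto *p)
{
    p->alive = false;                /* the real h5_close() frees this memory */
}

/* Task B, first half: hci_uart_tty_receive() tests the READY bit and, if it is
 * set, enters the protocol receive path holding hu->proto. */
static struct proto *receiver_check(const struct hci_uart_model *hu)
{
    if (!(hu->flags & PROTO_READY))
        return NULL;                 /* bit clear: bytes are dropped, proto untouched */
    return hu->proto;
}

/* Task B, second half: h5_recv() -> h5_reset() dereferences the held state. */
static enum rx_result receiver_use(struct proto *p)
{
    if (!p->alive)
        return RX_STALE_USE;
    p->resets++;
    return RX_HANDLED;
}

/* Task A: hci_uart_set_proto() with the registration outcome chosen by the
 * caller. ready_after_register = false sets the bit before registration
 * (pre-patch); true sets it only after registration succeeded (post-patch).
 * The receiver's check runs while registration is in progress, which is
 * where the real window lies; returns what the receive path ended up doing. */
static enum rx_result run_scenario(bool ready_after_register, bool register_fails)
{
    struct hci_uart_model hu = { .flags = 0, .proto = proto_open() };
    struct proto *p = hu.proto;
    struct proto *held;
    enum rx_result result;

    if (!ready_after_register)
        hu.flags |= PROTO_READY;                 /* pre-patch: published too early */

    held = receiver_check(&hu);                  /* task B runs during registration */

    if (register_fails) {                        /* hci_uart_register_dev() failed */
        hu.flags &= ~PROTO_READY;
        proto_close(p);                          /* p->close(hu): state is gone */
        hu.proto = NULL;
    } else if (ready_after_register) {
        hu.flags |= PROTO_READY;                 /* post-patch: publish after success */
    }

    result = held ? receiver_use(held) : RX_DROPPED;   /* task B resumes */
    free(p);
    return result;
}

int main(void)
{
    printf("pre-patch,  registration fails: %d (2 = stale use)\n", run_scenario(false, true));
    printf("post-patch, registration fails: %d (0 = dropped)\n", run_scenario(true, true));
    printf("post-patch, registration ok:    %d (0 = dropped until bit set)\n", run_scenario(true, false));
    return 0;
}
```

With the pre-patch ordering and a failed registration the receiver passes the test_bit, registration then fails, p->close() tears the state down, and the receiver's continuation lands on closed state; with the post-patch ordering the receiver sees the bit clear during the whole registration and drops the bytes, whether registration succeeds or not, which is exactly the property the patch relies on.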