From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com, Kefeng Wang, Jeremy Cline, Marcel Holtmann
Subject: [PATCH 4.14 22/41] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Date: Tue, 26 Mar 2019 15:29:59 +0900
Message-Id: <20190326042651.101088202@linuxfoundation.org>
In-Reply-To: <20190326042649.889479098@linuxfoundation.org>
References: <20190326042649.889479098@linuxfoundation.org>
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kefeng Wang

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5  - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                - tty_ldisc_receive_buf
                                         - hci_uart_tty_receive
                                          - test_bit HCI_UART_PROTO_READY
                                          - h5_recv
 - clear_bit HCI_UART_PROTO_READY       while() {
 - p->open(hu) -> h5_close  //free h5    - h5_rx_3wire_hdr
                                         - h5_reset()  //use-after-free
                                        }

It could use ioctl to set hci uart proto, but there is a use-after-free issue
when hci_uart_register_dev() fails in hci_uart_set_proto(); see the stack above.
Fix this by setting the HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang
Reviewed-by: Jeremy Cline
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman

---
 drivers/bluetooth/hci_ldisc.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c @@ -692,14 +692,13 @@ static int hci_uart_set_proto(struct hci return -EPROTONOSUPPORT; hu->proto = p; - set_bit(HCI_UART_PROTO_READY, &hu->flags); err = hci_uart_register_dev(hu); if (err) { - clear_bit(HCI_UART_PROTO_READY, &hu->flags); return err; } + set_bit(HCI_UART_PROTO_READY, &hu->flags); return 0; }
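Review bot: the error path after hci_uart_register_dev() fails now returns with the proto still opened by p->open() and the READY bit never set, which is correct, but the diagram says the close that frees h5 runs on that path while the hunk as rendered shows only `return err;` between the removed clear_bit() and the closing brace (and the @@ -692,14 +692,13 @@ counts allow for one more context line than is visible); please confirm p->close(hu) is still on that path, otherwise the h5 allocation leaks on registration failure. Also worth confirming that nothing reached from inside hci_uart_register_dev() tests HCI_UART_PROTO_READY, since with set_bit() moved after the call any such path now sees the bit clear for the duration of registration.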
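An added example, not part of this patch or of the kernel tree: a single-threaded C model of the interleaving in the commit message, with the pre-patch and post-patch orderings selectable so the effect of moving set_bit() can be checked directly. The names hci_uart_set_proto, h5_open, h5_close, hci_uart_register_dev and HCI_UART_PROTO_READY are borrowed from the diagram; their bodies, the H5_LIVE/H5_FREED markers, the register_fails knob and the preempt hook that stands in for flush_to_ldisc() are constructed for the model, and the free in h5_close() is replaced by poisoning so the bad dereference is detected rather than being undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the ordering bug, not kernel code. Names mirror
 * drivers/bluetooth/hci_ldisc.c and hci_h5.c; the bodies are stand-ins. */

#define HCI_UART_PROTO_READY 0UL

#define H5_LIVE  0x4835u   /* constructed marker: h5 state is valid */
#define H5_FREED 0xdeadu   /* constructed marker: h5_close() has run */

struct h5 { unsigned int magic; };

struct hci_uart {
	unsigned long flags;
	struct h5 *priv;        /* allocated by h5_open(), released by h5_close() */
	bool register_fails;    /* constructed knob: force hci_uart_register_dev() to fail */
};

static bool test_bit(unsigned long nr, const unsigned long *p) { return (*p >> nr) & 1UL; }
static void set_bit(unsigned long nr, unsigned long *p)        { *p |= 1UL << nr; }
static void clear_bit(unsigned long nr, unsigned long *p)      { *p &= ~(1UL << nr); }

static int h5_open(struct hci_uart *hu)
{
	hu->priv = malloc(sizeof *hu->priv);
	if (!hu->priv)
		return -ENOMEM;
	hu->priv->magic = H5_LIVE;
	return 0;
}

/* The kernel frees hu->priv here and leaves the pointer dangling. Poisoning
 * instead of free() keeps this model defined while still detecting the use. */
static void h5_close(struct hci_uart *hu) { hu->priv->magic = H5_FREED; }

static int hci_uart_register_dev(struct hci_uart *hu) { return hu->register_fails ? -EIO : 0; }

/* Task B from the diagram, split where it can be preempted: the READY test in
 * hci_uart_tty_receive(), then the dereference of h5 state inside h5_recv(). */
enum rx { RX_DROPPED, RX_OK, RX_USE_AFTER_FREE };

static bool rx_test_ready(struct hci_uart *hu) { return test_bit(HCI_UART_PROTO_READY, &hu->flags); }
static enum rx rx_use_proto(struct hci_uart *hu) { return hu->priv->magic == H5_LIVE ? RX_OK : RX_USE_AFTER_FREE; }

/* Task A. 'fixed' selects the post-patch ordering. If 'preempt_passed' is set,
 * task B's test_bit runs at the point where flush_to_ldisc() interleaves in
 * the diagram and the outcome is recorded there. */
static int hci_uart_set_proto(struct hci_uart *hu, bool fixed, bool *preempt_passed)
{
	int err = h5_open(hu);
	if (err)
		return err;
	if (!fixed)
		set_bit(HCI_UART_PROTO_READY, &hu->flags);   /* pre-patch: published before registration */

	if (preempt_passed)
		*preempt_passed = rx_test_ready(hu);         /* task B reaches test_bit here */

	err = hci_uart_register_dev(hu);
	if (err) {
		if (!fixed)
			clear_bit(HCI_UART_PROTO_READY, &hu->flags);
		h5_close(hu);                                /* "h5_close //free h5" in the diagram */
		return err;
	}
	if (fixed)
		set_bit(HCI_UART_PROTO_READY, &hu->flags);   /* post-patch: published only on success */
	return 0;
}

/* The exact interleaving from the commit message, with registration failing. */
static enum rx race_register_failure(bool fixed)
{
	struct hci_uart hu = { .flags = 0, .priv = NULL, .register_fails = true };
	bool b_passed = false;
	enum rx result;

	(void)hci_uart_set_proto(&hu, fixed, &b_passed);     /* fails and closes h5 */
	result = b_passed ? rx_use_proto(&hu) : RX_DROPPED;  /* task B continues into h5_recv() */
	free(hu.priv);
	return result;
}

/* Control case: registration succeeds and a frame arrives afterwards. */
static enum rx normal_receive(bool fixed)
{
	struct hci_uart hu = { .flags = 0, .priv = NULL, .register_fails = false };
	enum rx result;

	if (hci_uart_set_proto(&hu, fixed, NULL))
		return RX_DROPPED;
	result = rx_test_ready(&hu) ? rx_use_proto(&hu) : RX_DROPPED;
	free(hu.priv);
	return result;
}

int main(void)
{
	printf("register fails, pre-patch ordering : %d (2 = use-after-free)\n", race_register_failure(false));
	printf("register fails, post-patch ordering: %d (0 = dropped)\n", race_register_failure(true));
	printf("normal receive, post-patch ordering: %d (1 = ok)\n", normal_receive(true));
	return 0;
}
```

The model only covers the window the commit message describes: a receive that has already passed test_bit before registration fails. With the post-patch ordering that receive is rejected at the test and never reaches h5 state; a receive that arrives after a successful hci_uart_set_proto() is delivered the same way under both orderings.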