From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com, Kefeng Wang, Jeremy Cline, Marcel Holtmann
Subject: [PATCH 5.0 40/52] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Date: Tue, 26 Mar 2019 15:30:27 +0900
Message-Id: <20190326042703.109244206@linuxfoundation.org>
In-Reply-To: <20190326042700.963224437@linuxfoundation.org>

5.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kefeng Wang

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                  task B:
hci_uart_set_proto                       flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5     - receive_buf
 - set_bit HCI_UART_PROTO_READY            - tty_port_default_receive_buf
 - hci_uart_register_dev                    - tty_ldisc_receive_buf
                                             - hci_uart_tty_receive
                                              - test_bit HCI_UART_PROTO_READY
                                               - h5_recv
 - clear_bit HCI_UART_PROTO_READY                while() {
 - p->open(hu) -> h5_close //free h5
                                                 - h5_rx_3wire_hdr
                                                  - h5_reset()  //use-after-free
                                                 }

It could use ioctl to set hci uart proto, but there is a use-after-free
issue when hci_uart_register_dev() fails in hci_uart_set_proto(), see
stack above, fix this by setting HCI_UART_PROTO_READY bit only when
hci_uart_register_dev() returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang
Reviewed-by: Jeremy Cline
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman
---
 drivers/bluetooth/hci_ldisc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c @@ -696,14 +696,13 @@ static int hci_uart_set_proto(struct hci return -EPROTONOSUPPORT; hu->proto = p; - set_bit(HCI_UART_PROTO_READY, &hu->flags); err = hci_uart_register_dev(hu); if (err) { - clear_bit(HCI_UART_PROTO_READY, &hu->flags); return err; } + set_bit(HCI_UART_PROTO_READY, &hu->flags); return 0; }
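
Review bot: in the error path after hci_uart_register_dev(), hu->proto is still left pointing at p, although the call sequence in the commit message shows the protocol state being freed on that failure; with this change the HCI_UART_PROTO_READY bit is the only thing keeping the receive path away from it, so consider resetting hu->proto before `return err;` or adding a comment on why leaving it set is safe. Now that the clear_bit() is gone, the `if (err) { return err; }` body is a single statement and the braces can be dropped per kernel coding style. It is also worth confirming that the new window between a successful hci_uart_register_dev() and `set_bit(HCI_UART_PROTO_READY, &hu->flags);` is acceptable, since a path that tests the bit in that window, such as hci_uart_tty_receive in the trace above, will treat the registered device as not ready.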