From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com, Kefeng Wang, Jeremy Cline, Marcel Holtmann
Subject: [PATCH 4.9 02/31] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Date: Fri, 15 Nov 2019 14:20:31 +0800
Message-Id: <20191115062010.682028342@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191115062009.813108457@linuxfoundation.org>
References: <20191115062009.813108457@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kefeng Wang

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open //alloc h5    - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                - tty_ldisc_receive_buf
                                        - hci_uart_tty_receive
                                        - test_bit HCI_UART_PROTO_READY
                                        - h5_recv
 - clear_bit HCI_UART_PROTO_READY         while() {
 - p->open(hu) -> h5_close //free h5        - h5_rx_3wire_hdr
                                            - h5_reset() //use-after-free
                                          }

It could use ioctl to set hci uart proto, but there is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto(), see stack above, fix this by setting HCI_UART_PROTO_READY bit only when hci_uart_register_dev() returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang
Reviewed-by: Jeremy Cline
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman
---
 drivers/bluetooth/hci_ldisc.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -653,15 +653,14 @@ static int hci_uart_set_proto(struct hci return err; hu->proto = p; - set_bit(HCI_UART_PROTO_READY, &hu->flags); err = hci_uart_register_dev(hu); if (err) { - clear_bit(HCI_UART_PROTO_READY, &hu->flags); p->close(hu); return err; } + set_bit(HCI_UART_PROTO_READY, &hu->flags); return 0; }
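Review bot: on the error path in this hunk, hu->proto is left pointing at p after p->close(hu) has torn it down, while the whole point of the change is that nothing should touch a closed proto; consider resetting hu->proto = NULL before return err so that any caller reading hu->proto without first checking HCI_UART_PROTO_READY cannot dereference it. The relocated set_bit(HCI_UART_PROTO_READY, &hu->flags) is now the only publication point for the proto, so a one-line comment above it stating that it must stay after hci_uart_register_dev() succeeds, paired with the test_bit() in hci_uart_tty_receive(), would keep a later refactor from hoisting it back above the registration call.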
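The ordering the commit message describes, as an added example that is not part of the patch or of the kernel's own code: a single-threaded C model in which the simulated receive path (task B) is run at the point where hci_uart_register_dev() can block, so the pre-patch and patched placements of set_bit() can be compared deterministically. Every structure, the tombstone bookkeeping, and the function names (set_proto, run_race, receive_begin, receive_continue) are constructed here for illustration and only loosely mirror hci_ldisc.c; no freed memory is ever dereferenced, a would-be use-after-free is only reported.

```c
/* Model of the HCI_UART_PROTO_READY publication race fixed by the patch above.
 * Added illustration, not kernel code: names loosely mirror hci_ldisc.c, but the
 * structures, the interleaving hook and the tombstone bookkeeping are invented here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HCI_UART_PROTO_READY 0

/* Stand-in for the h5 private state that h5_open() allocates and h5_close() frees. */
struct h5 { int rx_state; };

struct hci_uart {
    unsigned long flags;
    struct h5 *priv;            /* hu->priv in the real driver */
};

/* Constructed tombstone: remember which allocation was freed so the simulated
 * receive path can report a would-be use-after-free without touching freed memory. */
static uintptr_t last_freed;

static void set_bit_(int nr, unsigned long *flags)        { *flags |=  (1UL << nr); }
static void clear_bit_(int nr, unsigned long *flags)      { *flags &= ~(1UL << nr); }
static bool test_bit_(int nr, const unsigned long *flags) { return (*flags >> nr) & 1; }

static int h5_open(struct hci_uart *hu)
{
    hu->priv = calloc(1, sizeof *hu->priv);
    return hu->priv ? 0 : -1;
}

static void h5_close(struct hci_uart *hu)
{
    last_freed = (uintptr_t)hu->priv;
    free(hu->priv);
    hu->priv = NULL;
}

/* Task B, first half: hci_uart_tty_receive() -> h5_recv() only proceeds when the
 * READY bit is set, and then keeps using hu->priv. Returns the captured pointer. */
static struct h5 *receive_begin(struct hci_uart *hu)
{
    if (!test_bit_(HCI_UART_PROTO_READY, &hu->flags))
        return NULL;
    return hu->priv;
}

/* Task B, second half: the while() loop in h5_recv() continues with the pointer
 * captured earlier. Returns true if that allocation has been freed in the meantime. */
static bool receive_continue(struct h5 *h5)
{
    if (!h5)
        return false;                       /* nothing captured, nothing to use */
    if ((uintptr_t)h5 == last_freed)
        return true;                        /* h5_reset() would now touch freed memory */
    h5->rx_state++;                         /* still live: safe to use */
    return false;
}

/* Task A. The simulated hci_uart_register_dev() is where the real one can block
 * long enough for task B to run, so the receive path is run inside it before it
 * fails or succeeds. publish_early selects the pre-patch ordering of set_bit(). */
static int set_proto(struct hci_uart *hu, bool publish_early, bool register_fails,
                     struct h5 **captured)
{
    if (h5_open(hu))
        return -1;
    if (publish_early)
        set_bit_(HCI_UART_PROTO_READY, &hu->flags);

    *captured = receive_begin(hu);          /* task B interleaves here */
    if (register_fails) {
        if (publish_early)
            clear_bit_(HCI_UART_PROTO_READY, &hu->flags);
        h5_close(hu);                       /* frees what task B may still hold */
        return -1;
    }
    if (!publish_early)
        set_bit_(HCI_UART_PROTO_READY, &hu->flags);   /* patched placement */
    return 0;
}

/* Runs one interleaving end to end; returns true if task B ends up on freed memory. */
static bool run_race(bool publish_early, bool register_fails)
{
    struct hci_uart hu = {0};
    struct h5 *captured = NULL;
    last_freed = 0;
    set_proto(&hu, publish_early, register_fails, &captured);
    bool uaf = receive_continue(captured);
    if (hu.priv)                            /* success path: tear down cleanly */
        h5_close(&hu);
    return uaf;
}

int main(void)
{
    printf("pre-patch, register fails: %s\n", run_race(true,  true)  ? "use-after-free" : "ok");
    printf("patched,   register fails: %s\n", run_race(false, true)  ? "use-after-free" : "ok");
    printf("patched,   register ok   : %s\n", run_race(false, false) ? "use-after-free" : "ok");
    return 0;
}
```

The model also makes the cost of the fix visible: with the patched ordering, a receive that lands during registration sees the bit clear and is dropped rather than served, which is the intended trade for never exposing a proto whose registration may still be undone.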