Date: Fri, 15 Nov 2019 11:10:29 -0500
From: Ralph Siemsen
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com, Kefeng Wang, Jeremy Cline, Marcel Holtmann
Subject: Re: [PATCH 4.9 02/31] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Message-ID: <20191115161029.GA32365@maple.netwinder.org>
References: <20191115062009.813108457@linuxfoundation.org> <20191115062010.682028342@linuxfoundation.org>
In-Reply-To: <20191115062010.682028342@linuxfoundation.org>
User-Agent: Mutt/1.9.4 (2018-02-28)

Hi Greg,

On Fri, Nov 15, 2019 at 02:20:31PM +0800, Greg Kroah-Hartman wrote:
>From: Kefeng Wang
>
>commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.
>
>task A:                                 task B:
>hci_uart_set_proto                      flush_to_ldisc
> - p->open(hu) -> h5_open //alloc h5     - receive_buf
> - set_bit HCI_UART_PROTO_READY          - tty_port_default_receive_buf
> - hci_uart_register_dev                 - tty_ldisc_receive_buf
>                                         - hci_uart_tty_receive
>                                         - test_bit HCI_UART_PROTO_READY
>                                         - h5_recv
> - clear_bit HCI_UART_PROTO_READY        while() {
> - p->open(hu) -> h5_close //free h5
>                                         - h5_rx_3wire_hdr
>                                         - h5_reset() //use-after-free
>                                         }
>
>It could use ioctl to set hci uart proto, but there is
>a use-after-free issue when hci_uart_register_dev() fails in
>hci_uart_set_proto(), see stack above, fix this by setting
>HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
>returns success.
>
>Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
>Signed-off-by: Kefeng Wang
>Reviewed-by: Jeremy Cline
>Signed-off-by: Marcel Holtmann
>Signed-off-by: Greg Kroah-Hartman

I was just about to ask why this had not been merged into 4.9. Spent a
while searching archives for any discussion to explain its absence, but
couldn't find anything. Also watched your kernel-recipes talk...

BTW, this also seems to be missing from 4.4 branch, although it was
merged for 3.16 (per https://lore.kernel.org/stable/?q=Postpone+HCI).

I gather that the usual rule is that a fix must be in newer versions
before it can go into older ones. Or at least, some patches were
rejected on that basis. If this is in fact the policy, perhaps it could
be added to stable-kernel-rules.rst ?

-Ralph

>---
> drivers/bluetooth/hci_ldisc.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
>--- a/drivers/bluetooth/hci_ldisc.c
>+++ b/drivers/bluetooth/hci_ldisc.c
>@@ -653,15 +653,14 @@ static int hci_uart_set_proto(struct hci > return err; > > hu->proto = p; >- set_bit(HCI_UART_PROTO_READY, &hu->flags); > > err = hci_uart_register_dev(hu); > if (err) { >- clear_bit(HCI_UART_PROTO_READY, &hu->flags); > p->close(hu); > return err; > } > >+ set_bit(HCI_UART_PROTO_READY, &hu->flags); > return 0; > } > > >
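Review bot: moving set_bit(HCI_UART_PROTO_READY) after a successful hci_uart_register_dev() is what closes the race (a concurrent hci_uart_tty_receive() can no longer pass test_bit while p->close(hu) frees the protocol state, so dropping the clear_bit in the error path is correct since the bit was never set), but `hu->proto = p;` is still assigned before registration and is left pointing at the closed protocol on the `return err;` path. Consider resetting it there (e.g. `hu->proto = NULL;` before `return err;`) or confirming that every reader of hu->proto gates on HCI_UART_PROTO_READY, and likewise confirm that nothing can reach the freshly registered hdev in the window between hci_uart_register_dev() returning 0 and the new set_bit, since any path that requires the bit will see it clear there.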
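As an added illustration (not code from the patch, the kernel, or this thread), here is a single-threaded C replay of the task A / task B interleaving from the commit message: a constructed `struct hu` whose `proto_ready` field stands in for HCI_UART_PROTO_READY and whose `h5` pointer stands in for the protocol state. It shows why setting the bit before hci_uart_register_dev() can succeed leaves a window where the receive path passes test_bit and then uses freed state, and why the patched ordering does not.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the task A / task B interleaving described in
 * the commit message; illustration only, not drivers/bluetooth code.
 * h5 stands for the state h5_open() allocates and h5_close() frees,
 * proto_ready stands for the HCI_UART_PROTO_READY bit. */
struct hu {
    int *h5;              /* NULL once freed, so a stale use is detectable */
    bool proto_ready;
    int uses_after_free;  /* a real use-after-free in the kernel */
};

static void h5_open(struct hu *hu)  { hu->h5 = calloc(1, sizeof *hu->h5); }
static void h5_close(struct hu *hu) { free(hu->h5); hu->h5 = NULL; }

/* Tail of task B: h5_recv() -> h5_rx_3wire_hdr() -> h5_reset(), reached
 * only because test_bit() succeeded earlier in hci_uart_tty_receive(). */
static void h5_reset(struct hu *hu)
{
    if (hu->h5 == NULL) { hu->uses_after_free++; return; }
    *hu->h5 = 0;
}

/* Replays task A (hci_uart_set_proto with hci_uart_register_dev failing)
 * interleaved with task B (hci_uart_tty_receive). fixed == false: set_bit
 * before registration (before the patch); fixed == true: set_bit only after
 * successful registration (the patch). Returns uses of freed h5 state. */
static int replay_register_failure(bool fixed)
{
    struct hu hu = { 0 };
    h5_open(&hu);                        /* A: p->open(hu) -> h5_open */
    if (!fixed) hu.proto_ready = true;   /* A: old set_bit placement */
    bool b_passed = hu.proto_ready;      /* B: test_bit HCI_UART_PROTO_READY */
    hu.proto_ready = false;              /* A: register fails; old clear_bit (no-op when fixed) */
    h5_close(&hu);                       /* A: p->close(hu) -> h5_close, frees h5 */
    if (b_passed) h5_reset(&hu);         /* B: h5_rx_3wire_hdr -> h5_reset */
    return hu.uses_after_free;
}

/* Registration succeeds: the patched ordering sets the bit only now, so
 * a receive that passes test_bit always finds live h5 state. */
static int replay_register_success(void)
{
    struct hu hu = { 0 };
    h5_open(&hu);
    hu.proto_ready = true;               /* A: new set_bit placement */
    if (hu.proto_ready) h5_reset(&hu);   /* B: test_bit, then use */
    h5_close(&hu);                       /* later close path */
    return hu.uses_after_free;
}
```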