Date: Wed, 3 Feb 2021 14:56:44 +0800
Message-Id: <20210203145558.Bluez.v1.1.I23ab3f91f23508bf84908e62d470bfab1d844f63@changeid>
Subject: [Bluez PATCH v1] Bluetooth: Fix crash in mgmt_add_adv_patterns_monitor_complete
From: Howard Chung
To: linux-bluetooth@vger.kernel.org, marcel@holtmann.org
Cc: Howard Chung, Miao-chen Chou, Manish Mandlik, Archie Pusaka, "David S. Miller", Jakub Kicinski, Johan Hedberg, Luiz Augusto von Dentz, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

If hci_add_adv_monitor is a pending command (e.g. forwarded to msft_add_monitor_pattern), it is possible that mgmt_add_adv_patterns_monitor_complete gets called before cmd->user_data gets set, which will cause a crash when we try to get the monitor handle through cmd->user_data in mgmt_add_adv_patterns_monitor_complete.

This moves the cmd->user_data assignment earlier than hci_add_adv_monitor.

RIP: 0010:mgmt_add_adv_patterns_monitor_complete+0x82/0x187 [bluetooth]
Code: 1e bf 03 00 00 00 be 52 00 00 00 4c 89 ea e8 9e e4 02 00 49 89 c6 48 85 c0 0f 84 06 01 00 00 48 89 5d b8 4c 89 fb 4d 8b 7e 30 <41> 0f b7 47 18 66 89 45 c0 45 84 e4 75 5a 4d 8b 56 28 48 8d 4d c8
RSP: 0018:ffffae81807dbcb8 EFLAGS: 00010286
RAX: ffff91c4bdf723c0 RBX: 0000000000000000 RCX: ffff91c4e5da5b80
RDX: ffff91c405680000 RSI: 0000000000000052 RDI: ffff91c49d654c00
RBP: ffffae81807dbd00 R08: ffff91c49fb157e0 R09: ffff91c49fb157e0
R10: 000000000002a4f0 R11: ffffffffc0819cfd R12: 0000000000000000
R13: ffff91c405680000 R14: ffff91c4bdf723c0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff91c4ea300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000133612002 CR4: 00000000003606e0
Call Trace:
 ? msft_le_monitor_advertisement_cb+0x111/0x141 [bluetooth]
 hci_event_packet+0x425e/0x631c [bluetooth]
 ? printk+0x59/0x73
 ? __switch_to_asm+0x41/0x70
 ? msft_le_set_advertisement_filter_enable_cb+0xa6/0xa6 [bluetooth]
 ? bt_dbg+0xb4/0xbb [bluetooth]
 ? __switch_to_asm+0x41/0x70
 hci_rx_work+0x101/0x319 [bluetooth]
 process_one_work+0x257/0x506
 worker_thread+0x10d/0x284
 kthread+0x14c/0x154
 ? process_one_work+0x506/0x506
 ? kthread_blkcg+0x2c/0x2c
 ret_from_fork+0x1f/0x40

Reviewed-by: Miao-chen Chou
Reviewed-by: Manish Mandlik
Reviewed-by: Archie Pusaka
Signed-off-by: Howard Chung
---
 net/bluetooth/mgmt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 8ff9c4bb43d11..74971b4bd4570 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -4303,6 +4303,7 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, goto unlock; } + cmd->user_data = m; pending = hci_add_adv_monitor(hdev, m, &err); if (err) { if (err == -ENOSPC || err == -ENOMEM) @@ -4330,7 +4331,6 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, hci_dev_unlock(hdev); - cmd->user_data = m; return 0; unlock: -- 2.30.0.365.g02bc693789-goog
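Review bot: in the first hunk (@@ -4303,6 +4303,7 @@), storing `cmd->user_data = m;` before `pending = hci_add_adv_monitor(hdev, m, &err);` closes the window described in the commit message, but it also means cmd->user_data already points at m when the `if (err) {` error path that follows runs; please confirm that path removes the pending command before m is released (or clears cmd->user_data there), so a late completion cannot read the monitor through a pointer to freed memory.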
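To make the ordering concrete, here is a small C model of the race the commit message describes, written for this edit and not taken from the kernel: a completion handler reads the monitor through cmd->user_data, and the add call is modelled as completing synchronously, so the pre-patch order leaves user_data NULL when the handler runs. The names pending_cmd, adv_monitor, add_monitor_complete and fake_add_adv_monitor are stand-ins for the kernel's structures and functions, and the handle value 7 is constructed.

```c
#include <stddef.h>
/* Toy model (added example, not kernel code) of the ordering bug: a pending
 * command whose completion handler reads the adv monitor via cmd->user_data. */
struct adv_monitor { unsigned int handle; };
struct pending_cmd {
	void *user_data;   /* the adv_monitor, once the caller stores it */
	int   seen_handle; /* what the completion handler observed */
};

/* Stands in for mgmt_add_adv_patterns_monitor_complete, which reads the handle
 * through cmd->user_data. The kernel dereferences unconditionally (the report
 * shows R15 = 0 and CR2 = 0x18, i.e. a field read through a NULL user_data);
 * here a NULL is recorded as -1 so the bad ordering is observable, not fatal. */
static int add_monitor_complete(struct pending_cmd *cmd)
{
	struct adv_monitor *m = cmd->user_data;
	if (!m) {
		cmd->seen_handle = -1;
		return -1;
	}
	cmd->seen_handle = (int)m->handle;
	return 0;
}

/* Stands in for hci_add_adv_monitor on the pending path: the controller's reply
 * is modelled as arriving at once, so the completion handler runs inside the call. */
static int fake_add_adv_monitor(struct pending_cmd *cmd)
{
	return add_monitor_complete(cmd);
}

/* Pre-patch order: user_data is stored only after the add call returns. */
int buggy_order(void)
{
	struct adv_monitor m = { .handle = 7 };
	struct pending_cmd cmd = { .user_data = NULL, .seen_handle = 0 };
	fake_add_adv_monitor(&cmd);
	cmd.user_data = &m;
	return cmd.seen_handle; /* -1: the handler saw a NULL user_data */
}

/* Post-patch order: user_data is stored before the command can complete. */
int fixed_order(void)
{
	struct adv_monitor m = { .handle = 7 };
	struct pending_cmd cmd = { .user_data = NULL, .seen_handle = 0 };
	cmd.user_data = &m;
	fake_add_adv_monitor(&cmd);
	return cmd.seen_handle; /* 7: the handler read the monitor's handle */
}
```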