From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yake Yang, Sean Wang, Marcel Holtmann, Sasha Levin
Subject: [PATCH 5.18 456/879] Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event
Date: Tue, 7 Jun 2022 18:59:34 +0200
Message-Id: <20220607165016.107348190@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
From: Sean Wang

[ Upstream commit 0fab6361c4ba17d1b43a991bef4238a3c1754d35 ]

We should not access skb buffer data anymore after hci_recv_frame was called.

[   39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0
[   39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker
[   39.634962] Call trace:
[   39.634974]  dump_backtrace+0x0/0x3b8
[   39.634999]  show_stack+0x20/0x2c
[   39.635016]  dump_stack_lvl+0x60/0x78
[   39.635040]  print_address_description+0x70/0x2f0
[   39.635062]  kasan_report+0x154/0x194
[   39.635079]  __asan_report_load1_noabort+0x44/0x50
[   39.635099]  btmtksdio_recv_event+0x1b0/0x1c4
[   39.635129]  btmtksdio_txrx_work+0x6cc/0xac4
[   39.635157]  process_one_work+0x560/0xc5c
[   39.635177]  worker_thread+0x7ec/0xcc0
[   39.635195]  kthread+0x2d0/0x3d0
[   39.635215]  ret_from_fork+0x10/0x20
[   39.635247] Allocated by task 0:
[   39.635260] (stack is not available)
[   39.635281] Freed by task 2392:
[   39.635295]  kasan_save_stack+0x38/0x68
[   39.635319]  kasan_set_track+0x28/0x3c
[   39.635338]  kasan_set_free_info+0x28/0x4c
[   39.635357]  ____kasan_slab_free+0x104/0x150
[   39.635374]  __kasan_slab_free+0x18/0x28
[   39.635391]  slab_free_freelist_hook+0x114/0x248
[   39.635410]  kfree+0xf8/0x2b4
[   39.635427]  skb_free_head+0x58/0x98
[   39.635447]  skb_release_data+0x2f4/0x410
[   39.635464]  skb_release_all+0x50/0x60
[   39.635481]  kfree_skb+0xc8/0x25c
[   39.635498]  hci_event_packet+0x894/0xca4 [bluetooth]
[   39.635721]  hci_rx_work+0x1c8/0x68c [bluetooth]
[   39.635925]  process_one_work+0x560/0xc5c
[   39.635951]  worker_thread+0x7ec/0xcc0
[   39.635970]  kthread+0x2d0/0x3d0
[   39.635990]  ret_from_fork+0x10/0x20
[   39.636021] The buggy address belongs to the object at ffffff80cf28a600
               which belongs to the cache kmalloc-512 of size 512
[   39.636039] The buggy address is located 13 bytes inside of
               512-byte region [ffffff80cf28a600, ffffff80cf28a800)

Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices")
Co-developed-by: Yake Yang
Signed-off-by: Yake Yang Signed-off-by: Sean Wang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin --- drivers/bluetooth/btmtksdio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c index b6d77e04240c..4ae6631a7c29 100644 --- a/drivers/bluetooth/btmtksdio.c +++ b/drivers/bluetooth/btmtksdio.c @@ -379,6 +379,7 @@ static int btmtksdio_recv_event(struct hci_dev *hdev, struct sk_buff *skb) { struct btmtksdio_dev *bdev = hci_get_drvdata(hdev); struct hci_event_hdr *hdr = (void *)skb->data; + u8 evt = hdr->evt; int err; /* When someone waits for the WMT event, the skb is being cloned @@ -396,7 +397,7 @@ static int btmtksdio_recv_event(struct hci_dev *hdev, struct sk_buff *skb) if (err < 0) goto err_free_skb; - if (hdr->evt == HCI_EV_WMT) { + if (evt == HCI_EV_WMT) { if (test_and_clear_bit(BTMTKSDIO_TX_WAIT_VND_EVT, &bdev->tx_state)) { /* Barrier to sync with other CPUs */ -- 2.35.1
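Review bot: the hunk in btmtksdio_recv_event() keeps `struct hci_event_hdr *hdr = (void *)skb->data;` live across the point where the skb is handed to the core, so the new `u8 evt = hdr->evt;` copy is the only thing preventing a repeat of the KASAN report the next time someone adds an `hdr->` access below the call; a one-line comment at the copy (for example `/* skb belongs to the core after hci_recv_frame(); keep evt */`) would carry the rationale from the commit message into the code, and limiting hdr to that single read, or dropping the variable in favour of `((struct hci_event_hdr *)skb->data)->evt` at the copy site, would make any later use stand out in review. The visible `if (err < 0) goto err_free_skb;` directly after the hand-off would also benefit from a short note on who owns the skb on that error return, since the commit message says the buffer must not be touched once the call has been made.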
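To make the ownership rule in the commit message concrete ("do not touch skb data after hci_recv_frame()"), here is a small user-space model of the buggy and the fixed shape of the receive path. This is an added illustration, not code from the btmtksdio driver or from this mail. `mock_skb`, `mock_hci_recv_frame()` and `load_u8()` are constructed stand-ins for struct sk_buff, hci_recv_frame() and KASAN's shadow check (the mock poisons and flags the buffer instead of really freeing it, so the program stays within defined behaviour); `HCI_EV_WMT` is given the value 0xe4 as an assumption for the example, since the patch references only the symbol; the four-byte event packet is constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HCI_EV_WMT 0xe4 /* assumed value for the MediaTek vendor event, see lead-in */

struct hci_event_hdr {
	uint8_t evt;
	uint8_t plen;
};

/* Stand-in for struct sk_buff: a heap buffer plus a toy shadow flag that
 * records whether ownership has moved on and the data has been released. */
struct mock_skb {
	uint8_t *data;
	size_t len;
	int released;
};

static int uaf_reports; /* loads that hit released memory, as KASAN would report */

/* Instrumented load. KASAN checks shadow memory on every access; here the
 * flag plays that role and a poison byte is returned instead of reading
 * freed memory, so the demo itself is well defined. */
static uint8_t load_u8(const struct mock_skb *skb, size_t off)
{
	if (skb->released) {
		uaf_reports++;
		return 0xaa;
	}
	return skb->data[off];
}

/* Stand-in for hci_recv_frame(): the core takes ownership and, as in the
 * trace above (hci_event_packet -> kfree_skb), the data is gone afterwards. */
static int mock_hci_recv_frame(struct mock_skb *skb)
{
	memset(skb->data, 0xaa, skb->len); /* poison, like a debug allocator */
	skb->released = 1;
	return 0;
}

/* Buggy shape: hdr->evt is read from skb->data after the hand-off. */
static int recv_event_buggy(struct mock_skb *skb, int *wmt_seen)
{
	int err = mock_hci_recv_frame(skb);

	if (err < 0)
		return err;
	if (load_u8(skb, offsetof(struct hci_event_hdr, evt)) == HCI_EV_WMT)
		*wmt_seen = 1;
	return 0;
}

/* Fixed shape: copy the one field needed while we still own the buffer,
 * then never touch skb->data again. */
static int recv_event_fixed(struct mock_skb *skb, int *wmt_seen)
{
	uint8_t evt = load_u8(skb, offsetof(struct hci_event_hdr, evt));
	int err = mock_hci_recv_frame(skb);

	if (err < 0)
		return err;
	if (evt == HCI_EV_WMT)
		*wmt_seen = 1;
	return 0;
}

/* Run one variant over a constructed WMT event (evt=0xe4, plen=2, payload
 * 01 00). Returns 1 if the event was recognised as WMT, -1 on allocation
 * failure; *reports receives the number of loads that hit released memory. */
int run_recv(int use_fixed, int *reports)
{
	const uint8_t sample[] = { HCI_EV_WMT, 0x02, 0x01, 0x00 }; /* constructed */
	struct mock_skb skb = { .data = malloc(sizeof sample), .len = sizeof sample, .released = 0 };
	int wmt_seen = 0;

	if (!skb.data)
		return -1;
	memcpy(skb.data, sample, sizeof sample);
	uaf_reports = 0;
	if (use_fixed)
		recv_event_fixed(&skb, &wmt_seen);
	else
		recv_event_buggy(&skb, &wmt_seen);
	*reports = uaf_reports;
	free(skb.data); /* the mock only poisoned it, so this is the real release */
	return wmt_seen;
}

int demo_wmt_seen(int use_fixed)    { int r; return run_recv(use_fixed, &r); }
int demo_uaf_reports(int use_fixed) { int r; run_recv(use_fixed, &r); return r; }

int main(void)
{
	printf("buggy: wmt_seen=%d uaf_reports=%d\n", demo_wmt_seen(0), demo_uaf_reports(0));
	printf("fixed: wmt_seen=%d uaf_reports=%d\n", demo_wmt_seen(1), demo_uaf_reports(1));
	return 0;
}
```

The buggy variant both trips the instrumented load and misclassifies the event (the poisoned byte is not 0xe4), which is the same pair of outcomes the real KASAN report and the lost WMT wake-up would give; the fixed variant recognises the event with no access after the hand-off.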