2024-03-02 17:08:35

by Pauli Virtanen

Subject: [PATCH] Bluetooth: fix use-after-free in accessing skb after sending it

hci_send_cmd_sync first sends skb and then tries to clone it. However,
the driver may have already freed the skb at that point.

Fix by cloning the sent_cmd cloned just above, instead of the original.

Log:
================================================================
BUG: KASAN: slab-use-after-free in __copy_skb_header+0x1a/0x240
...
Call Trace: ..
__skb_clone+0x59/0x2c0
hci_cmd_work+0x3b3/0x3d0 [bluetooth]
process_one_work+0x459/0x900
...
Allocated by task 129: ...
__alloc_skb+0x1ae/0x220
__hci_cmd_sync_sk+0x44c/0x7a0 [bluetooth]
__hci_cmd_sync_status+0x24/0xb0 [bluetooth]
set_cig_params_sync+0x778/0x7d0 [bluetooth]
...
Freed by task 0: ...
kmem_cache_free+0x157/0x3c0
__usb_hcd_giveback_urb+0x11e/0x1e0
usb_giveback_urb_bh+0x1ad/0x2a0
tasklet_action_common.isra.0+0x259/0x4a0
__do_softirq+0x15b/0x5a7
================================================================

Fixes: ea5391e7b256 ("Bluetooth: hci_sync: Fix overwriting request callback")
Signed-off-by: Pauli Virtanen <[email protected]>
---
net/bluetooth/hci_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 6ca4c0df9f9c..df3aa41e376d 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4217,7 +4217,7 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
if (hci_req_status_pend(hdev) &&
!hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
kfree_skb(hdev->req_skb);
- hdev->req_skb = skb_clone(skb, GFP_KERNEL);
+ hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
}

atomic_dec(&hdev->cmd_cnt);
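Review bot: the hunk does not show where hdev->sent_cmd is assigned or that it is non-NULL at this point; the commit message says it is cloned just above, and skb_clone() returns NULL on allocation failure, so if that earlier clone failed, `hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);` dereferences a NULL pointer. Worth confirming the earlier clone's result is checked before this block, or guarding it with `if (hdev->sent_cmd)` so a failed clone under memory pressure leaves req_skb unset rather than crashing.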
--
2.44.0
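The ownership rule behind this patch, as an added C example that is not code from the patch or the kernel: a hypothetical refcounted buffer (`struct buf`, `buf_clone`, `driver_send`, `driver_complete` are all invented names) models how skb_clone() shares one data block between clones while the driver frees the buffer it was handed. `send_cmd_buggy` follows the pre-patch order (clone the original skb after handing it to the driver) and `send_cmd_fixed` the post-patch order (clone `sent_cmd`, which the caller still owns). The explicit owner check in the model stands in for what KASAN reported; a real skb carries no such field.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted buffer standing in for struct sk_buff: clones share
 * one data block and get their own header, as with skb_clone(). The owner
 * field makes explicit the rule the patch relies on (after hand-off to the
 * driver the caller may not touch the buffer); a real skb has no such field,
 * which is why KASAN was needed to see the bug. */
struct data_block { int refcnt; size_t len; unsigned char bytes[16]; };
enum owner { OWNER_CALLER, OWNER_DRIVER };
struct buf { struct data_block *data; enum owner owner; };

static struct buf *buf_alloc(const unsigned char *src, size_t len)
{
	struct buf *b = len <= 16 ? calloc(1, sizeof(*b)) : NULL;

	if (!b)
		return NULL;
	b->data = calloc(1, sizeof(*b->data));
	if (!b->data) {
		free(b);
		return NULL;
	}
	b->data->refcnt = 1;
	b->data->len = len;
	memcpy(b->data->bytes, src, len);
	b->owner = OWNER_CALLER;
	return b;
}

/* skb_clone() analogue: new header, shared data, one more reference.
 * Refuses a buffer the caller no longer owns (models the use-after-free). */
static struct buf *buf_clone(struct buf *b)
{
	struct buf *c = (b && b->owner == OWNER_CALLER) ? calloc(1, sizeof(*c)) : NULL;

	if (!c)
		return NULL;
	c->data = b->data;
	c->data->refcnt++;
	c->owner = OWNER_CALLER;
	return c;
}

static void buf_free(struct buf *b)
{
	if (!b)
		return;
	if (--b->data->refcnt == 0)
		free(b->data);
	free(b);
}

/* Toy driver: takes ownership on send and frees on completion, the way the
 * USB HCI driver in the KASAN report frees the transmitted skb from its URB
 * completion path. */
static struct buf *pending_tx;
static void driver_send(struct buf *b) { b->owner = OWNER_DRIVER; pending_tx = b; }
static void driver_complete(void) { buf_free(pending_tx); pending_tx = NULL; }

/* Before the patch: sent_cmd is cloned before sending, req_skb is cloned
 * from the original skb afterwards. Here the clone returns NULL; in the
 * kernel it read freed memory. */
static int send_cmd_buggy(struct buf *skb, struct buf **sent_cmd, struct buf **req_skb)
{
	*sent_cmd = buf_clone(skb);
	if (!*sent_cmd)
		return -1;
	driver_send(skb);
	*req_skb = buf_clone(skb);
	return *req_skb ? 0 : -1;
}

/* After the patch: req_skb is cloned from sent_cmd, which we still own. */
static int send_cmd_fixed(struct buf *skb, struct buf **sent_cmd, struct buf **req_skb)
{
	*sent_cmd = buf_clone(skb);
	if (!*sent_cmd)
		return -1;
	driver_send(skb);
	*req_skb = buf_clone(*sent_cmd);
	return *req_skb ? 0 : -1;
}

/* Run one ordering on a constructed 3-byte command; returns 1 if the kept
 * copy is intact after the driver's completion freed its reference, else 0. */
static int run_case(int fixed)
{
	static const unsigned char cmd[] = { 0x01, 0x02, 0x03 };
	struct buf *skb = buf_alloc(cmd, sizeof(cmd));
	struct buf *sent_cmd = NULL, *req_skb = NULL;
	int rc, ok = 0;

	if (!skb)
		return 0;
	rc = fixed ? send_cmd_fixed(skb, &sent_cmd, &req_skb)
		   : send_cmd_buggy(skb, &sent_cmd, &req_skb);
	driver_complete();
	if (rc == 0 && req_skb->data->refcnt == 2 &&
	    memcmp(req_skb->data->bytes, cmd, sizeof(cmd)) == 0)
		ok = 1;
	buf_free(req_skb);
	buf_free(sent_cmd);
	return ok;
}
```

`run_case(1)` returns 1: after `driver_complete()` drops the driver's reference, `sent_cmd` and `req_skb` still hold two references to intact data. `run_case(0)` returns 0 because the clone was attempted after ownership had passed to the driver. Both paths also check the result of the first clone, which the model (like skb_clone) can fail.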



2024-03-02 17:30:42

by bluez.test.bot

Subject: RE: Bluetooth: fix use-after-free in accessing skb after sending it

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=831811

---Test result---

Test Summary:
CheckPatch PASS 0.66 seconds
GitLint PASS 0.32 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 29.18 seconds
CheckAllWarning PASS 32.28 seconds
CheckSparse PASS 37.65 seconds
CheckSmatch PASS 102.16 seconds
BuildKernel32 PASS 28.12 seconds
TestRunnerSetup PASS 516.85 seconds
TestRunner_l2cap-tester PASS 20.46 seconds
TestRunner_iso-tester PASS 33.64 seconds
TestRunner_bnep-tester PASS 4.95 seconds
TestRunner_mgmt-tester FAIL 117.46 seconds
TestRunner_rfcomm-tester PASS 7.59 seconds
TestRunner_sco-tester PASS 11.26 seconds
TestRunner_ioctl-tester PASS 8.24 seconds
TestRunner_mesh-tester PASS 6.15 seconds
TestRunner_smp-tester PASS 7.01 seconds
TestRunner_userchan-tester PASS 5.15 seconds
IncrementalBuild PASS 27.37 seconds

Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 488 (99.2%), Failed: 2, Not Run: 2

Failed Test Cases
LL Privacy - Add Device 5 (2 Devices to RL) Failed 0.177 seconds
LL Privacy - Remove Device 4 (Disable Adv) Timed out 2.270 seconds


---
Regards,
Linux Bluetooth

2024-03-04 16:31:03

by patchwork-bot+bluetooth

Subject: Re: [PATCH] Bluetooth: fix use-after-free in accessing skb after sending it

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Sat, 2 Mar 2024 19:06:23 +0200 you wrote:
> hci_send_cmd_sync first sends skb and then tries to clone it. However,
> the driver may have already freed the skb at that point.
>
> Fix by cloning the sent_cmd cloned just above, instead of the original.
>
> Log:
> ================================================================
> BUG: KASAN: slab-use-after-free in __copy_skb_header+0x1a/0x240
> ...
> Call Trace: ..
> __skb_clone+0x59/0x2c0
> hci_cmd_work+0x3b3/0x3d0 [bluetooth]
> process_one_work+0x459/0x900
> ...
> Allocated by task 129: ...
> __alloc_skb+0x1ae/0x220
> __hci_cmd_sync_sk+0x44c/0x7a0 [bluetooth]
> __hci_cmd_sync_status+0x24/0xb0 [bluetooth]
> set_cig_params_sync+0x778/0x7d0 [bluetooth]
> ...
> Freed by task 0: ...
> kmem_cache_free+0x157/0x3c0
> __usb_hcd_giveback_urb+0x11e/0x1e0
> usb_giveback_urb_bh+0x1ad/0x2a0
> tasklet_action_common.isra.0+0x259/0x4a0
> __do_softirq+0x15b/0x5a7
> ================================================================
>
> [...]

Here is the summary with links:
- Bluetooth: fix use-after-free in accessing skb after sending it
https://git.kernel.org/bluetooth/bluetooth-next/c/d147be932692

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html