From: Tomas Bortoli
To: marcel@holtmann.org, johan.hedberg@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli, syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
Subject: [PATCH] Fix invalid-free in bcsp_close()
Date: Fri, 1 Nov 2019 21:42:44 +0100
Message-Id: <20191101204244.14509-1-tomasbortoli@gmail.com>
In-Reply-To: <000000000000109f9605964acf6c@google.com>
References: <000000000000109f9605964acf6c@google.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Syzbot reported an invalid-free that I introduced fixing a memleak.
bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
Nullify bcsp->rx_skb every time it is freed.

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
---
 drivers/bluetooth/hci_bcsp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index fe2e307009f4..cf4a56095817 100644
--- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -591,6 +591,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) if (*ptr == 0xc0) { BT_ERR("Short BCSP packet"); kfree_skb(bcsp->rx_skb); + bcsp->rx_skb = NULL; bcsp->rx_state = BCSP_W4_PKT_START; bcsp->rx_count = 0; } else @@ -606,6 +607,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) { BT_ERR("Error in BCSP hdr checksum"); kfree_skb(bcsp->rx_skb); + bcsp->rx_skb = NULL; bcsp->rx_state = BCSP_W4_PKT_DELIMITER; bcsp->rx_count = 0; continue; @@ -630,6 +632,7 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) bscp_get_crc(bcsp)); kfree_skb(bcsp->rx_skb); + bcsp->rx_skb = NULL; bcsp->rx_state = BCSP_W4_PKT_DELIMITER; bcsp->rx_count = 0; continue; -- 2.20.1
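Review bot: The first hunk (the `Short BCSP packet` path at line 591) is missing a `Fixes:` tag in the commit message naming the earlier memleak fix that put the `kfree_skb(bcsp->rx_skb)` into `bcsp_close()`; the message says that fix introduced this invalid-free, and the stable process keys on that tag to pick up the repair together with the regression. The added `bcsp->rx_skb = NULL;` directly after `kfree_skb(bcsp->rx_skb);` and before the reset to `BCSP_W4_PKT_START` is otherwise correct, and since `kfree_skb()` treats a NULL argument as a no-op, `bcsp_close()` can keep freeing `rx_skb` unconditionally.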
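Review bot: In the header-checksum hunk (line 606) the NULL assignment is placed correctly before `bcsp->rx_state = BCSP_W4_PKT_DELIMITER;` and `continue;`, but the same three-line sequence (`kfree_skb(bcsp->rx_skb);`, `bcsp->rx_skb = NULL;`, a state reset) now appears at all three sites; consider folding the free and the clear into one small helper (a hypothetical `bcsp_drop_rx_skb(bcsp)`) so that a future free site cannot forget the NULL, which is exactly how this double free arose.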
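Review bot: The CRC-mismatch hunk (line 630) follows the same shape as the other two, but what this diff cannot show is whether `kfree_skb(bcsp->rx_skb)` is called anywhere else in hci_bcsp.c; the diffstat lists only three insertions, while the commit message promises nullifying the pointer "every time it is freed", so please grep the file for any remaining free site, since one that frees without clearing the pointer leaves the same invalid free reachable from `bcsp_close()`.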
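As an added example that is not part of the patch or of the kernel's hci_bcsp.c: a small C model of the rx_skb lifecycle with an instrumented stand-in for kfree_skb() (all names in it are hypothetical), showing that the pre-patch error path leaves a dangling pointer which the close path then frees a second time, and that clearing the pointer at every free site removes the double free.

```c
/* Added example, not code from the patch or from hci_bcsp.c. All names here
 * (alloc_skb_model, kfree_skb_model, struct bcsp_model) are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>
#define MAX_LIVE 16
/* Live-buffer table: freeing a pointer that is not in it is counted as an
 * "invalid free", the class of bug syzbot reported against bcsp_close(). */
static void *live[MAX_LIVE];
static int invalid_frees;

static void *alloc_skb_model(size_t n) {
	void *p = malloc(n);
	for (int i = 0; i < MAX_LIVE; i++)
		if (!live[i]) { live[i] = p; return p; }
	free(p); return NULL;
}

/* Stand-in for kfree_skb(): NULL is a no-op; a stale pointer is recorded
 * rather than freed again, so the model itself has no undefined behaviour. */
static void kfree_skb_model(void *p) {
	if (!p) return;
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p) { live[i] = NULL; free(p); return; }
	invalid_frees++;
}

struct bcsp_model { void *rx_skb; };
/* bcsp_recv() error path: the partial skb is freed; before the patch the
 * pointer stayed dangling, the patch adds the NULL assignment. */
static void recv_error_path(struct bcsp_model *b, bool patched) {
	kfree_skb_model(b->rx_skb);
	if (patched)
		b->rx_skb = NULL;
}
/* bcsp_close() frees whatever rx_skb still points at. */
static void close_model(struct bcsp_model *b) {
	kfree_skb_model(b->rx_skb);
	b->rx_skb = NULL;
}
/* Receive error, then close: returns the number of invalid frees seen,
 * 1 for the unpatched path and 0 once the pointer is cleared. */
static int run_scenario(bool patched) {
	struct bcsp_model b = { .rx_skb = alloc_skb_model(64) };
	invalid_frees = 0;
	recv_error_path(&b, patched);
	close_model(&b);
	return invalid_frees;
}
```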