References: <20230630143125.1.I3b7c8905728f3124576361ca35ed28e37f12f5d1@changeid>
In-Reply-To: <20230630143125.1.I3b7c8905728f3124576361ca35ed28e37f12f5d1@changeid>
From: Luiz Augusto von Dentz
Date: Fri, 30 Jun 2023 14:54:46 -0700
Subject: Re: [PATCH] Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
To: Douglas Anderson
Cc: Marcel Holtmann, Johan Hedberg, Stephen Boyd, Manish Mandlik, Miao-chen Chou, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Douglas,

On Fri, Jun 30, 2023 at 2:40 PM Douglas Anderson wrote:
>
> KASAN reports that there's a use-after-free in
> hci_remove_adv_monitor(). Trawling through the disassembly, you can
> see that the complaint is from the access in bt_dev_dbg() under the
> HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
> msft_remove_monitor() can end up freeing the monitor
> structure. Specifically:
> hci_remove_adv_monitor() ->
> msft_remove_monitor() ->
> msft_remove_monitor_sync() ->
> msft_le_cancel_monitor_advertisement_cb() ->
> hci_free_adv_monitor()
>
> Let's fix the problem by just stashing the relevant data when it's
> still valid.
>
> Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
> Signed-off-by: Douglas Anderson
> ---
>
> net/bluetooth/hci_core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 48917c68358d..dbb2043a9112 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -1972,6 +1972,7 @@ static int hci_remove_adv_monitor(struct hci_dev *h= dev, > struct adv_monitor *monitor) > { > int status =3D 0; > + int handle; > > switch (hci_get_adv_monitor_offload_ext(hdev)) { > case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off= */ > @@ -1980,9 +1981,10 @@ static int hci_remove_adv_monitor(struct hci_dev *= hdev, > goto free_monitor; > > case HCI_ADV_MONITOR_EXT_MSFT: > + handle =3D monitor->handle; > status =3D msft_remove_monitor(hdev, monitor); > bt_dev_dbg(hdev, "%s remove monitor %d msft status %d", > - hdev->name, monitor->handle, status); > + hdev->name, handle, status); Just move the call to bt_dev_dbg under msft_remove_monitor, also there is no reason to print hdev->name since bt_dev_dbg already does that so while at it we can probably fix this as well. > break; > } > > -- > 2.41.0.255.g8b1d071c50-goog > --=20 Luiz Augusto von Dentz
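Review bot: In the second hunk, stashing `handle` removes the read that KASAN flagged, but nothing in the diff records that `monitor` must not be touched after `status = msft_remove_monitor(hdev, monitor);`; add a short comment next to `+ handle = monitor->handle;` saying that msft_remove_monitor() can free the monitor (the commit message traces it through msft_le_cancel_monitor_advertisement_cb() -> hci_free_adv_monitor()), so a later edit to the debug line does not reintroduce the dereference. In the first hunk, `int handle;` is declared at function scope but only assigned and used in the HCI_ADV_MONITOR_EXT_MSFT case; declaring it inside that case's block, or moving the debug print so that no stash is needed at all, keeps it from looking uninitialized on the other paths.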
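The bug shape in the patch, as an added example that is not the kernel's code: a callee whose completion path frees its argument, the read-after-call that KASAN flagged in bt_dev_dbg(), and the stash-first fix. All demo_ names are hypothetical stand-ins for the kernel functions, and the freed marker is constructed so the stale read is observable instead of undefined behaviour.

```c
/* Added example (not net/bluetooth/hci_core.c): models the use-after-free
 * in hci_remove_adv_monitor() and the "stash before the call" fix.
 * demo_* names are hypothetical stand-ins for the kernel functions. */

struct demo_monitor {
    int handle;
    int freed;   /* constructed marker standing in for the allocator state */
};

/* Stands in for hci_free_adv_monitor(): poisons the object instead of
 * calling free() so a read after this point returns a visible bad value. */
static void demo_free_monitor(struct demo_monitor *m)
{
    m->freed = 1;
    m->handle = -1;   /* mimics a freed/poisoned slab object */
}

/* Stands in for msft_remove_monitor(): on the offload path the cancel
 * callback frees the monitor before control returns to the caller. */
static int demo_remove_monitor(struct demo_monitor *m)
{
    demo_free_monitor(m);
    return 0;   /* status */
}

/* Buggy shape (before the patch): reads m->handle after the call that
 * may have freed m; this is the read KASAN reported in bt_dev_dbg(). */
int demo_remove_adv_monitor_buggy(struct demo_monitor *m)
{
    int status = demo_remove_monitor(m);
    (void)status;
    return m->handle;   /* use-after-free: value comes from freed memory */
}

/* Fixed shape (the patch): copy what the log line needs while m is valid,
 * then never touch m again after demo_remove_monitor() returns. */
int demo_remove_adv_monitor_fixed(struct demo_monitor *m)
{
    int handle = m->handle;
    int status = demo_remove_monitor(m);
    (void)status;
    return handle;   /* the stashed value survives the free */
}
```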