Re: [PATCH v2] Bluetooth: hci_core: Fix poential Use-after-Free bug in hci_remove_adv_monitor

From: Zheng Hacker <hackerzheng666@gmail.com>
To: Simon Horman <simon.horman@corigine.com>
Cc: Zheng Wang <zyytlz.wz@163.com>,
	marcel@holtmann.org, alex000young@gmail.com,
	johan.hedberg@gmail.com, luiz.dentz@gmail.com,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, linux-bluetooth@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	pmenzel@molgen.mpg.de
Subject: Re: [PATCH v2] Bluetooth: hci_core: Fix poential Use-after-Free bug in hci_remove_adv_monitor
Date: Wed, 15 Mar 2023 17:01:40 +0800	[thread overview]
Message-ID: <CAJedcCxuaoB8gA5eEnmEdFcxnc4ObrMhvPzu0Ki0SumqrDLz7w@mail.gmail.com> (raw)
In-Reply-To: <ZBCRRL8+EtTBH2tl@corigine.com>

Simon Horman <simon.horman@corigine.com> 于2023年3月14日周二 23:22写道：
>
> On Tue, Mar 14, 2023 at 04:06:11PM +0100, Simon Horman wrote:
> > On Mon, Mar 13, 2023 at 05:55:35PM +0800, Zheng Hacker wrote:
> > > friendly ping
> > >
> > > Zheng Wang <zyytlz.wz@163.com> 于2023年2月17日周五 18:05写道：
> > > >
> > > > In hci_remove_adv_monitor, if it gets into HCI_ADV_MONITOR_EXT_MSFT case,
> > > > the function will free the monitor and print its handle after that.
> > > > Fix it by removing the logging into msft_le_cancel_monitor_advertisement_cb
> > > > before calling hci_free_adv_monitor.
> > > >
> > > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > > > ---
> > > > v2:
> > > > - move the logging inside msft_remove_monitor suggested by Luiz
> > > > ---
> > > >  net/bluetooth/hci_core.c | 2 --
> > > >  net/bluetooth/msft.c     | 2 ++
> > > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> > > > index b65c3aabcd53..69b82c2907ff 100644
> > > > --- a/net/bluetooth/hci_core.c
> > > > +++ b/net/bluetooth/hci_core.c
> > > > @@ -1981,8 +1981,6 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev,
> > > >
> > > >         case HCI_ADV_MONITOR_EXT_MSFT:
> > > >                 status = msft_remove_monitor(hdev, monitor);
> > > > -               bt_dev_dbg(hdev, "%s remove monitor %d msft status %d",
> > > > -                          hdev->name, monitor->handle, status);
> > > >                 break;
> >
> > I'm probably missing something obvious.
> > But from my perspective a simpler fix would be to
> > move the msft_remove_monitor() call to below the bt_dev_dbg() call.
>
> The obvious thing I was missing is that was what was done in v1
> but Luiz suggested moving the logging to
> msft_le_cancel_monitor_advertisement_cb().
> Sorry for the noise.

Hi Simon,

Thanks for your reply and detailed review :)

Best regards,
Zheng

>
> Link: https://lore.kernel.org/all/CABBYNZL_gZ+kr_OEqjYgMmt+=91=jC88g310F-ScMC=kLh0xdw@mail.gmail.com/
>
> >
> > > >         }
> > > >
> > > > diff --git a/net/bluetooth/msft.c b/net/bluetooth/msft.c
> > > > index bee6a4c656be..4b35f0ed1360 100644
> > > > --- a/net/bluetooth/msft.c
> > > > +++ b/net/bluetooth/msft.c
> > > > @@ -286,6 +286,8 @@ static int msft_le_cancel_monitor_advertisement_cb(struct hci_dev *hdev,
> > > >                  * suspend. It will be re-monitored on resume.
> > > >                  */
> > > >                 if (!msft->suspending) {
> > > > +                       bt_dev_dbg(hdev, "%s remove monitor %d status %d", hdev->name,
> > > > +                                  monitor->handle, status);
> > > >                         hci_free_adv_monitor(hdev, monitor);
> > > >
> > > >                         /* Clear any monitored devices by this Adv Monitor */
> > > > --
> > > > 2.25.1
> > > >
> > >