stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com,
	Kefeng Wang <wangkefeng.wang@huawei.com>,
	Jeremy Cline <jcline@redhat.com>,
	Marcel Holtmann <marcel@holtmann.org>
Subject: [PATCH 4.9 02/31] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Date: Fri, 15 Nov 2019 14:20:31 +0800	[thread overview]
Message-ID: <20191115062010.682028342@linuxfoundation.org> (raw)
In-Reply-To: <20191115062009.813108457@linuxfoundation.org>

From: Kefeng Wang <wangkefeng.wang@huawei.com>

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5  - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                 - tty_ldisc_receive_buf
                                          - hci_uart_tty_receive
				           - test_bit HCI_UART_PROTO_READY
				            - h5_recv
 - clear_bit HCI_UART_PROTO_READY             while() {
 - p->open(hu) -> h5_close //free h5
				              - h5_rx_3wire_hdr
				               - h5_reset()  //use-after-free
                                              }

It could use ioctl to set hci uart proto, but there is
a use-after-free issue when hci_uart_register_dev() fail in
hci_uart_set_proto(), see stack above, fix this by setting
HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
return success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/hci_ldisc.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -653,15 +653,14 @@ static int hci_uart_set_proto(struct hci
 		return err;
 
 	hu->proto = p;
-	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
 	err = hci_uart_register_dev(hu);
 	if (err) {
-		clear_bit(HCI_UART_PROTO_READY, &hu->flags);
 		p->close(hu);
 		return err;
 	}
 
+	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 	return 0;
 }
 



  parent reply	other threads:[~2019-11-15  6:22 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-15  6:20 [PATCH 4.9 00/31] 4.9.202-stable review Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 01/31] kvm: mmu: Dont read PDPTEs when paging is not enabled Greg Kroah-Hartman
2019-11-15  6:20 ` Greg Kroah-Hartman [this message]
2019-11-15 16:10   ` [PATCH 4.9 02/31] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() Ralph Siemsen
2019-11-16  7:56     ` Greg Kroah-Hartman
2019-11-18 20:27       ` Ralph Siemsen
2019-11-19  4:47         ` Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 03/31] MIPS: BCM63XX: fix switch core reset on BCM6368 Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 04/31] usb: gadget: core: unmap request from DMA only if previously mapped Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 05/31] KVM: x86: use Intel speculation bugs and features as derived in generic x86 code Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 06/31] x86/msr: Add the IA32_TSX_CTRL MSR Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 07/31] x86/cpu: Add a helper function x86_read_arch_cap_msr() Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 08/31] x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 09/31] x86/speculation/taa: Add mitigation for TSX Async Abort Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 10/31] x86/speculation/taa: Add sysfs reporting " Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 11/31] kvm/x86: Export MDS_NO=0 to guests when TSX is enabled Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 12/31] x86/tsx: Add "auto" option to the tsx= cmdline parameter Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 13/31] x86/speculation/taa: Add documentation for TSX Async Abort Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 14/31] x86/tsx: Add config options to set tsx=on|off|auto Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 15/31] x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 16/31] KVM: x86: simplify ept_misconfig Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 17/31] KVM: x86: extend usage of RET_MMIO_PF_* constants Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 18/31] kvm: Convert kvm_lock to a mutex Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 19/31] kvm: x86: Do not release the page inside mmu_set_spte() Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 20/31] KVM: x86: make FNAME(fetch) and __direct_map more similar Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 21/31] KVM: x86: remove now unneeded hugepage gfn adjustment Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 22/31] KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 23/31] KVM: x86: Add is_executable_pte() Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 24/31] KVM: x86: add tracepoints around __direct_map and FNAME(fetch) Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 25/31] KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 26/31] x86/bugs: Add ITLB_MULTIHIT bug infrastructure Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 27/31] cpu/speculation: Uninline and export CPU mitigations helpers Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 28/31] kvm: mmu: ITLB_MULTIHIT mitigation Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 29/31] kvm: Add helper function for creating VM worker threads Greg Kroah-Hartman
2019-11-15  6:20 ` [PATCH 4.9 30/31] kvm: x86: mmu: Recovery of shattered NX large pages Greg Kroah-Hartman
2019-11-15  6:21 ` [PATCH 4.9 31/31] Documentation: Add ITLB_MULTIHIT documentation Greg Kroah-Hartman
2019-11-15 12:00 ` [PATCH 4.9 00/31] 4.9.202-stable review kernelci.org bot
2019-11-15 13:50 ` Jon Hunter
2019-11-15 15:07   ` Greg Kroah-Hartman
2019-11-15 13:56 ` Guenter Roeck
2019-11-15 15:08   ` Greg Kroah-Hartman
2019-11-15 15:52 ` Naresh Kamboju
2019-11-16  8:02   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191115062010.682028342@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=jcline@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marcel@holtmann.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com \
    --cc=wangkefeng.wang@huawei.com \
    --subject='Re: [PATCH 4.9 02/31] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).