From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
	"Marcel Holtmann" <marcel@holtmann.org>,
	"Jeremy Cline" <jcline@redhat.com>,
	syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com,
	"Kefeng Wang" <wangkefeng.wang@huawei.com>
Subject: [PATCH 3.16 128/132] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Date: Fri, 20 Sep 2019 15:23:35 +0100	[thread overview]
Message-ID: <lsq.1568989415.810725363@decadent.org.uk> (raw)
In-Reply-To: <lsq.1568989414.954567518@decadent.org.uk>

3.16.74-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kefeng Wang <wangkefeng.wang@huawei.com>

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5  - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                 - tty_ldisc_receive_buf
                                          - hci_uart_tty_receive
                                           - test_bit HCI_UART_PROTO_READY
                                            - h5_recv
 - clear_bit HCI_UART_PROTO_READY             while() {
 - p->open(hu) -> h5_close //free h5
                                              - h5_rx_3wire_hdr
                                               - h5_reset()  //use-after-free
                                              }

It could use ioctl to set the hci uart proto, but there is
a use-after-free issue when hci_uart_register_dev() fails in
hci_uart_set_proto(); see the stack above. Fix this by setting the
HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bluetooth/hci_ldisc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -477,15 +477,14 @@ static int hci_uart_set_proto(struct hci
 		return err;
 
 	hu->proto = p;
-	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
 	err = hci_uart_register_dev(hu);
 	if (err) {
-		clear_bit(HCI_UART_PROTO_READY, &hu->flags);
 		p->close(hu);
 		return err;
 	}
 
+	set_bit(HCI_UART_PROTO_READY, &hu->flags);
 	return 0;
 }
 
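Review bot: the diagram in the commit message labels the error-path call as `p->open(hu) -> h5_close //free h5`, while the hunk's error path calls `p->close(hu)`; that diagram line should read `p->close(hu)` so it matches the code. The message should also spell out the behavioural consequence of moving `set_bit(HCI_UART_PROTO_READY, &hu->flags)` after `hci_uart_register_dev(hu)`: the `test_bit HCI_UART_PROTO_READY` check in hci_uart_tty_receive (shown in the diagram) now drops any bytes that arrive while registration is still in progress, and that is intended, because on the failure path `p->close(hu)` is reached with the bit never having been set, so no concurrent receive can be inside h5_recv when the h5 state is freed. Dropping the `clear_bit()` from the error path is correct for the same reason, since there is no longer anything to clear there.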


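The ordering problem the commit message describes, as an added single-threaded model that is not kernel code and not part of this patch: the receive path is split in two so it can be run at a chosen point of the open path, which makes the interleaving deterministic; a `freed` flag stands in for kfree() so a use-after-free is detected rather than triggered; and every name here (`set_proto_model`, `recv_begin`, `recv_finish`, `proto_close`, the `struct proto` and `struct uart` fields) is a constructed stand-in for the corresponding kernel function or object. The model also covers the case the fix deliberately accepts, namely data that arrives before the READY bit is set and is therefore dropped.

```c
/*
 * Constructed model of the hci_uart_set_proto() / hci_uart_tty_receive()
 * interleaving from the commit message.  Not kernel code: all names are
 * stand-ins, and "freeing" only marks the object so the model can report
 * a use-after-free instead of performing one.
 */
#include <stdbool.h>
#include <stdio.h>

#define PROTO_READY 0x1UL            /* stands in for HCI_UART_PROTO_READY */

struct proto {                       /* stands in for the h5 state h5_open() allocates */
	bool freed;                  /* set by proto_close() instead of a real kfree() */
	int  resets;                 /* work done by the receive path */
};

struct uart {                        /* stands in for struct hci_uart */
	unsigned long flags;
	struct proto *proto;
};

struct receiver {                    /* one in-flight hci_uart_tty_receive() */
	struct proto *p;             /* pointer taken after the READY check, or NULL */
};

enum outcome { RX_DROPPED, RX_OK, RX_USE_AFTER_FREE };

/* When the receiver gets to run relative to the open path. */
enum recv_point { RECV_DURING_REGISTER, RECV_AFTER_RETURN };

/* First half of the receive path: the test_bit() check and pointer take. */
static void recv_begin(struct uart *hu, struct receiver *r)
{
	r->p = (hu->flags & PROTO_READY) ? hu->proto : NULL;
}

/* Second half: the work h5_recv() would do on the pointer it captured. */
static enum outcome recv_finish(struct receiver *r)
{
	if (!r->p)
		return RX_DROPPED;           /* bit was clear: bytes discarded */
	if (r->p->freed)
		return RX_USE_AFTER_FREE;    /* object torn down underneath us */
	r->p->resets++;
	return RX_OK;
}

/* Models p->close(hu) -> h5_close(): frees the proto state. */
static void proto_close(struct uart *hu)
{
	hu->proto->freed = true;
}

/*
 * Runs the open path in either the old or the fixed ordering, with
 * hci_uart_register_dev() forced to fail or succeed, and the receiver
 * interleaved at the requested point.  Returns what the receiver observed.
 */
enum outcome set_proto_model(bool fixed, bool register_fails, enum recv_point when)
{
	struct proto p = { .freed = false, .resets = 0 };
	struct uart hu = { .flags = 0, .proto = &p };   /* p->open(hu) done */
	struct receiver r = { .p = NULL };
	int err;

	if (!fixed)
		hu.flags |= PROTO_READY;     /* old code: published before registration */

	err = register_fails ? -1 : 0;       /* hci_uart_register_dev(hu) */

	if (when == RECV_DURING_REGISTER)
		recv_begin(&hu, &r);         /* task B runs here */

	if (err) {
		if (!fixed)
			hu.flags &= ~PROTO_READY;  /* old error path */
		proto_close(&hu);            /* p->close(hu): frees proto */
	} else if (fixed) {
		hu.flags |= PROTO_READY;     /* fixed code: published only on success */
	}

	if (when == RECV_AFTER_RETURN)
		recv_begin(&hu, &r);

	return recv_finish(&r);
}

int main(void)
{
	static const char *const names[] = { "dropped", "ok", "use-after-free" };

	printf("old ordering, register fails, receive during register: %s\n",
	       names[set_proto_model(false, true, RECV_DURING_REGISTER)]);
	printf("fixed ordering, register fails, receive during register: %s\n",
	       names[set_proto_model(true, true, RECV_DURING_REGISTER)]);
	printf("fixed ordering, register ok, receive during register: %s\n",
	       names[set_proto_model(true, false, RECV_DURING_REGISTER)]);
	printf("fixed ordering, register ok, receive after return: %s\n",
	       names[set_proto_model(true, false, RECV_AFTER_RETURN)]);
	return 0;
}
```

The third case is the one a reviewer should notice: with the fixed ordering, bytes that arrive between registration and the set_bit() are dropped rather than processed, which is the price of closing the window in which the receive path could run against a proto object that the error path is about to free.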