| Message ID | 20240501014335.2329860-1-iam@sung-woo.kim (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | c2d3fedad3ad5240a19a68ad001894ac352f7878 |
| Headers | show |
| Series | [v4] Bluetooth: msft: fix slab-use-after-free in msft_do_close() | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | fail | error: patch failed: net/bluetooth/hci_core.c:2768 error: net/bluetooth/hci_core.c: patch does not apply error: patch failed: net/bluetooth/msft.c:769 error: net/bluetooth/msft.c: patch does not apply error: patch failed: net/bluetooth/msft.h:14 error: net/bluetooth/msft.h: patch does not apply hint: Use 'git am --show-current-patch' to see the failed patch |
This is an automated email and please do not reply to this email. Dear Submitter, Thank you for submitting the patches to the linux bluetooth mailing list. While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository. ----- Output ----- error: patch failed: net/bluetooth/hci_core.c:2768 error: net/bluetooth/hci_core.c: patch does not apply error: patch failed: net/bluetooth/msft.c:769 error: net/bluetooth/msft.c: patch does not apply error: patch failed: net/bluetooth/msft.h:14 error: net/bluetooth/msft.h: patch does not apply hint: Use 'git am --show-current-patch' to see the failed patch Please resolve the issue and submit the patches again. --- Regards, Linux Bluetooth
Hello: This patch was applied to bluetooth/bluetooth-next.git (master) by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>: On Tue, 30 Apr 2024 21:43:36 -0400 you wrote: > Dear Luiz, could you revert the v3 patch and apply this? > > Fix the use-after-free bug in msft->data by tying the > msft->data lifectime to hdev. > Also, change msft_unregister() name to msft_release(). > > How msft is used after freed: > > [...] Here is the summary with links: - [v4] Bluetooth: msft: fix slab-use-after-free in msft_do_close() https://git.kernel.org/bluetooth/bluetooth-next/c/c2d3fedad3ad You are awesome, thank you!
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index a7028d38c..bc5086423 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2768,8 +2768,6 @@ void hci_unregister_dev(struct hci_dev *hdev) hci_unregister_suspend_notifier(hdev); - msft_unregister(hdev); - hci_dev_do_close(hdev); if (!test_bit(HCI_INIT, &hdev->flags) && @@ -2823,6 +2821,7 @@ void hci_release_dev(struct hci_dev *hdev) hci_discovery_filter_clear(hdev); hci_blocked_keys_clear(hdev); hci_codec_list_clear(&hdev->local_codecs); + msft_release(hdev); hci_dev_unlock(hdev); ida_destroy(&hdev->unset_handle_ida); diff --git a/net/bluetooth/msft.c b/net/bluetooth/msft.c index 9612c5d1b..d039683d3 100644 --- a/net/bluetooth/msft.c +++ b/net/bluetooth/msft.c @@ -769,7 +769,7 @@ void msft_register(struct hci_dev *hdev) mutex_init(&msft->filter_lock); } -void msft_unregister(struct hci_dev *hdev) +void msft_release(struct hci_dev *hdev) { struct msft_data *msft = hdev->msft_data; diff --git a/net/bluetooth/msft.h b/net/bluetooth/msft.h index 2a63205b3..fe538e9c9 100644 --- a/net/bluetooth/msft.h +++ b/net/bluetooth/msft.h @@ -14,7 +14,7 @@ bool msft_monitor_supported(struct hci_dev *hdev); void msft_register(struct hci_dev *hdev); -void msft_unregister(struct hci_dev *hdev); +void msft_release(struct hci_dev *hdev); void msft_do_open(struct hci_dev *hdev); void msft_do_close(struct hci_dev *hdev); void msft_vendor_evt(struct hci_dev *hdev, void *data, struct sk_buff *skb); @@ -35,7 +35,7 @@ static inline bool msft_monitor_supported(struct hci_dev *hdev) } static inline void msft_register(struct hci_dev *hdev) {} -static inline void msft_unregister(struct hci_dev *hdev) {} +static inline void msft_release(struct hci_dev *hdev) {} static inline void msft_do_open(struct hci_dev *hdev) {} static inline void msft_do_close(struct hci_dev *hdev) {} static inline void msft_vendor_evt(struct hci_dev *hdev, void *data,
Dear Luiz, could you revert the v3 patch and apply this? Fix the use-after-free bug in msft->data by tying the msft->data lifectime to hdev. Also, change msft_unregister() name to msft_release(). How msft is used after freed: [use] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- passed. return; mutex_lock(&msft->filter_lock); ...(4) <- used after freed. [free] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed. ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309 CPU: 0 PID: 309 Comm: kworker/u5:2 Not tainted 6.9.0-rc5+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci4 hci_error_reset Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x140 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x191/0x560 mm/kasan/report.c:488 kasan_report+0xe2/0x120 mm/kasan/report.c:601 __asan_report_load8_noabort+0x18/0x20 mm/kasan/report_generic.c:381 __mutex_lock_common kernel/locking/mutex.c:587 [inline] __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 mutex_lock_nested+0x1f/0x30 kernel/locking/mutex.c:804 msft_do_close+0x292/0x700 net/bluetooth/msft.c:694 hci_dev_close_sync+0x906/0xf10 net/bluetooth/hci_sync.c:5168 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline] hci_error_reset+0x152/0x410 net/bluetooth/hci_core.c:1091 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335 worker_thread+0x926/0xe70 kernel/workqueue.c:3416 kthread+0x2e3/0x380 kernel/kthread.c:388 ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 7328: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:565 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0xa2/0xc0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] kmalloc_trace+0x20c/0x3e0 mm/slub.c:3997 kmalloc include/linux/slab.h:628 [inline] kzalloc include/linux/slab.h:749 [inline] msft_register+0x66/0x1d0 net/bluetooth/msft.c:760 hci_register_dev+0x85e/0x9a0 net/bluetooth/hci_core.c:2737 __vhci_create_device drivers/bluetooth/hci_vhci.c:438 [inline] vhci_create_device+0x390/0x720 drivers/bluetooth/hci_vhci.c:480 vhci_get_user drivers/bluetooth/hci_vhci.c:537 [inline] vhci_write+0x39b/0x460 drivers/bluetooth/hci_vhci.c:617 call_write_iter include/linux/fs.h:2110 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x8eb/0xb50 fs/read_write.c:590 ksys_write+0x106/0x1f0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x84/0xa0 fs/read_write.c:652 x64_sys_call+0x271a/0x2ce0 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x9c/0x130 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 7332: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x44/0x50 mm/kasan/generic.c:579 poison_slab_object+0x11a/0x190 mm/kasan/common.c:240 __kasan_slab_free+0x3b/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2106 [inline] slab_free mm/slub.c:4280 [inline] kfree+0x13c/0x330 mm/slub.c:4390 msft_unregister+0x9d/0x120 net/bluetooth/msft.c:785 hci_unregister_dev+0x1d9/0x520 net/bluetooth/hci_core.c:2771 vhci_release+0x8c/0xe0 drivers/bluetooth/hci_vhci.c:674 __fput+0x36f/0x750 fs/file_table.c:422 ____fput+0x1e/0x30 fs/file_table.c:450 task_work_run+0x1da/0x280 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x856/0x2210 kernel/exit.c:878 do_group_exit+0x201/0x2c0 kernel/exit.c:1027 get_signal+0x12ff/0x1380 kernel/signal.c:2911 arch_do_signal_or_restart+0x3b/0x650 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xcc/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xa8/0x130 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106cbbc00 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 168 bytes inside of freed 256-byte region [ffff888106cbbc00, ffff888106cbbd00) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106cba head: order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffe0000840(slab|head|node=0|zone=2|lastcpupid=0x3fffff) page_type: 0xffffffff() raw: 0017ffffe0000840 ffff888100042040 ffffea00042de590 ffffea00041b3e10 raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 head: 0017ffffe0000840 ffff888100042040 ffffea00042de590 ffffea00041b3e10 head: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 head: 0017ffffe0000001 ffffea00041b2e81 dead000000000122 00000000ffffffff head: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106cbbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106cbbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888106cbbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106cbbd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106cbbd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Fixes: 5031ffcc79b8 ("Bluetooth: Keep MSFT ext info throughout a hci_dev's life cycle") Signed-off-by: Sungwoo Kim <iam@sung-woo.kim> --- v1 -> v2: Move BT_DBG after null checking in msft_data_hold_unless_zero(). v2 -> v3: Make a msft lifetime fit hdev. v3 -> v4: - Fix a defconfig build failure, adding a missing declaration for msft_release() - Fix a wrong fixes tag. net/bluetooth/hci_core.c | 3 +-- net/bluetooth/msft.c | 2 +- net/bluetooth/msft.h | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-)