From patchwork Wed Mar 29 06:10:18 2017
X-Patchwork-Submitter: Michael Scott
X-Patchwork-Id: 9650951
From: Michael Scott
To: Marcel Holtmann, Gustavo Padovan, Johan Hedberg
Cc: "David S . Miller", Jukka Rissanen, linux-bluetooth@vger.kernel.org, linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Michael Scott
Subject: [PATCH] bluetooth: 6lowpan: fix use after free in chan_suspend/resume
Date: Tue, 28 Mar 2017 23:10:18 -0700
Message-Id: <20170329061018.4243-1-michael.scott@linaro.org>
X-Mailer: git-send-email 2.11.0
Sender: linux-wpan-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-wpan@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A status field in the skb_cb struct was storing a channel status based on channel suspend/resume events. This stored status was then used to return EAGAIN if there were packet sending issues in snd_pkt().

The issue is that the skb has been freed by the time the callback to 6lowpan's suspend/resume was called. So, this generates a "use after free" issue that was noticed while running kernel tests with KASAN debug enabled.

Let's eliminate the status field entirely as we can use the channel tx_credits to indicate whether we should return EAGAIN when handling packets.

Signed-off-by: Michael Scott
Acked-by: Jukka Rissanen
---
 net/bluetooth/6lowpan.c | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index d491529332f4..e27be3ca0a0c 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -38,7 +38,6 @@ struct skb_cb { struct in6_addr addr; struct in6_addr gw; struct l2cap_chan *chan; - int status; }; #define lowpan_cb(skb) ((struct skb_cb *)((skb)->cb)) @@ -528,7 +527,7 @@ static int send_pkt(struct l2cap_chan *chan, struct sk_buff *skb, } if (!err) - err = lowpan_cb(skb)->status; + err = (!chan->tx_credits ? -EAGAIN : 0); if (err < 0) { if (err == -EAGAIN)
@@ -964,26 +963,12 @@ static struct sk_buff *chan_alloc_skb_cb(struct l2cap_chan *chan, static void chan_suspend_cb(struct l2cap_chan *chan) { - struct sk_buff *skb = chan->data; - - BT_DBG("chan %p conn %p skb %p", chan, chan->conn, skb); - - if (!skb) - return; - - lowpan_cb(skb)->status = -EAGAIN; + BT_DBG("chan %p suspend", chan); } static void chan_resume_cb(struct l2cap_chan *chan) { - struct sk_buff *skb = chan->data; - - BT_DBG("chan %p conn %p skb %p", chan, chan->conn, skb); - - if (!skb) - return; - - lowpan_cb(skb)->status = 0; + BT_DBG("chan %p resume", chan); } static long chan_get_sndtimeo_cb(struct l2cap_chan *chan)
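Review bot: on the first hunk (removing `int status` from `struct skb_cb`), dropping the field is the right shape of fix rather than adding a NULL check, because `skb->cb` lives exactly as long as the skb and per-channel flow-control state has no business being stored there; the diffstat accounts for the definition, the reader in `send_pkt()` and the two writers in the suspend/resume callbacks, but since this hunk shows only the definition it is worth a grep of the file for any remaining `lowpan_cb(skb)->status` use that the compiler would otherwise flag late.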
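Review bot: on the `send_pkt()` hunk, `err = (!chan->tx_credits ? -EAGAIN : 0);` turns a successful send into `-EAGAIN` whenever the credit count has reached zero afterwards, so the caller's `-EAGAIN` branch (cut off at the end of the hunk) must treat this as "back off, the packet went out" and not as a reason to resend the same skb; please confirm that path and add a one-line comment above the assignment stating that semantics, since the commit message is the only place it is explained. Minor style: the surrounding parentheses are unnecessary and `err = chan->tx_credits ? 0 : -EAGAIN;` reads more naturally.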
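Review bot: on the `chan_suspend_cb()`/`chan_resume_cb()` hunk, the removed `struct sk_buff *skb = chan->data;` lines show that `chan->data` is the pointer that dangled once the skb was freed; this hunk stops dereferencing it here but leaves the stale value in place, so confirm no other channel callback reads `chan->data` after the send path releases the skb, or clear it where the skb is freed so a future reader cannot reintroduce the same use after free. Minor: the new `BT_DBG("chan %p suspend", chan)` drops `chan->conn`, which is still safe to print here; keeping it (`BT_DBG("chan %p conn %p suspend", chan, chan->conn);`) would preserve the existing debug output for anyone correlating traces.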