lists.openwall.net: Open Source and information security mailing list archives
Date: Thu, 04 Jun 2020 21:17:36 +0530
From: bgodavar@...eaurora.org
To: Venkata Lakshmi Narayana Gubba <gubbaven@...eaurora.org>
Cc: marcel@...tmann.org, johan.hedberg@...il.com, mka@...omium.org, linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org, robh@...nel.org, hemantg@...eaurora.org, linux-arm-msm@...r.kernel.org, tientzu@...omium.org, seanpaul@...omium.org, rjliao@...eaurora.org, yshavit@...gle.com, abhishekpandit@...omium.org
Subject: Re: [PATCH v1] Bluetooth: hci_qca: Fix double free during SSR timeout

On 2020-06-04 19:27, Venkata Lakshmi Narayana Gubba wrote:
> Due to race conditions between qca_hw_error and qca_controller_memdump
> during SSR timeout, the same pointer is freed twice, which results in a
> double free error. Now a lock is acquired while SSR state moved to
> timeout.
>
> Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@...eaurora.org>
> ---
> drivers/bluetooth/hci_qca.c | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c > index 836949d..9110775 100644 > --- a/drivers/bluetooth/hci_qca.c > +++ b/drivers/bluetooth/hci_qca.c > @@ -983,8 +983,11 @@ static void qca_controller_memdump(struct > work_struct *work) > while ((skb = skb_dequeue(&qca->rx_memdump_q))) { > > mutex_lock(&qca->hci_memdump_lock); > - /* Skip processing the received packets if timeout detected. */ > - if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT) { > + /* Skip processing the received packets if timeout detected > + * or memdump collection completed. > + */ > + if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT || > + qca->memdump_state == QCA_MEMDUMP_COLLECTED) { > mutex_unlock(&qca->hci_memdump_lock); > return; > }
> @@ -1485,7 +1488,7 @@ static void qca_hw_error(struct hci_dev *hdev, u8 > code) > { > struct hci_uart *hu = hci_get_drvdata(hdev); > struct qca_data *qca = hu->priv; > - struct qca_memdump_data *qca_memdump = qca->qca_memdump; > + struct qca_memdump_data *qca_memdump = NULL; > char *memdump_buf = NULL; > > set_bit(QCA_HW_ERROR_EVENT, &qca->flags); > @@ -1509,9 +1512,10 @@ static void qca_hw_error(struct hci_dev *hdev, > u8 code) > qca_wait_for_dump_collection(hdev); > } > > + mutex_lock(&qca->hci_memdump_lock); > if (qca->memdump_state != QCA_MEMDUMP_COLLECTED) { > bt_dev_err(hu->hdev, "clearing allocated memory due to memdump > timeout"); > - mutex_lock(&qca->hci_memdump_lock); > + qca_memdump = qca->qca_memdump; > if (qca_memdump) > memdump_buf = qca_memdump->memdump_buf_head; > vfree(memdump_buf); > @@ -1520,8 +1524,13 @@ static void qca_hw_error(struct hci_dev *hdev, > u8 code) > qca->memdump_state = QCA_MEMDUMP_TIMEOUT; > cancel_delayed_work(&qca->ctrl_memdump_timeout); > skb_queue_purge(&qca->rx_memdump_q); > - mutex_unlock(&qca->hci_memdump_lock); > + } > + mutex_unlock(&qca->hci_memdump_lock); > + > + if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT || > + qca->memdump_state == QCA_MEMDUMP_COLLECTED) { > cancel_work_sync(&qca->ctrl_memdump_evt); > + skb_queue_purge(&qca->rx_memdump_q); > } > > clear_bit(QCA_HW_ERROR_EVENT, &qca->flags); Reviewed-by: Balakrishna Godavarthi <bgodavar@...eaurora.org>
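Review bot: in the qca_controller_memdump hunk (@@ -983), the early return taken for the new QCA_MEMDUMP_COLLECTED case, like the existing QCA_MEMDUMP_TIMEOUT case, drops the skb that `skb_dequeue(&qca->rx_memdump_q)` has just handed out without freeing it, so every packet that arrives in either state is leaked. Since the patch touches this branch anyway, add `kfree_skb(skb);` before `mutex_unlock(&qca->hci_memdump_lock); return;` so the dequeued buffer is released on both paths.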
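Review bot: in the @@ -1509 hunk the state test `qca->memdump_state != QCA_MEMDUMP_COLLECTED` and the load `qca_memdump = qca->qca_memdump` are now both done under hci_memdump_lock, which is what closes the race the commit message describes; what the hunk does not show is whether `qca->qca_memdump` and the `memdump_buf_head` pointer are cleared after `vfree(memdump_buf)`. That reset is what stops a later run of qca_controller_memdump from freeing the same buffer again, so please confirm the lines following this hunk clear them, or widen the hunk context so the reviewer can see it.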
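Review bot: in the @@ -1520 hunk the new `if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT || qca->memdump_state == QCA_MEMDUMP_COLLECTED)` reads memdump_state after `mutex_unlock(&qca->hci_memdump_lock)`, and the block just above it sets the state to QCA_MEMDUMP_TIMEOUT whenever it is not COLLECTED, so as written the condition is always true unless some other writer changes the state between the unlock and the test. Either call `cancel_work_sync(&qca->ctrl_memdump_evt)` unconditionally or add a comment naming the writer the check guards against. Moving cancel_work_sync() outside the mutex is correct, since qca_controller_memdump takes hci_memdump_lock itself and cancelling under it would deadlock; the second `skb_queue_purge(&qca->rx_memdump_q)` after the cancel also deserves a one-line comment explaining that it catches packets queued while the work was still running.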