| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 04 Jun 2020 21:17:36 +0530
From: bgodavar@...eaurora.org
To: Venkata Lakshmi Narayana Gubba <gubbaven@...eaurora.org>
Cc: marcel@...tmann.org, johan.hedberg@...il.com, mka@...omium.org,
linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org,
robh@...nel.org, hemantg@...eaurora.org,
linux-arm-msm@...r.kernel.org, tientzu@...omium.org,
seanpaul@...omium.org, rjliao@...eaurora.org, yshavit@...gle.com,
abhishekpandit@...omium.org
Subject: Re: [PATCH v1] Bluetooth: hci_qca: Fix double free during SSR timeout
On 2020-06-04 19:27, Venkata Lakshmi Narayana Gubba wrote:
> Due to race conditions between qca_hw_error and qca_controller_memdump
> during SSR timeout,the same pointer is freed twice. Which results to
> double free error. Now a lock is acquired while SSR state moved to
> timeout.
>
> Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@...eaurora.org>
> ---
> drivers/bluetooth/hci_qca.c | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
> index 836949d..9110775 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -983,8 +983,11 @@ static void qca_controller_memdump(struct
> work_struct *work)
> while ((skb = skb_dequeue(&qca->rx_memdump_q))) {
>
> mutex_lock(&qca->hci_memdump_lock);
> - /* Skip processing the received packets if timeout detected. */
> - if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT) {
> + /* Skip processing the received packets if timeout detected
> + * or memdump collection completed.
> + */
> + if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT ||
> + qca->memdump_state == QCA_MEMDUMP_COLLECTED) {
> mutex_unlock(&qca->hci_memdump_lock);
> return;
> }
> @@ -1485,7 +1488,7 @@ static void qca_hw_error(struct hci_dev *hdev, u8
> code)
> {
> struct hci_uart *hu = hci_get_drvdata(hdev);
> struct qca_data *qca = hu->priv;
> - struct qca_memdump_data *qca_memdump = qca->qca_memdump;
> + struct qca_memdump_data *qca_memdump = NULL;
> char *memdump_buf = NULL;
>
> set_bit(QCA_HW_ERROR_EVENT, &qca->flags);
> @@ -1509,9 +1512,10 @@ static void qca_hw_error(struct hci_dev *hdev,
> u8 code)
> qca_wait_for_dump_collection(hdev);
> }
>
> + mutex_lock(&qca->hci_memdump_lock);
> if (qca->memdump_state != QCA_MEMDUMP_COLLECTED) {
> bt_dev_err(hu->hdev, "clearing allocated memory due to memdump
> timeout");
> - mutex_lock(&qca->hci_memdump_lock);
> + qca_memdump = qca->qca_memdump;
> if (qca_memdump)
> memdump_buf = qca_memdump->memdump_buf_head;
> vfree(memdump_buf);
> @@ -1520,8 +1524,13 @@ static void qca_hw_error(struct hci_dev *hdev,
> u8 code)
> qca->memdump_state = QCA_MEMDUMP_TIMEOUT;
> cancel_delayed_work(&qca->ctrl_memdump_timeout);
> skb_queue_purge(&qca->rx_memdump_q);
> - mutex_unlock(&qca->hci_memdump_lock);
> + }
> + mutex_unlock(&qca->hci_memdump_lock);
> +
> + if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT ||
> + qca->memdump_state == QCA_MEMDUMP_COLLECTED) {
> cancel_work_sync(&qca->ctrl_memdump_evt);
> + skb_queue_purge(&qca->rx_memdump_q);
> }
>
> clear_bit(QCA_HW_ERROR_EVENT, &qca->flags);
Reviewed-by: Balakrishna Godavarthi <bgodavar@...eaurora.org>
Powered by blists - more mailing lists