lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9baddcafef3c1ecad1f968e3adaf3201@codeaurora.org>
Date:   Thu, 04 Jun 2020 21:17:36 +0530
From:   bgodavar@...eaurora.org
To:     Venkata Lakshmi Narayana Gubba <gubbaven@...eaurora.org>
Cc:     marcel@...tmann.org, johan.hedberg@...il.com, mka@...omium.org,
        linux-kernel@...r.kernel.org, linux-bluetooth@...r.kernel.org,
        robh@...nel.org, hemantg@...eaurora.org,
        linux-arm-msm@...r.kernel.org, tientzu@...omium.org,
        seanpaul@...omium.org, rjliao@...eaurora.org, yshavit@...gle.com,
        abhishekpandit@...omium.org
Subject: Re: [PATCH v1] Bluetooth: hci_qca: Fix double free during SSR timeout

On 2020-06-04 19:27, Venkata Lakshmi Narayana Gubba wrote:
> Due to race conditions between qca_hw_error and qca_controller_memdump
> during SSR timeout,the same pointer is freed twice. Which results to
> double free error. Now a lock is acquired while SSR state moved to 
> timeout.
> 
> Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@...eaurora.org>
> ---
>  drivers/bluetooth/hci_qca.c | 19 ++++++++++++++-----
>  1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
> index 836949d..9110775 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -983,8 +983,11 @@ static void qca_controller_memdump(struct
> work_struct *work)
>  	while ((skb = skb_dequeue(&qca->rx_memdump_q))) {
> 
>  		mutex_lock(&qca->hci_memdump_lock);
> -		/* Skip processing the received packets if timeout detected. */
> -		if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT) {
> +		/* Skip processing the received packets if timeout detected
> +		 * or memdump collection completed.
> +		 */
> +		if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT ||
> +		    qca->memdump_state == QCA_MEMDUMP_COLLECTED) {
>  			mutex_unlock(&qca->hci_memdump_lock);
>  			return;
>  		}
> @@ -1485,7 +1488,7 @@ static void qca_hw_error(struct hci_dev *hdev, u8 
> code)
>  {
>  	struct hci_uart *hu = hci_get_drvdata(hdev);
>  	struct qca_data *qca = hu->priv;
> -	struct qca_memdump_data *qca_memdump = qca->qca_memdump;
> +	struct qca_memdump_data *qca_memdump = NULL;
>  	char *memdump_buf = NULL;
> 
>  	set_bit(QCA_HW_ERROR_EVENT, &qca->flags);
> @@ -1509,9 +1512,10 @@ static void qca_hw_error(struct hci_dev *hdev, 
> u8 code)
>  		qca_wait_for_dump_collection(hdev);
>  	}
> 
> +	mutex_lock(&qca->hci_memdump_lock);
>  	if (qca->memdump_state != QCA_MEMDUMP_COLLECTED) {
>  		bt_dev_err(hu->hdev, "clearing allocated memory due to memdump 
> timeout");
> -		mutex_lock(&qca->hci_memdump_lock);
> +		qca_memdump = qca->qca_memdump;
>  		if (qca_memdump)
>  			memdump_buf = qca_memdump->memdump_buf_head;
>  		vfree(memdump_buf);
> @@ -1520,8 +1524,13 @@ static void qca_hw_error(struct hci_dev *hdev, 
> u8 code)
>  		qca->memdump_state = QCA_MEMDUMP_TIMEOUT;
>  		cancel_delayed_work(&qca->ctrl_memdump_timeout);
>  		skb_queue_purge(&qca->rx_memdump_q);
> -		mutex_unlock(&qca->hci_memdump_lock);
> +	}
> +	mutex_unlock(&qca->hci_memdump_lock);
> +
> +	if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT ||
> +	    qca->memdump_state == QCA_MEMDUMP_COLLECTED) {
>  		cancel_work_sync(&qca->ctrl_memdump_evt);
> +		skb_queue_purge(&qca->rx_memdump_q);
>  	}
> 
>  	clear_bit(QCA_HW_ERROR_EVENT, &qca->flags);

Reviewed-by: Balakrishna Godavarthi <bgodavar@...eaurora.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ