| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Dec 2021 16:57:44 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: kbuild@...ts.01.org, Manish Mandlik <mmandlik@...gle.com>,
marcel@...tmann.org, luiz.dentz@...il.com
Cc: lkp@...el.com, kbuild-all@...ts.01.org,
linux-bluetooth@...r.kernel.org,
chromeos-bluetooth-upstreaming@...omium.org,
Manish Mandlik <mmandlik@...gle.com>,
Miao-chen Chou <mcchou@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Johan Hedberg <johan.hedberg@...il.com>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH v7 1/2] bluetooth: Handle MSFT Monitor Device Event
Hi Manish,
url: https://github.com/0day-ci/linux/commits/Manish-Mandlik/bluetooth-Handle-MSFT-Monitor-Device-Event/20211203-151659
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
config: x86_64-randconfig-m001-20211203 (https://download.01.org/0day-ci/archive/20211205/202112050416.RYsEcWkk-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
smatch warnings:
net/bluetooth/msft.c:312 msft_le_cancel_monitor_advertisement_cb() error: dereferencing freed memory 'handle_data'
vim +/handle_data +312 net/bluetooth/msft.c
182ee45da083db Luiz Augusto von Dentz 2021-10-27 266 static void msft_le_cancel_monitor_advertisement_cb(struct hci_dev *hdev,
182ee45da083db Luiz Augusto von Dentz 2021-10-27 267 u8 status, u16 opcode,
182ee45da083db Luiz Augusto von Dentz 2021-10-27 268 struct sk_buff *skb)
ce81843be24e9d Manish Mandlik 2021-09-21 269 {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 270 struct msft_cp_le_cancel_monitor_advertisement *cp;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 271 struct msft_rp_le_cancel_monitor_advertisement *rp;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 272 struct adv_monitor *monitor;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 273 struct msft_monitor_advertisement_handle_data *handle_data;
ce81843be24e9d Manish Mandlik 2021-09-21 274 struct msft_data *msft = hdev->msft_data;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 275 int err;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 276 bool pending;
eb96f195e598b7 Manish Mandlik 2021-12-02 277 struct monitored_device *dev, *tmp;
ce81843be24e9d Manish Mandlik 2021-09-21 278
182ee45da083db Luiz Augusto von Dentz 2021-10-27 279 if (status)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 280 goto done;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 281
182ee45da083db Luiz Augusto von Dentz 2021-10-27 282 rp = (struct msft_rp_le_cancel_monitor_advertisement *)skb->data;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 283 if (skb->len < sizeof(*rp)) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 284 status = HCI_ERROR_UNSPECIFIED;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 285 goto done;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 286 }
182ee45da083db Luiz Augusto von Dentz 2021-10-27 287
182ee45da083db Luiz Augusto von Dentz 2021-10-27 288 hci_dev_lock(hdev);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 289
182ee45da083db Luiz Augusto von Dentz 2021-10-27 290 cp = hci_sent_cmd_data(hdev, hdev->msft_opcode);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 291 handle_data = msft_find_handle_data(hdev, cp->handle, false);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 292
182ee45da083db Luiz Augusto von Dentz 2021-10-27 293 if (handle_data) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 294 monitor = idr_find(&hdev->adv_monitors_idr,
182ee45da083db Luiz Augusto von Dentz 2021-10-27 295 handle_data->mgmt_handle);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 296
182ee45da083db Luiz Augusto von Dentz 2021-10-27 297 if (monitor && monitor->state == ADV_MONITOR_STATE_OFFLOADED)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 298 monitor->state = ADV_MONITOR_STATE_REGISTERED;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 299
182ee45da083db Luiz Augusto von Dentz 2021-10-27 300 /* Do not free the monitor if it is being removed due to
182ee45da083db Luiz Augusto von Dentz 2021-10-27 301 * suspend. It will be re-monitored on resume.
182ee45da083db Luiz Augusto von Dentz 2021-10-27 302 */
182ee45da083db Luiz Augusto von Dentz 2021-10-27 303 if (monitor && !msft->suspending)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 304 hci_free_adv_monitor(hdev, monitor);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 305
182ee45da083db Luiz Augusto von Dentz 2021-10-27 306 list_del(&handle_data->list);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 307 kfree(handle_data);
^^^^^^^^^^^^^^^^^^
Free
eb96f195e598b7 Manish Mandlik 2021-12-02 308
eb96f195e598b7 Manish Mandlik 2021-12-02 309 /* Clear any monitored devices by this Adv Monitor */
eb96f195e598b7 Manish Mandlik 2021-12-02 310 list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices,
eb96f195e598b7 Manish Mandlik 2021-12-02 311 list) {
eb96f195e598b7 Manish Mandlik 2021-12-02 @312 if (dev->handle == handle_data->mgmt_handle) {
^^^^^^^^^^^^^^^^^^^^^^^^
Use after free.
eb96f195e598b7 Manish Mandlik 2021-12-02 313 list_del(&dev->list);
eb96f195e598b7 Manish Mandlik 2021-12-02 314 kfree(dev);
eb96f195e598b7 Manish Mandlik 2021-12-02 315 }
eb96f195e598b7 Manish Mandlik 2021-12-02 316 }
182ee45da083db Luiz Augusto von Dentz 2021-10-27 317 }
182ee45da083db Luiz Augusto von Dentz 2021-10-27 318
182ee45da083db Luiz Augusto von Dentz 2021-10-27 319 /* If remove all monitors is required, we need to continue the process
182ee45da083db Luiz Augusto von Dentz 2021-10-27 320 * here because the earlier it was paused when waiting for the
182ee45da083db Luiz Augusto von Dentz 2021-10-27 321 * response from controller.
182ee45da083db Luiz Augusto von Dentz 2021-10-27 322 */
182ee45da083db Luiz Augusto von Dentz 2021-10-27 323 if (msft->pending_remove_handle == 0) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 324 pending = hci_remove_all_adv_monitor(hdev, &err);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 325 if (pending) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 326 hci_dev_unlock(hdev);
ce81843be24e9d Manish Mandlik 2021-09-21 327 return;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 328 }
182ee45da083db Luiz Augusto von Dentz 2021-10-27 329
182ee45da083db Luiz Augusto von Dentz 2021-10-27 330 if (err)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 331 status = HCI_ERROR_UNSPECIFIED;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 332 }
182ee45da083db Luiz Augusto von Dentz 2021-10-27 333
182ee45da083db Luiz Augusto von Dentz 2021-10-27 334 hci_dev_unlock(hdev);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 335
182ee45da083db Luiz Augusto von Dentz 2021-10-27 336 done:
182ee45da083db Luiz Augusto von Dentz 2021-10-27 337 if (!msft->suspending)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 338 hci_remove_adv_monitor_complete(hdev, status);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 339 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Powered by blists - more mailing lists