linux/drivers
Andrey Skvortsov de4e88ec58 Bluetooth: btrtl: fix out of bounds memory access
The problem is detected by KASAN.
The btrtl driver uses private hci data to store 'struct btrealtek_data'.
If the btrtl driver is used with btusb, then memory for private hci data
is allocated in btusb. But no private data is allocated after hci_dev
when btrtl is used with hci_h5.

This commit adds memory allocation for hci_h5 case.

 ==================================================================
 BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
 Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76

 Hardware name: Pine64 PinePhone (1.2) (DT)
 Workqueue: hci0 hci_power_on [bluetooth]
 Call trace:
  dump_backtrace+0x9c/0x128
  show_stack+0x20/0x38
  dump_stack_lvl+0x48/0x60
  print_report+0xf8/0x5d8
  kasan_report+0x90/0xd0
  __asan_store8+0x9c/0xc0
  	 [btrtl]
  h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
  h5_setup+0x50/0x80 [hci_uart]
  hci_uart_setup+0xd4/0x260 [hci_uart]
  hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
  hci_dev_do_open+0x34/0x90 [bluetooth]
  hci_power_on+0xc4/0x3c8 [bluetooth]
  process_one_work+0x328/0x6f0
  worker_thread+0x410/0x778
  kthread+0x168/0x178
  ret_from_fork+0x10/0x20

 Allocated by task 53:
  kasan_save_stack+0x3c/0x68
  kasan_save_track+0x20/0x40
  kasan_save_alloc_info+0x68/0x78
  __kasan_kmalloc+0xd4/0xd8
  __kmalloc+0x1b4/0x3b0
  hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
  hci_uart_register_device+0x118/0x4f8 [hci_uart]
  h5_serdev_probe+0xf4/0x178 [hci_uart]
  serdev_drv_probe+0x54/0xa0
  really_probe+0x254/0x588
  __driver_probe_device+0xc4/0x210
  driver_probe_device+0x64/0x160
  __driver_attach_async_helper+0x88/0x158
  async_run_entry_fn+0xd0/0x388
  process_one_work+0x328/0x6f0
  worker_thread+0x410/0x778
  kthread+0x168/0x178
  ret_from_fork+0x10/0x20

 Last potentially related work creation:
  kasan_save_stack+0x3c/0x68
  __kasan_record_aux_stack+0xb0/0x150
  kasan_record_aux_stack_noalloc+0x14/0x20
  __queue_work+0x33c/0x960
  queue_work_on+0x98/0xc0
  hci_recv_frame+0xc8/0x1e8 [bluetooth]
  h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
  h5_rx_payload+0x98/0xb8 [hci_uart]
  h5_recv+0x158/0x3d8 [hci_uart]
  hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
  ttyport_receive_buf+0xac/0x178
  flush_to_ldisc+0x130/0x2c8
  process_one_work+0x328/0x6f0
  worker_thread+0x410/0x778
  kthread+0x168/0x178
  ret_from_fork+0x10/0x20

 Second to last potentially related work creation:
  kasan_save_stack+0x3c/0x68
  __kasan_record_aux_stack+0xb0/0x150
  kasan_record_aux_stack_noalloc+0x14/0x20
  __queue_work+0x788/0x960
  queue_work_on+0x98/0xc0
  __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
  __hci_cmd_sync+0x24/0x38 [bluetooth]
  btrtl_initialize+0x760/0x958 [btrtl]
  h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
  h5_setup+0x50/0x80 [hci_uart]
  hci_uart_setup+0xd4/0x260 [hci_uart]
  hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
  hci_dev_do_open+0x34/0x90 [bluetooth]
  hci_power_on+0xc4/0x3c8 [bluetooth]
  process_one_work+0x328/0x6f0
  worker_thread+0x410/0x778
  kthread+0x168/0x178
  ret_from_fork+0x10/0x20
 ==================================================================

Fixes: 5b355944b1 ("Bluetooth: btrtl: Add btrealtek data struct")
Fixes: 044014ce85 ("Bluetooth: btrtl: Add Realtek devcoredump support")
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-03-06 17:26:21 -05:00
accel accel/ivpu: Don't enable any tiles by default on VPU40xx 2024-02-20 16:56:21 +01:00
accessibility
acpi ACPI fix for 6.8-rc7 2024-02-28 12:20:00 -08:00
amba
android binder: signal epoll threads of self-work 2024-01-31 14:08:28 -08:00
ata ata: libata-core: Do not call ata_dev_power_set_standby() twice 2024-02-21 19:09:17 +01:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-02-03 12:46:13 +00:00
auxdisplay drm-next for 6.8: 2024-01-12 11:32:19 -08:00
base Driver core fixes for 6.8-rc5 2024-02-17 08:56:41 -08:00
bcma bcma: make bcma_bus_type const 2024-02-06 20:07:35 +02:00
block block-6.8-2024-02-10 2024-02-10 08:02:48 -08:00
bluetooth Bluetooth: btrtl: fix out of bounds memory access 2024-03-06 17:26:21 -05:00
bus bus: imx-weim: fix valid range check 2024-02-06 14:10:47 +08:00
cache cache: ax45mp_cache: Align end size to cache boundary in ax45mp_dma_cache_wback() 2024-02-21 16:24:10 +00:00
cdrom
cdx cdx: Unlock on error path in rescan_store() 2024-01-04 17:01:14 +01:00
char TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
clk clk: samsung: clk-gs101: comply with the new dt cmu_misc clock names 2024-01-22 11:40:12 +01:00
clocksource clocksource/drivers/ep93xx: Fix error handling during probe 2023-12-27 15:37:11 +01:00
comedi
connector connector/cn_proc: revert "connector: Fix proc_event_num_listeners count not cleared" 2024-02-13 11:15:44 +01:00
counter
cpufreq cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back 2024-02-24 15:01:59 +01:00
cpuidle cpuidle: haltpoll: Do not enable interrupts when entering idle 2023-12-29 18:08:18 +01:00
crypto crypto: virtio/akcipher - Fix stack overflow on memcpy 2024-02-09 12:55:53 +08:00
cxl cxl/acpi: Fix load failures due to single window creation failure 2024-02-20 22:58:05 -08:00
dax New code for 6.8: 2024-01-10 08:45:22 -08:00
dca
devfreq PM / devfreq: Synchronize devfreq_monitor_[start/stop] 2023-12-19 07:58:27 +09:00
dio
dma dmaengine: at_hdmac: add missing kernel-doc style description 2024-02-02 17:16:55 +01:00
dma-buf dma-buf: heaps: Don't track CMA dma-buf pages under RssFile 2024-01-31 19:54:58 +05:30
dpll Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-02-29 14:24:56 -08:00
edac Driver core changes for 6.8-rc1 2024-01-18 09:48:40 -08:00
eisa
extcon
firewire firewire: core: send bus reset promptly on gap count error 2024-02-07 08:20:02 +09:00
firmware Microchip firmware driver fixes for v6.8-rc6 2024-02-23 13:53:44 +01:00
fpga Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
fsi
gnss TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
gpio gpiolib: Handle no pin_ranges in gpiochip_generic_config() 2024-02-20 12:49:14 +01:00
gpu drm fixes for 6.8-rc6 2024-02-23 09:17:47 -08:00
greybus TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
hid bpf-next-for-netdev 2024-03-02 20:50:59 -08:00
hsi
hte
hv
hwmon hwmon: (nct6775) Fix access to temperature configuration registers 2024-02-21 13:56:33 -08:00
hwspinlock
hwtracing
i2c i2c: imx: when being a target, mark the last read as processed 2024-02-23 23:39:35 +01:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-01-08 00:51:36 +01:00
idle Power management updates for 6.8-rc1 2024-01-09 16:32:11 -08:00
iio iio: adc: ad4130: only set GPIO_CTRL if pin is unused 2024-02-10 16:52:39 +00:00
infiniband rtnetlink: prepare nla_put_iflink() to run under RCU 2024-02-26 11:46:12 +00:00
input Input updates for v6.8-rc2 2024-02-02 12:52:44 -08:00
interconnect interconnect: qcom: x1e80100: Add missing ACV enable_mask 2024-02-04 23:36:06 +02:00
iommu IOMMU Fixes for Linux v6.8-rc5 2024-02-24 15:59:26 -08:00
ipack TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
irqchip irqchip/gic-v3-its: Do not assume vPE tables are preallocated 2024-02-21 21:11:20 +01:00
isdn
leds - New Drivers 2024-01-17 15:25:27 -08:00
macintosh
mailbox mediatek: add CMDQ support for mt8188 2024-01-17 15:39:32 -08:00
mcb
md - Fix DM integrity and verity targets to not use excessive stack when 2024-02-24 09:55:29 -08:00
media Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-02-22 15:29:26 -08:00
memory IOMMU Updates for Linux v6.8 2024-01-18 15:16:57 -08:00
memstick
message
mfd TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
misc misc: open-dice: Fix spurious lockdep warning 2024-01-30 16:20:54 -08:00
mmc mmc: slot-gpio: Allow non-sleeping GPIO ro 2024-02-06 12:35:44 +01:00
most
mtd mtd: rawnand: marvell: fix layouts 2024-02-05 16:16:24 +01:00
mux mux: mmio: use reg property when parent device is not a syscon 2024-01-04 17:01:14 +01:00
net Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue 2024-03-06 11:29:19 +00:00
nfc
ntb
nubus nubus: Make nubus_bus_type static and constant 2024-01-03 13:33:59 +01:00
nvdimm virtio: features, fixes 2024-01-18 16:44:03 -08:00
nvme net: introduce page_frag_cache_drain() 2024-03-05 11:38:14 +01:00
nvmem nvmem: include bit index in cell sysfs file name 2024-02-14 16:28:16 +01:00
of Devicetree fixes for v6.8: 2024-02-15 10:19:55 -08:00
opp OPP: Rename 'rate_clk_single' 2024-01-05 15:55:41 +05:30
parisc parisc/power: Fix power soft-off button emulation on qemu 2024-01-07 22:59:16 +01:00
parport parport: parport_serial: Add Brainboxes device IDs and geometry 2023-12-15 19:54:56 +01:00
pci PCI/MSI: Prevent MSI hardware interrupt number truncation 2024-02-19 16:11:01 +01:00
pcmcia
peci
perf perf: CXL: fix CPMU filter value mask length 2024-02-20 12:04:07 +00:00
phy phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP 2024-01-30 22:41:11 +05:30
pinctrl pinctrl: amd: Add IRQF_ONESHOT to the interrupt request 2024-01-31 10:06:07 +01:00
platform platform/x86: thinkpad_acpi: Only update profile if successfully converted 2024-02-20 14:35:36 +01:00
pmdomain pmdomain: mediatek: fix race conditions with genpd 2024-01-23 13:19:15 +01:00
pnp More ACPI updates for 6.8-rc1 2024-01-17 14:37:40 -08:00
power Revert "power: supply: qcom_battmgr: Register the power supplies after PDR is up" 2024-01-26 22:45:58 +01:00
powercap
pps
ps3
ptp ptp: fc3: Convert to platform remove callback returning void 2024-03-05 11:23:02 -08:00
pwm pwm: jz4740: Don't use dev_err_probe() in .request() 2024-01-12 18:25:05 +01:00
rapidio rapidio/tsi721: fix kernel-doc warnings 2023-12-20 15:02:57 -08:00
ras
regulator regulator: max5970: Fix regulator child node name 2024-02-13 15:38:23 +00:00
remoteproc remoteproc: qcom_q6v5_pas: Add SC7280 ADSP, CDSP & WPSS 2023-12-17 10:06:32 -08:00
reset SoC: driver updates for 6.8 2024-01-11 11:31:46 -08:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2023-12-18 10:56:03 -07:00
rtc rtc: nuvoton: Compatible with NCT3015Y-R and NCT3018Y-R 2024-01-18 01:05:33 +01:00
s390 s390 fixes for 6.8-rc6 2024-02-23 09:54:13 -08:00
sbus
scsi scsi: jazz_esp: Only build if SCSI core is builtin 2024-02-15 15:34:47 -05:00
sh maple: make maple_bus_type static and const 2024-01-04 14:37:17 +01:00
siox
slimbus
soc RISC-V SoC driver fixes for v6.8-rc6 2024-02-23 13:53:54 +01:00
soundwire soundwire updates for 6.7 2024-01-18 17:08:31 -08:00
spi spi: Drop mismerged fix 2024-02-27 12:52:51 +00:00
spmi spmi: mediatek: add device id check 2023-12-15 17:27:04 +01:00
ssb ssb: make ssb_bustype const 2024-02-06 20:07:12 +02:00
staging Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-02-22 15:29:26 -08:00
target scsi: target: pscsi: Fix bio_put() for error case 2024-02-15 14:44:07 -05:00
tc
tee Another moderately busy cycle for documentation, including: 2024-01-11 19:46:52 -08:00
thermal thermal: intel: powerclamp: Remove dead code for target mwait value 2024-01-22 11:59:22 +01:00
thunderbolt thunderbolt: Fix setting the CNS bit in ROUTER_CS_5 2024-01-29 09:48:40 +02:00
tty serial: amba-pl011: Fix DMA transmission in RS485 mode 2024-02-19 09:43:37 +01:00
ufs scsi: ufs: Uninitialized variable in ufshcd_devfreq_target() 2024-02-15 14:46:13 -05:00
uio uio: Fix use-after-free in uio_open 2024-01-04 17:03:47 +01:00
usb USB fixes for 6.8-rc6 2024-02-25 10:41:57 -08:00
vdpa virtio: features, fixes 2024-01-18 16:44:03 -08:00
vfio VFIO updates for v6.8-rc1 2024-01-18 15:57:25 -08:00
vhost vhost/net: remove vhost_net_page_frag_refill() 2024-03-05 11:38:14 +01:00
video fbdev: stifb: Fix crash in stifb_blank() 2024-01-23 09:13:24 +01:00
virt Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
virtio virtio: features, fixes 2024-01-18 16:44:03 -08:00
w1 w1: ds2433: add support for ds28ec20 eeprom 2023-12-20 09:25:25 +01:00
watchdog linux-watchdog 6.8-rc1 tag 2024-01-12 13:32:30 -08:00
xen xen/events: close evtchn after mapping cleanup 2024-02-13 10:12:47 +01:00
zorro
Kconfig
Makefile fbdev/intelfb: Remove driver 2024-01-12 12:38:37 +01:00