linux/drivers/bluetooth
Kefeng Wang 56897b217a Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5  - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                 - tty_ldisc_receive_buf
                                          - hci_uart_tty_receive
                                           - test_bit HCI_UART_PROTO_READY
                                            - h5_recv
 - clear_bit HCI_UART_PROTO_READY             while() {
 - p->open(hu) -> h5_close //free h5
                                              - h5_rx_3wire_hdr
                                               - h5_reset()  //use-after-free
                                              }

It could use ioctl to set hci uart proto, but there is
a use-after-free issue when hci_uart_register_dev() fails in
hci_uart_set_proto(), see stack above; fix this by setting the
HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2019-02-26 09:55:39 +01:00
ath3k.c Bluetooth: ath3k: add more information to error message 2018-09-28 19:27:50 +02:00
bcm203x.c Bluetooth: mark expected switch fall-throughs 2017-10-14 09:25:51 +02:00
bfusb.c bluetooth: bfusb: Replace GFP_ATOMIC with GFP_KERNEL in bfusb_send_frame() 2018-07-23 18:05:00 +02:00
bluecard_cs.c bluetooth: bluecard_cs: Replace GFP_ATOMIC with GFP_KERNEL in bluecard_hci_set_baud_rate() 2018-07-23 18:05:00 +02:00
bpa10x.c bluetooth: bpa10x: Replace GFP_ATOMIC with GFP_KERNEL in bpa10x_send_frame() 2018-07-23 18:05:00 +02:00
bt3c_cs.c Bluetooth: bt3c_cs: Fix obsolete function 2018-09-27 12:57:39 +02:00
btbcm.c Bluetooth: btbcm: Add entry for BCM4329B1 UART bluetooth 2018-12-19 13:43:42 +01:00
btbcm.h Bluetooth: btbcm: Allow using btbcm_initialize() for reinit 2018-05-18 06:37:51 +02:00
btintel.c Bluetooth: btintel: Create common function for firmware download 2018-01-25 09:28:40 +01:00
btintel.h Bluetooth: btintel: Create common function for firmware download 2018-01-25 09:28:40 +01:00
btmrvl_debugfs.c Bluetooth: btmrvl: Re-use kstrtol_from_user() 2018-05-30 08:16:05 +02:00
btmrvl_drv.h Bluetooth: btmrvl: Drop unused GPIO includes 2019-01-22 09:51:20 +01:00
btmrvl_main.c Bluetooth: btmrvl: support sysfs initiated firmware coredump 2018-05-29 15:59:50 +02:00
btmrvl_sdio.c Bluetooth: btmrvl: add support for sd8977 chipset 2019-01-22 09:51:20 +01:00
btmrvl_sdio.h btmrvl: add platform specific wakeup interrupt support 2016-05-02 19:26:15 +02:00
btmtkuart.c Bluetooth: mediatek: update the common setup between MT7622 and other devices 2019-02-18 14:08:55 +01:00
btqca.c Bluetooth: hci_qca: Add helper to set device address 2019-01-22 09:51:18 +01:00
btqca.h Bluetooth: hci_qca: Add helper to set device address 2019-01-22 09:51:18 +01:00
btqcomsmd.c Bluetooth: btqcomsmd: Fix rx/tx stats 2018-05-18 06:37:50 +02:00
btrsi.c Bluetooth: btrsi: fix bt tx timeout issue 2018-09-27 12:53:40 +02:00
btrtl.c Bluetooth: btrtl: Restore old logic to assume firmware is already loaded 2019-01-28 13:23:59 +01:00
btrtl.h Bluetooth: btrtl: Add support for a config filename postfix 2018-08-03 13:27:46 +02:00
btsdio.c Bluetooth: btsdio: Do not bind to non-removable BCM43430 2018-10-14 10:23:47 +02:00
btusb.c Bluetooth: btusb: Add shutdown routine for BTUSB_INTEL_NEW devices 2019-01-29 16:15:29 +01:00
btwilink.c Bluetooth: Style fix - align block comments 2017-07-22 08:39:39 +02:00
dtl1_cs.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
h4_recv.h Bluetooth: remove redundant zero check on count 2019-02-18 11:46:45 +01:00
hci_ag6xx.c Bluetooth: hci_uart: Add diag and address support for Intel/AG6xx 2016-02-29 19:25:22 +02:00
hci_ath.c Bluetooth: hci_ath: Replace mdelay with msleep in ath_wakeup_ar3k 2018-02-07 09:47:04 +01:00
hci_bcm.c Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading 2018-12-19 13:43:42 +01:00
hci_bcsp.c Bluetooth: Convert timers to use timer_setup() 2017-10-06 20:37:11 +02:00
hci_h4.c Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf() 2019-01-22 09:51:19 +01:00
hci_h5.c Bluetooth: hci_h5: Turn off RTL8723BS on suspend, reprobe on resume 2018-12-19 00:49:33 +01:00
hci_intel.c Bluetooth: hci_intel: clean an indentation issue, remove extraneous spaces 2018-12-19 00:46:30 +01:00
hci_ldisc.c Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() 2019-02-26 09:55:39 +01:00
hci_ll.c Bluetooth: hci_serdev: Move serdev_device_close/open into common hci_serdev code 2018-05-30 08:47:42 +02:00
hci_mrvl.c networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
hci_nokia.c bluetooth: hci_nokia: Don't include linux/unaligned/le_struct.h directly. 2018-06-17 08:38:55 +09:00
hci_qca.c Bluetooth: hci_qca: Disable IBS state machine and flush Tx buffer 2019-02-18 11:49:53 +01:00
hci_serdev.c Bluetooth: hci_serdev: Remove setting of HCI_QUIRK_RESET_ON_CLOSE. 2018-12-19 00:41:59 +01:00
hci_uart.h Bluetooth: hci_serdev: Fix HCI_UART_INIT_PENDING not working 2018-05-30 08:49:20 +02:00
hci_vhci.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
Kconfig Bluetooth: btmrvl: add support for sd8977 chipset 2019-01-22 09:51:20 +01:00
Makefile Bluetooth: mediatek: Add protocol support for MediaTek serial devices 2018-08-07 21:33:25 +02:00