From patchwork Fri Oct 25 11:40:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 13850550 Received: from forward102a.mail.yandex.net (forward102a.mail.yandex.net [178.154.239.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AD1E720103F for ; Fri, 25 Oct 2024 11:40:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.85 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729856436; cv=none; b=ZU8oHwOnpIVTRnjMcGdCoEEs/Od2vPucwUZ38gw3F6DoNLHJLcR7p6rrP9V3Pok8vibbQH+muKzc2eKpSWfTSCPHf6L/tmD6lHzRv/jAKDcOCjO+52MasoS06nyQqTspTHjglTAllDCRSDtKDKHlalU4k+zLOfXqa3Q3ud6LsuE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729856436; c=relaxed/simple; bh=BaSNYLDn5CaKf66hrsneBs0SFxrfIqFx8IhK3M98mNw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=qWagq0+XVaU23N1DbZtHP9Wwm5zIFoAmtHpqqjePS9rFUa7eHYPhKbHqxaPXRmqrVtUB1hRA02re6W5PpaRPDAVajrbf/2mj3yveRAbL3Cowcj6QjRVquSU7atZjCeM7tmAydWxZC6o4PWjDUS3D6WyMZ1mSGAzV6YgOrD15u0U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru; spf=pass smtp.mailfrom=yandex.ru; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b=Qq9yMMzD; arc=none smtp.client-ip=178.154.239.85 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=yandex.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yandex.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yandex.ru header.i=@yandex.ru header.b="Qq9yMMzD" Received: from mail-nwsmtp-smtp-production-main-38.myt.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-38.myt.yp-c.yandex.net [IPv6:2a02:6b8:c12:519b:0:640:6288:0]) by forward102a.mail.yandex.net (Yandex) with ESMTPS id C9F8660D2E; Fri, 25 Oct 2024 14:40:23 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-38.myt.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id KeTsSg7oEGk0-FZjSg9ue; Fri, 25 Oct 2024 14:40:22 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1729856423; bh=A/Iq8FpRcnCxhMgvI3KA98eWjUxlaBWpnJJDUjOrFUg=; h=Message-ID:Date:Cc:Subject:To:From; b=Qq9yMMzD9I8/5Mg+x/SGGX1A3m2SA3aZx5k8kPoST3raG9BprOn/xF+/f+J941pBT 2KWZcAYO9XzLOmnGHVnnsUHkh+uyzFI4zG/j7VW1Mw9QIXRt8crGh7DFP26UQqUzgG J9Zd6PihV+H09QZg6eWm6PA6mbqbB5WbI2W/3qE4= Authentication-Results: mail-nwsmtp-smtp-production-main-38.myt.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Luiz Augusto von Dentz Cc: Marcel Holtmann , Johan Hedberg , linux-bluetooth@vger.kernel.org, lvc-project@linuxtesting.org, Dmitry Antipov , syzbot+6cf5652d3df49fae2e3f@syzkaller.appspotmail.com Subject: [PATCH] Bluetooth: fix use-after-free in device_for_each_child() Date: Fri, 25 Oct 2024 14:40:18 +0300 Message-ID: <20241025114018.574041-1-dmantipov@yandex.ru> X-Mailer: git-send-email 2.47.0 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Syzbot has reported the following KASAN splat: BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0 Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980 CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: dump_stack_lvl+0x100/0x190 ? device_for_each_child+0x18f/0x1a0 print_report+0x13a/0x4cb ? __virt_addr_valid+0x5e/0x590 ? __phys_addr+0xc6/0x150 ? device_for_each_child+0x18f/0x1a0 kasan_report+0xda/0x110 ? device_for_each_child+0x18f/0x1a0 ? __pfx_dev_memalloc_noio+0x10/0x10 device_for_each_child+0x18f/0x1a0 ? __pfx_device_for_each_child+0x10/0x10 pm_runtime_set_memalloc_noio+0xf2/0x180 netdev_unregister_kobject+0x1ed/0x270 unregister_netdevice_many_notify+0x123c/0x1d80 ? __mutex_trylock_common+0xde/0x250 ? __pfx_unregister_netdevice_many_notify+0x10/0x10 ? trace_contention_end+0xe6/0x140 ? __mutex_lock+0x4e7/0x8f0 ? __pfx_lock_acquire.part.0+0x10/0x10 ? rcu_is_watching+0x12/0xc0 ? unregister_netdev+0x12/0x30 unregister_netdevice_queue+0x30d/0x3f0 ? __pfx_unregister_netdevice_queue+0x10/0x10 ? __pfx_down_write+0x10/0x10 unregister_netdev+0x1c/0x30 bnep_session+0x1fb3/0x2ab0 ? __pfx_bnep_session+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_woken_wake_function+0x10/0x10 ? __kthread_parkme+0x132/0x200 ? __pfx_bnep_session+0x10/0x10 ? kthread+0x13a/0x370 ? __pfx_bnep_session+0x10/0x10 kthread+0x2b7/0x370 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x48/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Allocated by task 4974: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 __kmalloc_noprof+0x1d1/0x440 hci_alloc_dev_priv+0x1d/0x2820 __vhci_create_device+0xef/0x7d0 vhci_write+0x2c7/0x480 vfs_write+0x6a0/0xfc0 ksys_write+0x12f/0x260 do_syscall_64+0xc7/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 4979: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x4f/0x70 kfree+0x141/0x490 hci_release_dev+0x4d9/0x600 bt_host_release+0x6a/0xb0 device_release+0xa4/0x240 kobject_put+0x1ec/0x5a0 put_device+0x1f/0x30 vhci_release+0x81/0xf0 __fput+0x3f6/0xb30 task_work_run+0x151/0x250 do_exit+0xa79/0x2c30 do_group_exit+0xd5/0x2a0 get_signal+0x1fcd/0x2210 arch_do_signal_or_restart+0x93/0x780 syscall_exit_to_user_mode+0x140/0x290 do_syscall_64+0xd4/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fix this by doing 'device_del()' later and immediately before freeing its 'struct hci_dev' container. Otherwise the former might race against 'unregister_netdev()' innards called when 'bnep_session()' is going to terminate. Reported-by: syzbot+6cf5652d3df49fae2e3f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6cf5652d3df49fae2e3f Fixes: bdc3e0f1d201 ("Bluetooth: Move device_add handling into hci_register_dev") Signed-off-by: Dmitry Antipov --- net/bluetooth/hci_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 96d097b21d13..f1195b110495 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2716,7 +2716,6 @@ void hci_unregister_dev(struct hci_dev *hdev) rfkill_destroy(hdev->rfkill); } - device_del(&hdev->dev); /* Actual cleanup is deferred until hci_release_dev(). */ hci_dev_put(hdev); } @@ -2756,6 +2755,8 @@ void hci_release_dev(struct hci_dev *hdev) kfree_skb(hdev->sent_cmd); kfree_skb(hdev->req_skb); kfree_skb(hdev->recv_event); + + device_del(&hdev->dev); kfree(hdev); } EXPORT_SYMBOL(hci_release_dev);