mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-01 02:36:02 +00:00
10f9f426ac
Tying the msft->data lifetime to hdev by freeing it in
hci_release_dev() to fix the following case:
[use]
msft_do_close()
msft = hdev->msft_data;
if (!msft) ...(1) <- passed.
return;
mutex_lock(&msft->filter_lock); ...(4) <- used after freed.
[free]
msft_unregister()
msft = hdev->msft_data;
hdev->msft_data = NULL; ...(2)
kfree(msft); ...(3) <- msft is freed.
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common
kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30
kernel/locking/mutex.c:752
Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309
Fixes: bf6a4e30ff
("Bluetooth: disable advertisement filters during suspend")
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
79 lines
2.4 KiB
C
79 lines
2.4 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Copyright (C) 2020 Google Corporation
|
|
*/
|
|
|
|
#define MSFT_FEATURE_MASK_BREDR_RSSI_MONITOR BIT(0)
|
|
#define MSFT_FEATURE_MASK_LE_CONN_RSSI_MONITOR BIT(1)
|
|
#define MSFT_FEATURE_MASK_LE_ADV_RSSI_MONITOR BIT(2)
|
|
#define MSFT_FEATURE_MASK_LE_ADV_MONITOR BIT(3)
|
|
#define MSFT_FEATURE_MASK_CURVE_VALIDITY BIT(4)
|
|
#define MSFT_FEATURE_MASK_CONCURRENT_ADV_MONITOR BIT(5)
|
|
|
|
#if IS_ENABLED(CONFIG_BT_MSFTEXT)
|
|
|
|
bool msft_monitor_supported(struct hci_dev *hdev);
|
|
void msft_register(struct hci_dev *hdev);
|
|
void msft_release(struct hci_dev *hdev);
|
|
void msft_do_open(struct hci_dev *hdev);
|
|
void msft_do_close(struct hci_dev *hdev);
|
|
void msft_vendor_evt(struct hci_dev *hdev, void *data, struct sk_buff *skb);
|
|
__u64 msft_get_features(struct hci_dev *hdev);
|
|
int msft_add_monitor_pattern(struct hci_dev *hdev, struct adv_monitor *monitor);
|
|
int msft_remove_monitor(struct hci_dev *hdev, struct adv_monitor *monitor);
|
|
void msft_req_add_set_filter_enable(struct hci_request *req, bool enable);
|
|
int msft_set_filter_enable(struct hci_dev *hdev, bool enable);
|
|
int msft_suspend_sync(struct hci_dev *hdev);
|
|
int msft_resume_sync(struct hci_dev *hdev);
|
|
bool msft_curve_validity(struct hci_dev *hdev);
|
|
|
|
#else
|
|
|
|
static inline bool msft_monitor_supported(struct hci_dev *hdev)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
static inline void msft_register(struct hci_dev *hdev) {}
|
|
static inline void msft_release(struct hci_dev *hdev) {}
|
|
static inline void msft_do_open(struct hci_dev *hdev) {}
|
|
static inline void msft_do_close(struct hci_dev *hdev) {}
|
|
static inline void msft_vendor_evt(struct hci_dev *hdev, void *data,
|
|
struct sk_buff *skb) {}
|
|
static inline __u64 msft_get_features(struct hci_dev *hdev) { return 0; }
|
|
static inline int msft_add_monitor_pattern(struct hci_dev *hdev,
|
|
struct adv_monitor *monitor)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline int msft_remove_monitor(struct hci_dev *hdev,
|
|
struct adv_monitor *monitor)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline void msft_req_add_set_filter_enable(struct hci_request *req,
|
|
bool enable) {}
|
|
static inline int msft_set_filter_enable(struct hci_dev *hdev, bool enable)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline int msft_suspend_sync(struct hci_dev *hdev)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline int msft_resume_sync(struct hci_dev *hdev)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline bool msft_curve_validity(struct hci_dev *hdev)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
#endif
|