From patchwork Tue Apr 30 23:19:00 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1929865
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH 1/2] Bluetooth: hci_h5: Add ability to allocate memory for private data
Date: Tue, 30 Apr 2024 18:19:00 -0500
Message-Id: <20240430231901.76648-2-bethany.jamison@canonical.com>
In-Reply-To: <20240430231901.76648-1-bethany.jamison@canonical.com>
References: <20240430231901.76648-1-bethany.jamison@canonical.com>

From: Andrey Skvortsov

In some cases uart-based drivers may need to use priv data. For example, to store information needed for devcoredump.

Fixes: 044014ce85a1 ("Bluetooth: btrtl: Add Realtek devcoredump support")
Signed-off-by: Andrey Skvortsov
Signed-off-by: Luiz Augusto von Dentz
(cherry picked from commit 7a6d793e9ca8bc0c1d2f0aa0a02ec380d1124c74)
CVE-2024-26890
Signed-off-by: Bethany Jamison
---
 drivers/bluetooth/hci_h5.c     |  4 +++-
 drivers/bluetooth/hci_serdev.c |  9 +++++----
 drivers/bluetooth/hci_uart.h   | 12 +++++++++++-
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c index fefc37b98b4ac..de9cd8cc87adb 100644 --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c @@ -113,6 +113,7 @@ struct h5_vnd { int (*suspend)(struct h5 *h5); int (*resume)(struct h5 *h5); const struct acpi_gpio_mapping *acpi_gpio_map; + int sizeof_priv; }; struct h5_device_data {
@@ -863,7 +864,8 @@ static int h5_serdev_probe(struct serdev_device *serdev) if (IS_ERR(h5->device_wake_gpio)) return PTR_ERR(h5->device_wake_gpio); - return hci_uart_register_device(&h5->serdev_hu, &h5p); + return hci_uart_register_device_priv(&h5->serdev_hu, &h5p, + h5->vnd->sizeof_priv); } static void h5_serdev_remove(struct serdev_device *serdev) diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c index f16fd79bc02b8..611a11fbb2f3a 100644 --- a/drivers/bluetooth/hci_serdev.c +++ b/drivers/bluetooth/hci_serdev.c @@ -300,8 +300,9 @@ static const struct serdev_device_ops hci_serdev_client_ops = { .write_wakeup = hci_uart_write_wakeup, }; -int hci_uart_register_device(struct hci_uart *hu, - const struct hci_uart_proto *p) +int hci_uart_register_device_priv(struct hci_uart *hu, + const struct hci_uart_proto *p, + int sizeof_priv) { int err; struct hci_dev *hdev; @@ -325,7 +326,7 @@ int hci_uart_register_device(struct hci_uart *hu, set_bit(HCI_UART_PROTO_READY, &hu->flags); /* Initialize and register HCI device */ - hdev = hci_alloc_dev(); + hdev = hci_alloc_dev_priv(sizeof_priv); if (!hdev) { BT_ERR("Can't allocate HCI device"); err = -ENOMEM; @@ -394,7 +395,7 @@ int hci_uart_register_device(struct hci_uart *hu, percpu_free_rwsem(&hu->proto_lock); return err; } -EXPORT_SYMBOL_GPL(hci_uart_register_device); +EXPORT_SYMBOL_GPL(hci_uart_register_device_priv); void hci_uart_unregister_device(struct hci_uart *hu) { diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h index fb4a2d0d8cc80..68c8c7e95d64d 100644 --- a/drivers/bluetooth/hci_uart.h +++ b/drivers/bluetooth/hci_uart.h 
@@ -97,7 +97,17 @@ struct hci_uart { int hci_uart_register_proto(const struct hci_uart_proto *p); int hci_uart_unregister_proto(const struct hci_uart_proto *p); -int hci_uart_register_device(struct hci_uart *hu, const struct hci_uart_proto *p); + +int hci_uart_register_device_priv(struct hci_uart *hu, + const struct hci_uart_proto *p, + int sizeof_priv); + +static inline int hci_uart_register_device(struct hci_uart *hu, + const struct hci_uart_proto *p) +{ + return hci_uart_register_device_priv(hu, p, 0); +} + void hci_uart_unregister_device(struct hci_uart *hu); int hci_uart_tx_wakeup(struct hci_uart *hu);
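Review bot: the new `int sizeof_priv;` member added to `struct h5_vnd` in the first hci_h5.c hunk carries no comment, and nothing says that 0 means "no private data". Every other `h5_vnd` definition that does not set it relies on static zero-initialisation, which is correct but worth stating next to the field, e.g. `int sizeof_priv; /* size of hci_dev private data, 0 if none */`, so that a future vendor entry does not leave it unset by accident.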
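Review bot: in the h5_serdev_probe() hunk, `h5->vnd->sizeof_priv` is dereferenced unconditionally, which is only safe if every h5_device_data match entry populates `vnd`. If any entry can leave it NULL, this turns a clean registration into a NULL dereference at probe time; either confirm that all entries set `vnd`, or pass `h5->vnd ? h5->vnd->sizeof_priv : 0` to `hci_uart_register_device_priv()`.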
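Review bot: the first hci_serdev.c hunk introduces `int sizeof_priv` as a signed parameter that goes straight into `hci_alloc_dev_priv(sizeof_priv)` with no range check, so a negative value from a mis-set vendor table would not be rejected here. A guard such as `if (sizeof_priv < 0) return -EINVAL;` at the top of hci_uart_register_device_priv() is cheap and keeps the failure local to the caller that got the size wrong.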
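Review bot: the last hci_serdev.c hunk replaces `EXPORT_SYMBOL_GPL(hci_uart_register_device);` with `EXPORT_SYMBOL_GPL(hci_uart_register_device_priv);`, so the old symbol disappears from the module's exported set. In-tree protocol drivers keep building through the header's static inline, but for an SRU this is an exported-symbol change that the modules/ABI check should be expected to flag, and it deserves a sentence in the cover letter so the reviewer is not surprised by the diff in the symbol list.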
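Review bot: in the hci_uart.h hunk the compatibility wrapper `hci_uart_register_device()` forwards `0` as `sizeof_priv` but has no comment explaining that this preserves the previous behaviour; the correctness of every unchanged caller now rests on `hci_alloc_dev_priv(0)` allocating exactly what `hci_alloc_dev()` did. Please confirm that equivalence for this tree and note it in the commit message or above the inline, so the rename reads as behaviour-preserving rather than as a silent change to every UART driver's allocation.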
From patchwork Tue Apr 30 23:19:01 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1929864
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH 2/2] Bluetooth: btrtl: fix out of bounds memory access
Date: Tue, 30 Apr 2024 18:19:01 -0500
Message-Id: <20240430231901.76648-3-bethany.jamison@canonical.com>
In-Reply-To: <20240430231901.76648-1-bethany.jamison@canonical.com>
References: <20240430231901.76648-1-bethany.jamison@canonical.com>
From: Andrey Skvortsov

[ Upstream commit de4e88ec58c4202efd1f02eebb4939bbf6945358 ]

The problem is detected by KASAN.

btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5.

This commit adds memory allocation for hci_h5 case.

==================================================================
BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76

Hardware name: Pine64 PinePhone (1.2) (DT)
Workqueue: hci0 hci_power_on [bluetooth]
Call trace:
 dump_backtrace+0x9c/0x128
 show_stack+0x20/0x38
 dump_stack_lvl+0x48/0x60
 print_report+0xf8/0x5d8
 kasan_report+0x90/0xd0
 __asan_store8+0x9c/0xc0
 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Allocated by task 53:
 kasan_save_stack+0x3c/0x68
 kasan_save_track+0x20/0x40
 kasan_save_alloc_info+0x68/0x78
 __kasan_kmalloc+0xd4/0xd8
 __kmalloc+0x1b4/0x3b0
 hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
 hci_uart_register_device+0x118/0x4f8 [hci_uart]
 h5_serdev_probe+0xf4/0x178 [hci_uart]
 serdev_drv_probe+0x54/0xa0
 really_probe+0x254/0x588
 __driver_probe_device+0xc4/0x210
 driver_probe_device+0x64/0x160
 __driver_attach_async_helper+0x88/0x158
 async_run_entry_fn+0xd0/0x388
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x33c/0x960
 queue_work_on+0x98/0xc0
 hci_recv_frame+0xc8/0x1e8 [bluetooth]
 h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
 h5_rx_payload+0x98/0xb8 [hci_uart]
 h5_recv+0x158/0x3d8 [hci_uart]
 hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
 ttyport_receive_buf+0xac/0x178
 flush_to_ldisc+0x130/0x2c8
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x788/0x960
 queue_work_on+0x98/0xc0
 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
 __hci_cmd_sync+0x24/0x38 [bluetooth]
 btrtl_initialize+0x760/0x958 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20
==================================================================

Fixes: 5b355944b190 ("Bluetooth: btrtl: Add btrealtek data struct")
Fixes: 044014ce85a1 ("Bluetooth: btrtl: Add Realtek devcoredump support")
Signed-off-by: Andrey Skvortsov
Signed-off-by: Luiz Augusto von Dentz
Signed-off-by: Sasha Levin
(cherry picked from commit dd163fa34c483f1674aa2510accce11a224f649e linux.6.6.y)
CVE-2024-26890
Signed-off-by: Bethany Jamison
---
 drivers/bluetooth/hci_h5.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c index de9cd8cc87adb..97f8eebf7005f 100644 --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c @@ -1072,6 +1072,7 @@ static struct h5_vnd rtl_vnd = { .suspend = h5_btrtl_suspend, .resume = h5_btrtl_resume, .acpi_gpio_map = acpi_btrtl_gpios, + .sizeof_priv = sizeof(struct btrealtek_data), }; static const struct h5_device_data h5_data_rtl8822cs = {
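Review bot: `.sizeof_priv = sizeof(struct btrealtek_data),` is the whole fix, and it only works together with patch 1/2, which adds the field and the `hci_uart_register_device_priv()` path; with 1/2 alone the Realtek H5 path still allocates 0 bytes of private data and the slab-out-of-bounds write shown in the commit message remains, so the two must land as a unit in the SRU. The line also ties hci_h5.c to the size of a struct owned by btrtl: a short comment that the value must match what btrtl stores through the hci private data would help whoever next adds a vendor to `rtl_vnd`'s neighbours, since every other `h5_vnd` still leaves `sizeof_priv` at 0.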