Patch "Bluetooth: btrtl: fix out of bounds memory access" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    Bluetooth: btrtl: fix out of bounds memory access

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-btrtl-fix-out-of-bounds-memory-access.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d8445e7b4ba516e27e73653f919697a16d561c5d
Author: Andrey Skvortsov <andrej.skvortzov@xxxxxxxxx>
Date:   Sat Feb 24 00:37:04 2024 +0300

    Bluetooth: btrtl: fix out of bounds memory access
    
    [ Upstream commit de4e88ec58c4202efd1f02eebb4939bbf6945358 ]
    
    The problem is detected by KASAN.
    btrtl driver uses private hci data to store 'struct btrealtek_data'.
    If btrtl driver is used with btusb, then memory for private hci data
    is allocated in btusb. But no private data is allocated after hci_dev,
    when btrtl is used with hci_h5.
    
    This commit adds memory allocation for hci_h5 case.
    
     ==================================================================
     BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
     Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76
    
     Hardware name: Pine64 PinePhone (1.2) (DT)
     Workqueue: hci0 hci_power_on [bluetooth]
     Call trace:
      dump_backtrace+0x9c/0x128
      show_stack+0x20/0x38
      dump_stack_lvl+0x48/0x60
      print_report+0xf8/0x5d8
      kasan_report+0x90/0xd0
      __asan_store8+0x9c/0xc0
             [btrtl]
      h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
      h5_setup+0x50/0x80 [hci_uart]
      hci_uart_setup+0xd4/0x260 [hci_uart]
      hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
      hci_dev_do_open+0x34/0x90 [bluetooth]
      hci_power_on+0xc4/0x3c8 [bluetooth]
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
    
     Allocated by task 53:
      kasan_save_stack+0x3c/0x68
      kasan_save_track+0x20/0x40
      kasan_save_alloc_info+0x68/0x78
      __kasan_kmalloc+0xd4/0xd8
      __kmalloc+0x1b4/0x3b0
      hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
      hci_uart_register_device+0x118/0x4f8 [hci_uart]
      h5_serdev_probe+0xf4/0x178 [hci_uart]
      serdev_drv_probe+0x54/0xa0
      really_probe+0x254/0x588
      __driver_probe_device+0xc4/0x210
      driver_probe_device+0x64/0x160
      __driver_attach_async_helper+0x88/0x158
      async_run_entry_fn+0xd0/0x388
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
    
     Last potentially related work creation:
      kasan_save_stack+0x3c/0x68
      __kasan_record_aux_stack+0xb0/0x150
      kasan_record_aux_stack_noalloc+0x14/0x20
      __queue_work+0x33c/0x960
      queue_work_on+0x98/0xc0
      hci_recv_frame+0xc8/0x1e8 [bluetooth]
      h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
      h5_rx_payload+0x98/0xb8 [hci_uart]
      h5_recv+0x158/0x3d8 [hci_uart]
      hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
      ttyport_receive_buf+0xac/0x178
      flush_to_ldisc+0x130/0x2c8
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
    
     Second to last potentially related work creation:
      kasan_save_stack+0x3c/0x68
      __kasan_record_aux_stack+0xb0/0x150
      kasan_record_aux_stack_noalloc+0x14/0x20
      __queue_work+0x788/0x960
      queue_work_on+0x98/0xc0
      __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
      __hci_cmd_sync+0x24/0x38 [bluetooth]
      btrtl_initialize+0x760/0x958 [btrtl]
      h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
      h5_setup+0x50/0x80 [hci_uart]
      hci_uart_setup+0xd4/0x260 [hci_uart]
      hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
      hci_dev_do_open+0x34/0x90 [bluetooth]
      hci_power_on+0xc4/0x3c8 [bluetooth]
      process_one_work+0x328/0x6f0
      worker_thread+0x410/0x778
      kthread+0x168/0x178
      ret_from_fork+0x10/0x20
     ==================================================================
    
    Fixes: 5b355944b190 ("Bluetooth: btrtl: Add btrealtek data struct")
    Fixes: 044014ce85a1 ("Bluetooth: btrtl: Add Realtek devcoredump support")
    Signed-off-by: Andrey Skvortsov <andrej.skvortzov@xxxxxxxxx>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index b66136348bd64..c0436881a533c 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -1072,6 +1072,7 @@ static struct h5_vnd rtl_vnd = {
 	.suspend	= h5_btrtl_suspend,
 	.resume		= h5_btrtl_resume,
 	.acpi_gpio_map	= acpi_btrtl_gpios,
+	.sizeof_priv    = sizeof(struct btrealtek_data),
 };
 
 static const struct h5_device_data h5_data_rtl8822cs = {
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux