1. 24 Jun, 2020 2 commits
  2. 23 Jun, 2020 3 commits
    • Sean Wang's avatar
      Bluetooth: btmtksdio: fix up firmware download sequence · 737cd060
      Sean Wang authored
      Data RAM on the device have to be powered on before starting to download
      the firmware.
      
      Fixes: 9aebfd4a ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices")
      Co-developed-by: default avatarMark Chen <Mark-YW.Chen@mediatek.com>
      Signed-off-by: default avatarMark Chen <Mark-YW.Chen@mediatek.com>
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      737cd060
    • Sean Wang's avatar
      Bluetooth: btusb: fix up firmware download sequence · f6451257
      Sean Wang authored
      Data RAM on the device have to be powered on before starting to download
      the firmware.
      
      Fixes: a1c49c43 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices")
      Co-developed-by: default avatarMark Chen <Mark-YW.Chen@mediatek.com>
      Signed-off-by: default avatarMark Chen <Mark-YW.Chen@mediatek.com>
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      f6451257
    • Lihong Kou's avatar
      Bluetooth: add a mutex lock to avoid UAF in do_enale_set · f9c70bdc
      Lihong Kou authored
      In the case we set or free the global value listen_chan in
      different threads, we can encounter the UAF problems because
      the method is not protected by any lock, add one to avoid
      this bug.
      
      BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
      net/bluetooth/l2cap_core.c:730
      Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868
      
      CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 01/01/2011
      Workqueue: events do_enable_set
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1fb/0x318 lib/dump_stack.c:118
       print_address_description+0x74/0x5c0 mm/kasan/report.c:374
       __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
       kasan_report+0x26/0x50 mm/kasan/common.c:641
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
       do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
       process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
       worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
       kthread+0x332/0x350 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 2870:
       save_stack mm/kasan/common.c:72 [inline]
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
       kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
       kmalloc include/linux/slab.h:555 [inline]
       kzalloc include/linux/slab.h:669 [inline]
       l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
       chan_create net/bluetooth/6lowpan.c:640 [inline]
       bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
       do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
       process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
       worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
       kthread+0x332/0x350 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Freed by task 2870:
       save_stack mm/kasan/common.c:72 [inline]
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:337 [inline]
       __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x10d/0x220 mm/slab.c:3757
       l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
       kref_put include/linux/kref.h:65 [inline]
       l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
       do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
       process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
       worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
       kthread+0x332/0x350 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      The buggy address belongs to the object at ffff888096950000
       which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 0 bytes inside of
       2048-byte region [ffff888096950000, ffff888096950800)
      The buggy address belongs to the page:
      page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
      flags: 0xfffe0000000200(slab)
      raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
      raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
       ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
      Signed-off-by: default avatarLihong Kou <koulihong@huawei.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      f9c70bdc
  3. 22 Jun, 2020 3 commits
  4. 18 Jun, 2020 14 commits
  5. 12 Jun, 2020 11 commits
  6. 10 Jun, 2020 3 commits
  7. 08 Jun, 2020 4 commits