mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
5df5dafc17
Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
Possible race is when someone calls 'hci_tty_uart_close()' after this bit
is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
to uninitialized fields. To fix it let's set this bit after device was
registered (as before patch c411c62cc133) and to fix previous problem let's
add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
perform power up without original bit set (pls see commit c411c62cc133).
Crash backtrace from syzbot report:
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
Call Trace:
<TASK>
skb_queue_purge include/linux/skbuff.h:3364 [inline]
mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
__fput+0x86/0x2a0 fs/file_table.c:450
task_work_run+0x82/0xb0 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
Fixes: 366ceff495 ("Bluetooth: hci_uart: fix race during initialization")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
218 lines
5.1 KiB
C
218 lines
5.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/*
|
|
*
|
|
* Bluetooth HCI UART driver
|
|
*
|
|
* Copyright (C) 2000-2001 Qualcomm Incorporated
|
|
* Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com>
|
|
* Copyright (C) 2004-2005 Marcel Holtmann <marcel@holtmann.org>
|
|
*/
|
|
|
|
#ifndef N_HCI
|
|
#define N_HCI 15
|
|
#endif
|
|
|
|
/* Ioctls */
|
|
#define HCIUARTSETPROTO _IOW('U', 200, int)
|
|
#define HCIUARTGETPROTO _IOR('U', 201, int)
|
|
#define HCIUARTGETDEVICE _IOR('U', 202, int)
|
|
#define HCIUARTSETFLAGS _IOW('U', 203, int)
|
|
#define HCIUARTGETFLAGS _IOR('U', 204, int)
|
|
|
|
/* UART protocols */
|
|
#define HCI_UART_MAX_PROTO 13
|
|
|
|
#define HCI_UART_H4 0
|
|
#define HCI_UART_BCSP 1
|
|
#define HCI_UART_3WIRE 2
|
|
#define HCI_UART_H4DS 3
|
|
#define HCI_UART_LL 4
|
|
#define HCI_UART_ATH3K 5
|
|
#define HCI_UART_INTEL 6
|
|
#define HCI_UART_BCM 7
|
|
#define HCI_UART_QCA 8
|
|
#define HCI_UART_AG6XX 9
|
|
#define HCI_UART_NOKIA 10
|
|
#define HCI_UART_MRVL 11
|
|
#define HCI_UART_AML 12
|
|
|
|
#define HCI_UART_RAW_DEVICE 0
|
|
#define HCI_UART_RESET_ON_INIT 1
|
|
#define HCI_UART_INIT_PENDING 3
|
|
#define HCI_UART_EXT_CONFIG 4
|
|
#define HCI_UART_VND_DETECT 5
|
|
|
|
struct hci_uart;
|
|
struct serdev_device;
|
|
|
|
struct hci_uart_proto {
|
|
unsigned int id;
|
|
const char *name;
|
|
unsigned int manufacturer;
|
|
unsigned int init_speed;
|
|
unsigned int oper_speed;
|
|
int (*open)(struct hci_uart *hu);
|
|
int (*close)(struct hci_uart *hu);
|
|
int (*flush)(struct hci_uart *hu);
|
|
int (*setup)(struct hci_uart *hu);
|
|
int (*set_baudrate)(struct hci_uart *hu, unsigned int speed);
|
|
int (*recv)(struct hci_uart *hu, const void *data, int len);
|
|
int (*enqueue)(struct hci_uart *hu, struct sk_buff *skb);
|
|
struct sk_buff *(*dequeue)(struct hci_uart *hu);
|
|
};
|
|
|
|
struct hci_uart {
|
|
struct tty_struct *tty;
|
|
struct serdev_device *serdev;
|
|
struct hci_dev *hdev;
|
|
unsigned long flags;
|
|
unsigned long hdev_flags;
|
|
|
|
struct work_struct init_ready;
|
|
struct work_struct write_work;
|
|
|
|
const struct hci_uart_proto *proto;
|
|
struct percpu_rw_semaphore proto_lock; /* Stop work for proto close */
|
|
void *priv;
|
|
|
|
struct sk_buff *tx_skb;
|
|
unsigned long tx_state;
|
|
|
|
unsigned int init_speed;
|
|
unsigned int oper_speed;
|
|
|
|
u8 alignment;
|
|
u8 padding;
|
|
};
|
|
|
|
/* HCI_UART proto flag bits */
|
|
#define HCI_UART_PROTO_SET 0
|
|
#define HCI_UART_REGISTERED 1
|
|
#define HCI_UART_PROTO_READY 2
|
|
#define HCI_UART_NO_SUSPEND_NOTIFIER 3
|
|
#define HCI_UART_PROTO_INIT 4
|
|
|
|
/* TX states */
|
|
#define HCI_UART_SENDING 1
|
|
#define HCI_UART_TX_WAKEUP 2
|
|
|
|
int hci_uart_register_proto(const struct hci_uart_proto *p);
|
|
int hci_uart_unregister_proto(const struct hci_uart_proto *p);
|
|
|
|
int hci_uart_register_device_priv(struct hci_uart *hu,
|
|
const struct hci_uart_proto *p,
|
|
int sizeof_priv);
|
|
|
|
static inline int hci_uart_register_device(struct hci_uart *hu,
|
|
const struct hci_uart_proto *p)
|
|
{
|
|
return hci_uart_register_device_priv(hu, p, 0);
|
|
}
|
|
|
|
void hci_uart_unregister_device(struct hci_uart *hu);
|
|
|
|
int hci_uart_tx_wakeup(struct hci_uart *hu);
|
|
int hci_uart_wait_until_sent(struct hci_uart *hu);
|
|
int hci_uart_init_ready(struct hci_uart *hu);
|
|
void hci_uart_init_work(struct work_struct *work);
|
|
void hci_uart_set_baudrate(struct hci_uart *hu, unsigned int speed);
|
|
bool hci_uart_has_flow_control(struct hci_uart *hu);
|
|
void hci_uart_set_flow_control(struct hci_uart *hu, bool enable);
|
|
void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed,
|
|
unsigned int oper_speed);
|
|
|
|
#ifdef CONFIG_BT_HCIUART_H4
|
|
int h4_init(void);
|
|
int h4_deinit(void);
|
|
|
|
struct h4_recv_pkt {
|
|
u8 type; /* Packet type */
|
|
u8 hlen; /* Header length */
|
|
u8 loff; /* Data length offset in header */
|
|
u8 lsize; /* Data length field size */
|
|
u16 maxlen; /* Max overall packet length */
|
|
int (*recv)(struct hci_dev *hdev, struct sk_buff *skb);
|
|
};
|
|
|
|
#define H4_RECV_ACL \
|
|
.type = HCI_ACLDATA_PKT, \
|
|
.hlen = HCI_ACL_HDR_SIZE, \
|
|
.loff = 2, \
|
|
.lsize = 2, \
|
|
.maxlen = HCI_MAX_FRAME_SIZE \
|
|
|
|
#define H4_RECV_SCO \
|
|
.type = HCI_SCODATA_PKT, \
|
|
.hlen = HCI_SCO_HDR_SIZE, \
|
|
.loff = 2, \
|
|
.lsize = 1, \
|
|
.maxlen = HCI_MAX_SCO_SIZE
|
|
|
|
#define H4_RECV_EVENT \
|
|
.type = HCI_EVENT_PKT, \
|
|
.hlen = HCI_EVENT_HDR_SIZE, \
|
|
.loff = 1, \
|
|
.lsize = 1, \
|
|
.maxlen = HCI_MAX_EVENT_SIZE
|
|
|
|
#define H4_RECV_ISO \
|
|
.type = HCI_ISODATA_PKT, \
|
|
.hlen = HCI_ISO_HDR_SIZE, \
|
|
.loff = 2, \
|
|
.lsize = 2, \
|
|
.maxlen = HCI_MAX_FRAME_SIZE \
|
|
|
|
struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb,
|
|
const unsigned char *buffer, int count,
|
|
const struct h4_recv_pkt *pkts, int pkts_count);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_BCSP
|
|
int bcsp_init(void);
|
|
int bcsp_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_LL
|
|
int ll_init(void);
|
|
int ll_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_ATH3K
|
|
int ath_init(void);
|
|
int ath_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_3WIRE
|
|
int h5_init(void);
|
|
int h5_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_INTEL
|
|
int intel_init(void);
|
|
int intel_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_BCM
|
|
int bcm_init(void);
|
|
int bcm_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_QCA
|
|
int qca_init(void);
|
|
int qca_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_AG6XX
|
|
int ag6xx_init(void);
|
|
int ag6xx_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_MRVL
|
|
int mrvl_init(void);
|
|
int mrvl_deinit(void);
|
|
#endif
|
|
|
|
#ifdef CONFIG_BT_HCIUART_AML
|
|
int aml_init(void);
|
|
int aml_deinit(void);
|
|
#endif
|