Re: [PATCH v7 1/2] bluetooth: Handle MSFT Monitor Device Event

From: Dan Carpenter
Date: Mon Dec 06 2021 - 08:58:32 EST


Hi Manish,

url: https://github.com/0day-ci/linux/commits/Manish-Mandlik/bluetooth-Handle-MSFT-Monitor-Device-Event/20211203-151659
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
config: x86_64-randconfig-m001-20211203 (https://download.01.org/0day-ci/archive/20211205/202112050416.RYsEcWkk-lkp@xxxxxxxxx/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

smatch warnings:
net/bluetooth/msft.c:312 msft_le_cancel_monitor_advertisement_cb() error: dereferencing freed memory 'handle_data'

vim +/handle_data +312 net/bluetooth/msft.c

182ee45da083db Luiz Augusto von Dentz 2021-10-27 266 static void msft_le_cancel_monitor_advertisement_cb(struct hci_dev *hdev,
182ee45da083db Luiz Augusto von Dentz 2021-10-27 267 						    u8 status, u16 opcode,
182ee45da083db Luiz Augusto von Dentz 2021-10-27 268 						    struct sk_buff *skb)
ce81843be24e9d Manish Mandlik 2021-09-21 269 {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 270 	struct msft_cp_le_cancel_monitor_advertisement *cp;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 271 	struct msft_rp_le_cancel_monitor_advertisement *rp;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 272 	struct adv_monitor *monitor;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 273 	struct msft_monitor_advertisement_handle_data *handle_data;
ce81843be24e9d Manish Mandlik 2021-09-21 274 	struct msft_data *msft = hdev->msft_data;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 275 	int err;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 276 	bool pending;
eb96f195e598b7 Manish Mandlik 2021-12-02 277 	struct monitored_device *dev, *tmp;
ce81843be24e9d Manish Mandlik 2021-09-21 278
182ee45da083db Luiz Augusto von Dentz 2021-10-27 279 	if (status)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 280 		goto done;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 281
182ee45da083db Luiz Augusto von Dentz 2021-10-27 282 	rp = (struct msft_rp_le_cancel_monitor_advertisement *)skb->data;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 283 	if (skb->len < sizeof(*rp)) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 284 		status = HCI_ERROR_UNSPECIFIED;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 285 		goto done;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 286 	}
182ee45da083db Luiz Augusto von Dentz 2021-10-27 287
182ee45da083db Luiz Augusto von Dentz 2021-10-27 288 	hci_dev_lock(hdev);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 289
182ee45da083db Luiz Augusto von Dentz 2021-10-27 290 	cp = hci_sent_cmd_data(hdev, hdev->msft_opcode);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 291 	handle_data = msft_find_handle_data(hdev, cp->handle, false);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 292
182ee45da083db Luiz Augusto von Dentz 2021-10-27 293 	if (handle_data) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 294 		monitor = idr_find(&hdev->adv_monitors_idr,
182ee45da083db Luiz Augusto von Dentz 2021-10-27 295 				   handle_data->mgmt_handle);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 296
182ee45da083db Luiz Augusto von Dentz 2021-10-27 297 		if (monitor && monitor->state == ADV_MONITOR_STATE_OFFLOADED)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 298 			monitor->state = ADV_MONITOR_STATE_REGISTERED;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 299
182ee45da083db Luiz Augusto von Dentz 2021-10-27 300 		/* Do not free the monitor if it is being removed due to
182ee45da083db Luiz Augusto von Dentz 2021-10-27 301 		 * suspend. It will be re-monitored on resume.
182ee45da083db Luiz Augusto von Dentz 2021-10-27 302 		 */
182ee45da083db Luiz Augusto von Dentz 2021-10-27 303 		if (monitor && !msft->suspending)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 304 			hci_free_adv_monitor(hdev, monitor);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 305
182ee45da083db Luiz Augusto von Dentz 2021-10-27 306 		list_del(&handle_data->list);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 307 		kfree(handle_data);
^^^^^^^^^^^^^^^^^^
Free

eb96f195e598b7 Manish Mandlik 2021-12-02 308
eb96f195e598b7 Manish Mandlik 2021-12-02 309 		/* Clear any monitored devices by this Adv Monitor */
eb96f195e598b7 Manish Mandlik 2021-12-02 310 		list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices,
eb96f195e598b7 Manish Mandlik 2021-12-02 311 					 list) {
eb96f195e598b7 Manish Mandlik 2021-12-02 @312 			if (dev->handle == handle_data->mgmt_handle) {
^^^^^^^^^^^^^^^^^^^^^^^^
Use after free.

eb96f195e598b7 Manish Mandlik 2021-12-02 313 				list_del(&dev->list);
eb96f195e598b7 Manish Mandlik 2021-12-02 314 				kfree(dev);
eb96f195e598b7 Manish Mandlik 2021-12-02 315 			}
eb96f195e598b7 Manish Mandlik 2021-12-02 316 		}
182ee45da083db Luiz Augusto von Dentz 2021-10-27 317 	}
182ee45da083db Luiz Augusto von Dentz 2021-10-27 318
182ee45da083db Luiz Augusto von Dentz 2021-10-27 319 	/* If remove all monitors is required, we need to continue the process
182ee45da083db Luiz Augusto von Dentz 2021-10-27 320 	 * here because the earlier it was paused when waiting for the
182ee45da083db Luiz Augusto von Dentz 2021-10-27 321 	 * response from controller.
182ee45da083db Luiz Augusto von Dentz 2021-10-27 322 	 */
182ee45da083db Luiz Augusto von Dentz 2021-10-27 323 	if (msft->pending_remove_handle == 0) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 324 		pending = hci_remove_all_adv_monitor(hdev, &err);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 325 		if (pending) {
182ee45da083db Luiz Augusto von Dentz 2021-10-27 326 			hci_dev_unlock(hdev);
ce81843be24e9d Manish Mandlik 2021-09-21 327 			return;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 328 		}
182ee45da083db Luiz Augusto von Dentz 2021-10-27 329
182ee45da083db Luiz Augusto von Dentz 2021-10-27 330 		if (err)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 331 			status = HCI_ERROR_UNSPECIFIED;
182ee45da083db Luiz Augusto von Dentz 2021-10-27 332 	}
182ee45da083db Luiz Augusto von Dentz 2021-10-27 333
182ee45da083db Luiz Augusto von Dentz 2021-10-27 334 	hci_dev_unlock(hdev);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 335
182ee45da083db Luiz Augusto von Dentz 2021-10-27 336 done:
182ee45da083db Luiz Augusto von Dentz 2021-10-27 337 	if (!msft->suspending)
182ee45da083db Luiz Augusto von Dentz 2021-10-27 338 		hci_remove_adv_monitor_complete(hdev, status);
182ee45da083db Luiz Augusto von Dentz 2021-10-27 339 }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
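The report above flags an ordering defect: kfree(handle_data) at line 307 is followed by a read of handle_data->mgmt_handle inside the cleanup loop at line 312. The block below is an added example, not code from the kernel or from this thread, that models the corrected ordering in plain userspace C: the value the loop still needs is copied out of the node, the node is freed, and the loop runs against the copy. The struct names, the singly linked lists standing in for the kernel's list_head lists, and the sample handles are assumptions of the example. Running the cleanup loop before the kfree() would fix the same defect equally well; the point either way is that nothing dereferences handle_data once it has been freed.

```c
/* Added example, not kernel code: a userspace model of the ordering fix for the
 * use-after-free smatch flagged at msft.c:312.  The list types are simplified
 * stand-ins for the kernel's handle_data and monitored_device structures; their
 * names and fields are assumptions of this example. */
#include <stdint.h>
#include <stdlib.h>

struct handle_data {
	uint16_t msft_handle;		/* handle the controller echoes back */
	uint16_t mgmt_handle;		/* handle the MGMT layer knows the monitor by */
	struct handle_data *next;
};

struct monitored_device {
	uint16_t handle;		/* mgmt_handle of the monitor that matched it */
	struct monitored_device *next;
};

/* Unlink and free every device matching mgmt_handle; return how many. */
static int clear_monitored_devices(struct monitored_device **head, uint16_t mgmt_handle)
{
	struct monitored_device **pp = head;
	int removed = 0;

	while (*pp) {
		struct monitored_device *dev = *pp;

		if (dev->handle == mgmt_handle) {
			*pp = dev->next;	/* unlink first, as list_del() does */
			free(dev);
			removed++;
		} else {
			pp = &dev->next;
		}
	}
	return removed;
}

/* The flagged code called kfree(handle_data) and then read
 * handle_data->mgmt_handle inside the cleanup loop.  The fix is purely one of
 * ordering: copy mgmt_handle out, free the node, then loop over the saved copy.
 * Returns the number of devices removed, or -1 if msft_handle is unknown. */
static int cancel_monitor_fixed(struct handle_data **handles,
				struct monitored_device **devices, uint16_t msft_handle)
{
	struct handle_data **pp = handles, *hd;
	uint16_t mgmt_handle;

	while (*pp && (*pp)->msft_handle != msft_handle)
		pp = &(*pp)->next;
	if (!*pp)
		return -1;

	hd = *pp;
	mgmt_handle = hd->mgmt_handle;	/* 1. read what the loop still needs */
	*pp = hd->next;
	free(hd);			/* 2. free the node */
	return clear_monitored_devices(devices, mgmt_handle);	/* 3. use the copy */
}

static struct handle_data *push_handle(struct handle_data *head, uint16_t msft, uint16_t mgmt)
{
	struct handle_data *hd = malloc(sizeof(*hd));
	*hd = (struct handle_data){ .msft_handle = msft, .mgmt_handle = mgmt, .next = head };
	return hd;
}

static struct monitored_device *push_device(struct monitored_device *head, uint16_t handle)
{
	struct monitored_device *dev = malloc(sizeof(*dev));
	*dev = (struct monitored_device){ .handle = handle, .next = head };
	return dev;
}

/* devices removed by cancelling msft handle 1, devices left, result for an unknown handle */
struct demo_result { int removed, remaining, unknown; };

/* Constructed sample state: monitors msft 1 -> mgmt 10 and msft 2 -> mgmt 20, with
 * matched devices tagged 10, 20, 10.  Cancelling msft handle 1 must remove exactly
 * the two devices tagged 10 and leave the one tagged 20. */
static struct demo_result run_demo(void)
{
	struct handle_data *handles = NULL;
	struct monitored_device *devices = NULL, *d;
	struct demo_result r = { 0, 0, 0 };
	handles = push_handle(handles, 1, 10);
	handles = push_handle(handles, 2, 20);
	devices = push_device(devices, 10);
	devices = push_device(devices, 20);
	devices = push_device(devices, 10);
	r.removed = cancel_monitor_fixed(&handles, &devices, 1);
	for (d = devices; d; d = d->next)
		r.remaining++;
	r.unknown = cancel_monitor_fixed(&handles, &devices, 9);
	clear_monitored_devices(&devices, 20);	/* release what is left */
	free(handles);				/* only the msft 2 node remains */
	return r;
}
```

run_demo() builds the sample lists, cancels msft handle 1 and reports 2 devices removed with 1 remaining; a lookup for a handle that was never registered returns -1 without touching either list.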