Commit aea24ef5 authored Jul 10, 2023 by Lee, Chun-Yi Committed by Greg Kroah-Hartman Sep 04, 2024

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO



commit 9c33663af9ad115f90c076a1828129a3fbadea98 upstream.

This patch adds code to check HCI_UART_PROTO_READY flag before
accessing hci_uart->proto. It fixes the race condition in
hci_uart_tty_ioctl() between HCIUARTSETPROTO and HCIUARTGETPROTO.
This issue bug found by Yu Hao and Weiteng Chen:

BUG: general protection fault in hci_uart_tty_ioctl [1]

The information of C reproducer can also reference the link [2]

Reported-by: Yu Hao <yhao016@ucr.edu>
Closes: https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/

 [1]
Reported-by: Weiteng Chen <wchen130@ucr.edu>
Closes: https://lore.kernel.org/lkml/CA+UBctDPEvHdkHMwD340=n02rh+jNRJNNQ5LBZNA+Wm4Keh2ow@mail.gmail.com/T/

 [2]
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent bfe0ba95

drivers/bluetooth/hci_ldisc.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -773,7 +773,8 @@ static int hci_uart_tty_ioctl(struct tty_struct tty, struct file file,
	break;		break;

	case HCIUARTGETPROTO:		case HCIUARTGETPROTO:
	if (test_bit(HCI_UART_PROTO_SET, &hu->flags))		if (test_bit(HCI_UART_PROTO_SET, &hu->flags) &&
			test_bit(HCI_UART_PROTO_READY, &hu->flags))
	err = hu->proto->id;		err = hu->proto->id;
	else		else
	err = -EUNATCH;		err = -EUNATCH;