Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Greg KH
On Thu, Aug 01, 2019 at 01:16:39PM -0400, Sasha Levin wrote:
> On Thu, Aug 01, 2019 at 03:50:44PM +0200, Greg KH wrote:
> > On Thu, Aug 01, 2019 at 01:31:31PM +, Sasha Levin wrote:
> > > Hi,
> > > 
> > > [This is an automated email]
> > > 
> > > This commit has been processed because it contains a "Fixes:" tag,
> > > fixing commit: .
> > > 
> > > The bot has tested the following trees: v5.2.4, v5.1.21, v4.19.62, 
> > > v4.14.134, v4.9.186, v4.4.186.
> > > 
> > > v5.2.4: Build OK!
> > > v5.1.21: Build OK!
> > > v4.19.62: Build OK!
> > > v4.14.134: Failed to apply! Possible dependencies:
> > > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with 
> > > GFP_KERNEL")
> > > 
> > > v4.9.186: Failed to apply! Possible dependencies:
> > > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with 
> > > GFP_KERNEL")
> > > 
> > > v4.4.186: Failed to apply! Possible dependencies:
> > > 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
> > > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with 
> > > GFP_KERNEL")
> > > 395174bb07c1 ("Bluetooth: hci_uart: Add Intel/AG6xx support")
> > > 9e69130c4efc ("Bluetooth: hci_uart: Add Nokia Protocol identifier")
> > > 
> > > 
> > > NOTE: The patch will not be queued to stable trees until it is upstream.
> > > 
> > > How should we proceed with this patch?
> > 
> > Already fixed up by hand and queued up, your automated email is a bit
> > slow :)
> 
> /me scratches head
> 
> The patch went out two days ago:
> https://lore.kernel.org/lkml/20190730093345.25573-1-mar...@holtmann.org/
> 
> How did it make it upstream already?

It's in Linus's tree as b36a1552d731 ("Bluetooth: hci_uart: check for
missing tty operations") now.

thanks,

greg k-h


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Sasha Levin

On Thu, Aug 01, 2019 at 03:50:44PM +0200, Greg KH wrote:
> On Thu, Aug 01, 2019 at 01:31:31PM +, Sasha Levin wrote:
> > Hi,
> > 
> > [This is an automated email]
> > 
> > This commit has been processed because it contains a "Fixes:" tag,
> > fixing commit: .
> > 
> > The bot has tested the following trees: v5.2.4, v5.1.21, v4.19.62, v4.14.134, 
> > v4.9.186, v4.4.186.
> > 
> > v5.2.4: Build OK!
> > v5.1.21: Build OK!
> > v4.19.62: Build OK!
> > v4.14.134: Failed to apply! Possible dependencies:
> > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> > 
> > v4.9.186: Failed to apply! Possible dependencies:
> > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> > 
> > v4.4.186: Failed to apply! Possible dependencies:
> > 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
> > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> > 395174bb07c1 ("Bluetooth: hci_uart: Add Intel/AG6xx support")
> > 9e69130c4efc ("Bluetooth: hci_uart: Add Nokia Protocol identifier")
> > 
> > 
> > NOTE: The patch will not be queued to stable trees until it is upstream.
> > 
> > How should we proceed with this patch?
> 
> Already fixed up by hand and queued up, your automated email is a bit
> slow :)

/me scratches head

The patch went out two days ago:
https://lore.kernel.org/lkml/20190730093345.25573-1-mar...@holtmann.org/

How did it make it upstream already?


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Vladis Dronov
Hello, Greg, all,

I've just double-checked your backports, indeed, they are fine.

Check for operations is not added for protocols which do not
use these operations. Thanks!

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer

- Original Message -
> From: "Greg KH" 
> To: "Vladis Dronov" 
> Cc: "Sasha Levin" , "Marcel Holtmann" 
> , torva...@linux-foundation.org,
> linux-kernel@vger.kernel.org, linux-blueto...@vger.kernel.org, 
> sta...@vger.kernel.org
> Sent: Thursday, August 1, 2019 4:06:39 PM
> Subject: Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty 
> operations
> 
> On Thu, Aug 01, 2019 at 09:55:55AM -0400, Vladis Dronov wrote:
> > Thank you, Greg!
> > 
> > I've just noticed the patch landed in the upstream and was going to start stable
> > backports, but it appeared you've already done this.
> 
> Verifying that I got the 4.4.y and 4.9.y and 4.14.y backports done
> properly would be good, as I took a guess at them :)
> 
> thanks,
> 
> greg k-h


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Greg KH
On Thu, Aug 01, 2019 at 09:55:55AM -0400, Vladis Dronov wrote:
> Thank you, Greg!
> 
> I've just noticed the patch landed in the upstream and was going to start stable
> backports, but it appeared you've already done this.

Verifying that I got the 4.4.y and 4.9.y and 4.14.y backports done
properly would be good, as I took a guess at them :)

thanks,

greg k-h


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Vladis Dronov
Thank you, Greg!

I've just noticed the patch landed in the upstream and was going to start stable
backports, but it appeared you've already done this.

So, not only automated mailers are slow :)

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer

- Original Message -
> From: "Greg KH" 
> To: "Sasha Levin" 
> Cc: "Marcel Holtmann" , "Vladis Dronov" 
> , torva...@linux-foundation.org,
> linux-kernel@vger.kernel.org, linux-blueto...@vger.kernel.org, 
> sta...@vger.kernel.org
> Sent: Thursday, August 1, 2019 3:50:44 PM
> Subject: Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty 
> operations
> 
> On Thu, Aug 01, 2019 at 01:31:31PM +, Sasha Levin wrote:
> > Hi,
> > 
> > [This is an automated email]
> > 
> > This commit has been processed because it contains a "Fixes:" tag,
> > fixing commit: .
> > 
> > The bot has tested the following trees: v5.2.4, v5.1.21, v4.19.62,
> > v4.14.134, v4.9.186, v4.4.186.
> > 
> > v5.2.4: Build OK!
> > v5.1.21: Build OK!
> > v4.19.62: Build OK!
> > v4.14.134: Failed to apply! Possible dependencies:
> > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> > 
> > v4.9.186: Failed to apply! Possible dependencies:
> > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> > 
> > v4.4.186: Failed to apply! Possible dependencies:
> > 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
> > 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> > 395174bb07c1 ("Bluetooth: hci_uart: Add Intel/AG6xx support")
> > 9e69130c4efc ("Bluetooth: hci_uart: Add Nokia Protocol identifier")
> > 
> > 
> > NOTE: The patch will not be queued to stable trees until it is upstream.
> > 
> > How should we proceed with this patch?
> 
> Already fixed up by hand and queued up, your automated email is a bit
> slow :)
> 
> greg k-h
> 


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Greg KH
On Thu, Aug 01, 2019 at 01:31:31PM +, Sasha Levin wrote:
> Hi,
> 
> [This is an automated email]
> 
> This commit has been processed because it contains a "Fixes:" tag,
> fixing commit: .
> 
> The bot has tested the following trees: v5.2.4, v5.1.21, v4.19.62, v4.14.134, 
> v4.9.186, v4.4.186.
> 
> v5.2.4: Build OK!
> v5.1.21: Build OK!
> v4.19.62: Build OK!
> v4.14.134: Failed to apply! Possible dependencies:
> 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> 
> v4.9.186: Failed to apply! Possible dependencies:
> 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> 
> v4.4.186: Failed to apply! Possible dependencies:
> 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
> 25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
> 395174bb07c1 ("Bluetooth: hci_uart: Add Intel/AG6xx support")
> 9e69130c4efc ("Bluetooth: hci_uart: Add Nokia Protocol identifier")
> 
> 
> NOTE: The patch will not be queued to stable trees until it is upstream.
> 
> How should we proceed with this patch?

Already fixed up by hand and queued up, your automated email is a bit
slow :)

greg k-h


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-08-01 Thread Sasha Levin
Hi,

[This is an automated email]

This commit has been processed because it contains a "Fixes:" tag,
fixing commit: .

The bot has tested the following trees: v5.2.4, v5.1.21, v4.19.62, v4.14.134, 
v4.9.186, v4.4.186.

v5.2.4: Build OK!
v5.1.21: Build OK!
v4.19.62: Build OK!
v4.14.134: Failed to apply! Possible dependencies:
25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")

v4.9.186: Failed to apply! Possible dependencies:
25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")

v4.4.186: Failed to apply! Possible dependencies:
162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
25a13e382de2 ("bluetooth: hci_qca: Replace GFP_ATOMIC with GFP_KERNEL")
395174bb07c1 ("Bluetooth: hci_uart: Add Intel/AG6xx support")
9e69130c4efc ("Bluetooth: hci_uart: Add Nokia Protocol identifier")


NOTE: The patch will not be queued to stable trees until it is upstream.

How should we proceed with this patch?

--
Thanks,
Sasha


Re: [PATCH v5.3-rc2] Bluetooth: hci_uart: check for missing tty operations

2019-07-30 Thread Al Cho
On Tue, 2019-07-30 at 11:33 +0200, Marcel Holtmann wrote:
> From: Vladis Dronov 
> 
> Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
> functions which are called by the certain HCI UART protocols (hci_ath,
> hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
> or directly. This leads to an execution at NULL and can be triggered by
> an unprivileged user. Fix this by adding a helper function and a check
> for the missing tty operations in the protocols code.
> 
> This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
> tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
> protocols.
> 
> Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
> Reported-by: syzbot+79337b501d6aa974d...@syzkaller.appspotmail.com
> Cc: sta...@vger.kernel.org # v2.6.36+
> Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
> Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
> Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
> Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
> Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
> Signed-off-by: Vladis Dronov 
> Signed-off-by: Marcel Holtmann 

Reviewed-by: Yu-Chen, Cho 
Tested-by: Yu-Chen, Cho 

> ---
>  drivers/bluetooth/hci_ath.c   |  3 +++
>  drivers/bluetooth/hci_bcm.c   |  3 +++
>  drivers/bluetooth/hci_intel.c |  3 +++
>  drivers/bluetooth/hci_ldisc.c | 13 +
>  drivers/bluetooth/hci_mrvl.c  |  3 +++
>  drivers/bluetooth/hci_qca.c   |  3 +++
>  drivers/bluetooth/hci_uart.h  |  1 +
>  7 files changed, 29 insertions(+)
> 
> diff --git a/drivers/bluetooth/hci_ath.c
> b/drivers/bluetooth/hci_ath.c
> index a55be205b91a..dbfe34664633 100644
> --- a/drivers/bluetooth/hci_ath.c
> +++ b/drivers/bluetooth/hci_ath.c
> @@ -98,6 +98,9 @@ static int ath_open(struct hci_uart *hu)
>  
>   BT_DBG("hu %p", hu);
>  
> + if (!hci_uart_has_flow_control(hu))
> + return -EOPNOTSUPP;
> +
>   ath = kzalloc(sizeof(*ath), GFP_KERNEL);
>   if (!ath)
>   return -ENOMEM;
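
Review bot: the early return added at the top of ath_open() fails with -EOPNOTSUPP and leaves no trace of why the attach was refused; a BT_DBG() just before the return would help whoever has to debug it. Keep it at debug level, since the commit message says this path can be reached by an unprivileged user and a louder message would let that user fill the log. The placement ahead of kzalloc() is right: nothing has been allocated yet, so the bare return leaks nothing.
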
> diff --git a/drivers/bluetooth/hci_bcm.c
> b/drivers/bluetooth/hci_bcm.c
> index 8905ad2edde7..ae2624fce913 100644
> --- a/drivers/bluetooth/hci_bcm.c
> +++ b/drivers/bluetooth/hci_bcm.c
> @@ -406,6 +406,9 @@ static int bcm_open(struct hci_uart *hu)
>  
>   bt_dev_dbg(hu->hdev, "hu %p", hu);
>  
> + if (!hci_uart_has_flow_control(hu))
> + return -EOPNOTSUPP;
> +
>   bcm = kzalloc(sizeof(*bcm), GFP_KERNEL);
>   if (!bcm)
>   return -ENOMEM;
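
Review bot: the check added to bcm_open() is the same three lines this patch also adds to ath_open(), intel_open(), mrvl_open() and qca_open(), so the protection depends on every later protocol author knowing to copy them. Please document the rule where the helper is declared, for example a comment in hci_uart.h stating that any protocol which calls hci_uart_set_flow_control() or the tty's tiocmget()/tiocmset() must call hci_uart_has_flow_control() in its open() and fail if it returns false.
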
> diff --git a/drivers/bluetooth/hci_intel.c
> b/drivers/bluetooth/hci_intel.c
> index 207bae5e0d46..31f25153087d 100644
> --- a/drivers/bluetooth/hci_intel.c
> +++ b/drivers/bluetooth/hci_intel.c
> @@ -391,6 +391,9 @@ static int intel_open(struct hci_uart *hu)
>  
>   BT_DBG("hu %p", hu);
>  
> + if (!hci_uart_has_flow_control(hu))
> + return -EOPNOTSUPP;
> +
>   intel = kzalloc(sizeof(*intel), GFP_KERNEL);
>   if (!intel)
>   return -ENOMEM;
> diff --git a/drivers/bluetooth/hci_ldisc.c
> b/drivers/bluetooth/hci_ldisc.c
> index 8950e07889fe..85a30fb9177b 100644
> --- a/drivers/bluetooth/hci_ldisc.c
> +++ b/drivers/bluetooth/hci_ldisc.c
> @@ -292,6 +292,19 @@ static int hci_uart_send_frame(struct hci_dev
> *hdev, struct sk_buff *skb)
>   return 0;
>  }
>  
> +/* Check the underlying device or tty has flow control support */
> +bool hci_uart_has_flow_control(struct hci_uart *hu)
> +{
> + /* serdev nodes check if the needed operations are present */
> + if (hu->serdev)
> + return true;
> +
> + if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops-
> >tiocmset)
> + return true;
> +
> + return false;
> +}
> +
>  /* Flow control or un-flow control the device */
>  void hci_uart_set_flow_control(struct hci_uart *hu, bool enable)
>  {
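
Review bot: hci_uart_set_flow_control(), visible in the trailing context of this hunk, is left untouched and still relies on each protocol's open() having refused the tty first; an early return there when hci_uart_has_flow_control(hu) is false would make the core safe on its own and cover a protocol that forgets the check. Two smaller points on the new helper: it reads hu->tty->driver->ops without testing hu->tty, so its comment should say it may only be called once the tty is attached to hu, and the tail can be a single "return hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset;" instead of the if/return true/return false sequence.
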
> diff --git a/drivers/bluetooth/hci_mrvl.c
> b/drivers/bluetooth/hci_mrvl.c
> index f98e5cc343b2..fbc3f7c3a5c7 100644
> --- a/drivers/bluetooth/hci_mrvl.c
> +++ b/drivers/bluetooth/hci_mrvl.c
> @@ -59,6 +59,9 @@ static int mrvl_open(struct hci_uart *hu)
>  
>   BT_DBG("hu %p", hu);
>  
> + if (!hci_uart_has_flow_control(hu))
> + return -EOPNOTSUPP;
> +
>   mrvl = kzalloc(sizeof(*mrvl), GFP_KERNEL);
>   if (!mrvl)
>   return -ENOMEM;
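
Review bot: for the stable backports, this hunk in mrvl_open() only applies to trees that already carry hci_mrvl.c, yet the commit message requests "Cc: stable # v2.6.36+" for the whole patch while tagging this part as Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support"). The bot report in this thread lists that commit as a possible dependency for v4.4.186, so a short note under the "---" line saying which per-protocol hunks to drop for which stable series would keep the backporter from having to guess.
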
> diff --git a/drivers/bluetooth/hci_qca.c
> b/drivers/bluetooth/hci_qca.c
> index 9a5c9c1f9484..82a0a3691a63 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -473,6 +473,9 @@ static int qca_open(struct hci_uart *hu)
>  
>   BT_DBG("hu %p qca_open", hu);
>  
> + if (!hci_uart_has_flow_control(hu))
> + return -EOPNOTSUPP;
> +
>   qca = kzalloc(sizeof(struct qca_data), GFP_KERNEL);
>   if (!qca)
>