[PATCH v2] Bluetooth: btnxpuart: Fix use-after-free in probe error path

[PATCH v2] Bluetooth: btnxpuart: Fix use-after-free in probe error path

[Zhao Dongdong]

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
fails, the error path jumps to 'probe_fail' which only calls
hci_free_dev() and asserts the reset GPIO, but does NOT call
hci_unregister_dev() first.

This leaves the HCI device registered in the system with its backing
memory freed, leading to a use-after-free when userspace subsequently
accesses the device (e.g. via hciconfig or bluetoothd).

Fix by adding a 'probe_fail_unregister' label that calls
hci_unregister_dev() before falling through to the existing
'probe_fail' label. The original 'probe_fail' label is preserved
for the case where hci_register_dev() itself fails (device was
never registered, so no unregister is needed).

Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
v2: Fix SubjectPrefix
v1: https://lore.kernel.org/linux-bluetooth/tencent_05373BA21CEEB5195F2ECCED0C77D0C57108@qq.com/
---
 drivers/bluetooth/btnxpuart.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index e7036a48ce48..a4d7747e5be0 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1907,13 +1907,15 @@ static int nxp_serdev_probe(struct serdev_device *serdev)
 	}
 
 	if (ps_setup(hdev))
-		goto probe_fail;
+		goto probe_fail_unregister;
 
 	hci_devcd_register(hdev, nxp_coredump, nxp_coredump_hdr,
 			   nxp_coredump_notify);
 
 	return 0;
 
+probe_fail_unregister:
+	hci_unregister_dev(hdev);
 probe_fail:
 	reset_control_assert(nxpdev->pdn);
 	hci_free_dev(hdev);
-- 
2.25.1

RE: [v2] Bluetooth: btnxpuart: Fix use-after-free in probe error path

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1534 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1094755

---Test result---

Test Summary:
CheckPatch                    PASS      0.78 seconds
GitLint                       FAIL      0.32 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      26.41 seconds
CheckAllWarning               PASS      28.81 seconds
CheckSparse                   PASS      27.58 seconds
BuildKernel32                 PASS      25.67 seconds
TestRunnerSetup               PASS      566.44 seconds
IncrementalBuild              PASS      24.58 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2] Bluetooth: btnxpuart: Fix use-after-free in probe error path

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
23: B1 Line exceeds max length (96>80): "v1: https://lore.kernel.org/linux-bluetooth/tencent_05373BA21CEEB5195F2ECCED0C77D0C57108@qq.com/"


https://github.com/bluez/bluetooth-next/pull/188

---
Regards,
Linux Bluetooth