Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 32333edb82fb2009980eefc5518100068147ab82
commit32333edb82fb2009980eefc5518100068147ab82[log] [tgz]
authorVignesh Raman <Vignesh_Raman@mentor.com>Tue Jul 22 19:24:25 2014 +0530
committerMarcel Holtmann <marcel@holtmann.org>Tue Jul 22 16:07:31 2014 +0200
tree3ff5cec73569dde9741d04af5edbc6f0df5a0bb4
parentc2aef6e8cbebd60f79555baeb9266e220f135a44 [diff]
Bluetooth: Avoid use of session socket after the session gets freed

The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove
RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905
"Bluetooth: Return RFCOMM session ptrs to avoid freed session"
allow rfcomm_recv_ua and rfcomm_session_close to delete the session
(and free the corresponding socket) and propagate NULL session pointer
to the upper callers.

Additional fix is required to terminate the loop in rfcomm_process_rx
function to avoid use of freed 'sk' memory.

The issue is only reproducible with kernel option CONFIG_PAGE_POISONING
enabled making freed memory being changed and filled up with fixed char
value used to unmask use-after-free issues.

Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
1 file changed
tree: 3ff5cec73569dde9741d04af5edbc6f0df5a0bb4
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS