linux-stable/include/net
Luiz Augusto von Dentz 5bb3953343 Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
commit d0be8347c6 upstream.

This fixes the following trace which is caused by hci_rx_work starting up
*after* the final channel reference has been put() during sock_close() but
*before* the references to the channel have been destroyed, so instead
the code now relies on kref_get_unless_zero/l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.

  refcount_t: increment on 0; use-after-free.
  BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0
  Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705

  CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S      W
  4.14.234-00003-g1fb6d0bd49a4-dirty #28
  Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150
  Google Inc. MSM sm8150 Flame DVT (DT)
  Workqueue: hci0 hci_rx_work
  Call trace:
   dump_backtrace+0x0/0x378
   show_stack+0x20/0x2c
   dump_stack+0x124/0x148
   print_address_description+0x80/0x2e8
   __kasan_report+0x168/0x188
   kasan_report+0x10/0x18
   __asan_load4+0x84/0x8c
   refcount_dec_and_test+0x20/0xd0
   l2cap_chan_put+0x48/0x12c
   l2cap_recv_frame+0x4770/0x6550
   l2cap_recv_acldata+0x44c/0x7a4
   hci_acldata_packet+0x100/0x188
   hci_rx_work+0x178/0x23c
   process_one_work+0x35c/0x95c
   worker_thread+0x4cc/0x960
   kthread+0x1a8/0x1c4
   ret_from_fork+0x10/0x18

Cc: stable@kernel.org
Reported-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-25 11:11:08 +02:00
9p
bluetooth Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-08-25 11:11:08 +02:00
caif net: caif: add proper error handling 2021-06-10 12:43:51 +02:00
iucv License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netfilter netfilter: conntrack: re-fetch conntrack after insertion 2022-06-06 08:20:57 +02:00
netns tcp: add tcp_min_snd_mss sysctl 2019-06-17 19:52:44 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-12-08 08:46:52 +01:00
phonet phonet: fix building with clang 2019-03-23 14:35:16 +01:00
sctp sctp: use call_rcu to free endpoint 2022-01-05 12:33:49 +01:00
tc_act net/sched: don't dereference a->goto_chain to read the chain index 2019-05-04 09:15:20 +02:00
6lowpan.h
act_api.h net sched: fix reporting the first-time use timestamp 2020-06-03 08:17:33 +02:00
addrconf.h ipv6: fix memory leaks on IPV6_ADDRFORM path 2020-08-21 09:48:00 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h net: split out functions related to registering inflight socket files 2021-08-04 12:22:14 +02:00
af_vsock.h VSOCK: use TCP state constants for sk_state 2019-08-04 09:31:59 +02:00
ah.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
arp.h ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled 2019-06-11 12:21:51 +02:00
atmclip.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ax25.h ax25: fix reference count leaks of ax25_dev 2022-04-27 13:15:32 +02:00
ax88796.h
bond_3ad.h bonding: fix data-races around agg_select_timer 2022-02-23 11:57:34 +01:00
bond_alb.h
bond_options.h
bonding.h bonding: wait for sysfs kobject destruction before freeing struct slave 2020-12-08 10:17:33 +01:00
busy_poll.h net: annotate data race around sk_ll_usec 2021-08-04 12:22:14 +02:00
calipso.h
cfg80211-wext.h
cfg80211.h mac80211: properly handle A-MSDUs that start with an RFC 1042 header 2021-06-03 08:36:13 +02:00
cfg802154.h
checksum.h openvswitch: Fix setting ipv6 fields causing hw csum failure 2022-03-02 11:33:55 +01:00
cipso_ipv4.h
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
datalink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dcbevent.h
dcbnl.h
devlink.h
dn.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_dev.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_fib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_neigh.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_nsp.h
dn_route.h
dsa.h
dsfield.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst.h net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb 2020-07-22 09:22:20 +02:00
dst_cache.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-16 12:44:51 +01:00
dst_ops.h net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 14:00:14 +01:00
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-07-12 16:27:27 +02:00
ethoc.h
fib_notifier.h
fib_rules.h fib: add missing attribute validation for tun_id 2020-03-20 10:54:10 +01:00
firewire.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
flow.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
flow_dissector.h net: sched: correct flower port blocking 2020-03-11 18:02:48 +01:00
fou.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fq.h net/flow_dissector: switch to siphash 2019-11-10 11:25:37 +01:00
fq_impl.h net/flow_dissector: switch to siphash 2019-11-10 11:25:37 +01:00
garp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gen_stats.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
genetlink.h genetlink: remove genl_bind 2020-07-22 09:22:19 +02:00
geneve.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gre.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gro_cells.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gtp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gue.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hwbm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
icmp.h net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-03 18:22:57 +01:00
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h
ife.h net: sched: ife: handle malformed tlv length 2018-04-29 11:33:13 +02:00
ila.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
inet_connection_sock.h net: refactor bind_bucket fastreuse into helper 2020-08-21 09:48:14 +02:00
inet_ecn.h vlan: consolidate VLAN parsing code and limit max parsing depth 2020-12-11 13:39:03 +01:00
inet_frag.h net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-04-27 09:35:40 +02:00
inet_hashtables.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-06-06 08:20:56 +02:00
inet_sock.h tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. 2022-07-29 17:06:49 +02:00
inet_timewait_sock.h soreuseport: initialise timewait reuseport field 2018-05-16 10:10:24 +02:00
inetpeer.h net: ipv4: use a dedicated counter for icmp_v4 redirect packets 2019-02-23 09:06:42 +01:00
ip.h ip: Fix a data-race around sysctl_fwmark_reflect. 2022-07-29 17:06:49 +02:00
ip6_checksum.h
ip6_fib.h ipv6: fix the check before getting the cookie in rt6_get_cookie 2019-06-11 12:21:47 +02:00
ip6_route.h net: ipv6: fix return value of ip6_skb_dst_mtu 2021-07-28 11:12:15 +02:00
ip6_tunnel.h ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL 2019-07-21 09:04:28 +02:00
ip_fib.h net: ipv4: Fix memory leak in network namespace dismantle 2019-01-31 08:13:42 +01:00
ip_tunnels.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip_vs.h ipvs: allow connection reuse for unconfirmed conntrack 2020-08-21 09:48:08 +02:00
ipcomp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipconfig.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipv6.h net: ipv6: add net argument to ip6_dst_lookup_flow 2020-05-20 08:17:02 +02:00
ipv6_frag.h ip6: fix skb leak in ip6frag_expire_frag_queue() 2019-09-16 08:20:44 +02:00
ipx.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iw_handler.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
kcm.h
l3mdev.h ipvlan, l3mdev: fix broken l3s mode wrt local routes 2019-02-06 17:31:33 +01:00
lapb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lib80211.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-26 11:40:36 +01:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: fix sk_buff leak in llc_conn_service() 2019-11-06 12:43:36 +01:00
llc_if.h
llc_pdu.h net: llc: fix skb_over_panic 2021-08-04 12:22:17 +02:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mac80211.h mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 2018-05-30 07:51:58 +02:00
mac802154.h
mip6.h
mld.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpls.h
mpls_iptunnel.h
mrp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ncsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ndisc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
neighbour.h net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:17:59 +01:00
net_namespace.h netns: provide pure entropy for net_hash_mix() 2019-04-17 08:37:50 +02:00
net_ratelimit.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netevent.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netlabel.h
netlink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netprio_cgroup.h
netrom.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nexthop.h net: fix rtnh_ok() 2018-05-16 10:10:23 +02:00
nl802154.h net: ieee802154: handle iftypes as u32 2021-12-08 08:46:48 +01:00
nsh.h
p8022.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ping.h
pkt_cls.h net_sched: introduce tcf_exts_get_net() and tcf_exts_put_net() 2017-11-09 10:03:09 +09:00
pkt_sched.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pptp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
protocol.h
psample.h psample: Add a fwd declaration for skbuff 2021-08-26 08:37:02 -04:00
psnap.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raw.h
rawv6.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
red.h sch_red: fix off-by-one checks in red_check_params() 2021-04-16 11:57:49 +02:00
regulatory.h regulatory: add NUL to request alpha2 2018-05-30 07:52:01 +02:00
request_sock.h net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head 2020-01-27 14:46:50 +01:00
rose.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
route.h ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu 2018-05-30 07:52:14 +02:00
rtnetlink.h can: dev: Move device back to init netns on owning netns delete 2021-03-30 14:40:12 +02:00
sch_generic.h net_sched: restore "mpu xxx" handling 2022-01-27 09:01:01 +01:00
scm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-06-06 08:20:56 +02:00
seg6.h
seg6_hmac.h
slhc_vj.h slip: Check if rstate is initialized before uncompressing 2018-04-19 08:56:16 +02:00
smc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
snmp.h
sock.h net: Fix data-races around sysctl_mem. 2022-07-21 20:42:44 +02:00
sock_reuseport.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Space.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
strparser.h
switchdev.h
tcp.h tcp: Fix a data-race around sysctl_tcp_notsent_lowat. 2022-07-29 17:06:50 +02:00
tcp_states.h
timewait_sock.h
tls.h tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used. 2018-12-05 19:41:10 +01:00
transp_v6.h udp: fix rx queue len reported by diag and proc interface 2018-06-26 08:06:28 +08:00
tso.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tun_proto.h
udp.h udp: fix rx queue len reported by diag and proc interface 2018-06-26 08:06:28 +08:00
udp_tunnel.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udplite.h udplite: fix partial checksum initialization 2018-03-08 22:41:10 -08:00
vsock_addr.h
vxlan.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wext.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wimax.h
x25.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
x25device.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm.h xfrm: policy: match with both mark and mask on user interfaces 2022-04-20 09:08:31 +02:00