kernel-fxtec-pro1x/net/bluetooth
Dan Carpenter 71729b05e7 Bluetooth: Fix race condition in hci_release_sock()
commit 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 upstream.

Syzbot managed to trigger a use after free "KASAN: use-after-free Write
in hci_sock_bind".  I have reviewed the code manually and one possible
cause I have found is that we are not holding lock_sock(sk) when we do
the hci_dev_put(hdev) in hci_sock_release().  My theory is that the bind
and the release are racing against each other which results in this use
after free.

Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-05 14:43:39 +00:00
bnep
cmtp
hidp
rfcomm
6lowpan.c Bluetooth: 6lowpan: search for destination address in all peers 2019-07-26 09:14:16 +02:00
a2mp.c
a2mp.h
af_bluetooth.c net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
amp.c
amp.h
ecdh_helper.c
ecdh_helper.h
hci_conn.c Bluetooth: Fix memory leak in hci_connect_le_scan 2020-01-09 10:19:04 +01:00
hci_core.c Bluetooth: hci_core: fix init for HCI_USER_CHANNEL 2019-12-31 16:35:19 +01:00
hci_debugfs.c
hci_debugfs.h
hci_event.c Revert "Bluetooth: validate BLE connection interval updates" 2019-10-01 08:25:59 +02:00
hci_request.c Bluetooth: Fix advertising duplicated flags 2019-12-31 16:35:34 +01:00
hci_request.h
hci_sock.c Bluetooth: Fix race condition in hci_release_sock() 2020-02-05 14:43:39 +00:00
hci_sysfs.c
Kconfig
l2cap_core.c Bluetooth: delete a stray unlock 2020-01-09 10:19:04 +01:00
l2cap_sock.c
leds.c
leds.h
lib.c
Makefile
mgmt.c
mgmt_util.c
mgmt_util.h
sco.c
selftest.c
selftest.h
smp.c Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug 2019-07-26 09:14:30 +02:00
smp.h