android_kernel_samsung_msm8976/net/bluetooth
Vignesh Raman 07b41b3449 Bluetooth: Avoid use of session socket after the session gets freed
commit 32333edb82fb2009980eefc5518100068147ab82 upstream.

The commits 08c30aca9e "Bluetooth: Remove RFCOMM session refcnt" and
8ff52f7d04 "Bluetooth: Return RFCOMM session ptrs to avoid freed session"
allow rfcomm_recv_ua and rfcomm_session_close to delete the session
(and free the corresponding socket) and propagate a NULL session pointer
to the upper callers.

An additional fix is required to terminate the loop in the rfcomm_process_rx
function to avoid use of the freed 'sk' memory.

The issue is only reproducible with the kernel option CONFIG_PAGE_POISONING
enabled, which changes freed memory by filling it with a fixed char value
to unmask use-after-free issues.

Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-17 09:04:00 -07:00
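The loop termination the commit message describes, as an added example that is not code from this repository, the upstream kernel or the patch authors: a self-contained userspace model in which a hypothetical recv_frame frees the session on a disconnect UA and returns NULL, the pre-fix loop keeps dequeuing from the socket that was freed with the session, the fixed loop breaks on the NULL, and a poison fill stands in for CONFIG_PAGE_POISONING so the stale read becomes observable. The names session, sock, sk_dequeue, recv_frame, process_rx_buggy, process_rx_fixed and run, the SOCK_MAGIC and POISON_BYTE values, and the three-frame queue are all assumptions constructed for the example.

```c
/* Added example, not kernel code: a userspace model of the rfcomm_process_rx
 * use-after-free. session/sock/sk_dequeue/recv_frame/process_rx_* are
 * hypothetical stand-ins for rfcomm_session, its socket, skb_dequeue,
 * rfcomm_recv_frame and rfcomm_process_rx; POISON_BYTE is an assumed fill. */
#include <stdint.h>
#include <string.h>

#define SOCK_MAGIC  0x534f434bu  /* "SOCK": marks a live socket */
#define POISON_BYTE 0x6b         /* assumed poison fill standing in for CONFIG_PAGE_POISONING */

enum frame { FRAME_NONE = 0, FRAME_DATA = 1, FRAME_UA_DISC = 2 };

struct sock {
    uint32_t magic;     /* destroyed by poisoning when the socket is freed */
    uint8_t  queue[8];  /* receive queue, oldest frame first (constructed input) */
    int      head, tail;
};

struct session { struct sock *sk; };

/* Static storage instead of malloc so a "freed" object can be inspected without UB. */
static struct sock    sock_storage;
static struct session session_storage;
static int            poison_on_free;        /* 1 = emulate CONFIG_PAGE_POISONING */
static int            freed_memory_touched;  /* dequeues attempted on a freed socket */

static struct session *session_new(const uint8_t *frames, int n)
{
    memset(&sock_storage, 0, sizeof sock_storage);
    sock_storage.magic = SOCK_MAGIC;
    memcpy(sock_storage.queue, frames, (size_t)n);
    sock_storage.tail = n;
    session_storage.sk = &sock_storage;
    freed_memory_touched = 0;
    return &session_storage;
}

/* Frees session and socket; without poisoning the stale contents stay readable. */
static void session_close(struct session *s)
{
    if (poison_on_free) {
        memset(s->sk, POISON_BYTE, sizeof *s->sk);
        memset(s, POISON_BYTE, sizeof *s);
    }
}

/* Stand-in for skb_dequeue(); a poisoned magic word is counted as the fault
 * a poisoned list pointer would raise in the kernel. */
static enum frame sk_dequeue(struct sock *sk)
{
    if (sk->magic != SOCK_MAGIC) {
        freed_memory_touched++;
        return FRAME_NONE;
    }
    if (sk->head == sk->tail)
        return FRAME_NONE;
    return (enum frame)sk->queue[sk->head++];
}

/* Stand-in for rfcomm_recv_frame: a disconnect UA tears the session down
 * and returns NULL so the caller learns that s and s->sk are gone. */
static struct session *recv_frame(struct session *s, enum frame f)
{
    if (f == FRAME_UA_DISC) {
        session_close(s);
        return NULL;
    }
    return s;
}

/* Pre-fix loop: the NULL is stored but never checked, so the next iteration
 * dequeues from sk, which was freed together with the session. */
static struct session *process_rx_buggy(struct session *s)
{
    struct sock *sk = s->sk;
    enum frame f;
    while ((f = sk_dequeue(sk)) != FRAME_NONE)
        s = recv_frame(s, f);
    return s;
}

/* Fixed loop: leave as soon as the session pointer comes back NULL. */
static struct session *process_rx_fixed(struct session *s)
{
    struct sock *sk = s->sk;
    enum frame f;
    while ((f = sk_dequeue(sk)) != FRAME_NONE) {
        s = recv_frame(s, f);
        if (!s)
            break;
    }
    return s;
}

/* Runs one loop over a constructed DATA, DATA, UA(disconnect) queue and
 * returns how many times the loop touched freed memory. */
static int run(struct session *(*loop)(struct session *), int poison)
{
    static const uint8_t frames[] = { FRAME_DATA, FRAME_DATA, FRAME_UA_DISC };
    poison_on_free = poison;
    loop(session_new(frames, 3));
    return freed_memory_touched;
}
```

With poisoning off, the buggy loop's extra dequeue reads a socket whose queue still looks empty and the bug stays silent, which is the behaviour the message attributes to a normal build; with poisoning on, the same dequeue hits the poisoned object and the read is counted, while the fixed loop never reaches it in either mode.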
bnep Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
cmtp Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
hidp HID: fix unused rsize usage 2013-10-13 16:08:28 -07:00
rfcomm Bluetooth: Avoid use of session socket after the session gets freed 2014-09-17 09:04:00 -07:00
a2mp.c Bluetooth: Replaced kzalloc and memcpy with kmemdup 2013-03-18 14:01:50 -03:00
af_bluetooth.c net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
amp.c Bluetooth: AMP: Use set_bit / test_bit for amp_mgr state 2013-01-09 17:05:05 -02:00
hci_conn.c Bluetooth: Fix check for connection encryption 2014-07-09 11:14:01 -07:00
hci_core.c Bluetooth: Fix rfkill functionality during the HCI setup stage 2013-10-13 16:08:32 -07:00
hci_event.c Bluetooth: Fix SSP acceptor just-works confirmation without MITM 2014-07-09 11:14:00 -07:00
hci_sock.c net: rework recvmsg handler msg_name and msg_namelen logic 2013-12-08 07:29:25 -08:00
hci_sysfs.c Bluetooth: Track feature pages in a single table 2013-04-18 00:26:20 -03:00
Kconfig Bluetooth: trivial: Remove newline before EOF 2012-10-24 00:42:47 -02:00
l2cap_core.c Bluetooth: Fix invalid length check in l2cap_information_rsp() 2013-06-23 00:24:58 +01:00
l2cap_sock.c Bluetooth: never linger on process exit 2014-09-17 09:04:00 -07:00
lib.c bluetooth: Remove unneeded batostr function 2012-09-27 18:10:43 -03:00
Makefile Bluetooth: AMP: Use HCI cmd to Read Loc AMP Assoc 2012-09-27 17:10:32 -03:00
mgmt.c Bluetooth: Fix locking of hdev when calling into SMP code 2014-07-09 11:14:01 -07:00
sco.c Bluetooth: never linger on process exit 2014-09-17 09:04:00 -07:00
smp.c Bluetooth: Fix checks for LE support on LE-only controllers 2013-06-12 10:20:54 -04:00