system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-13 23:08:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Andrzej Kaczmarek ede81a2a12 Bluetooth: Fix NULL pointer dereference when sending data 
When trying to allocate skb for new PDU, l2cap_chan is unlocked so we
can sleep waiting for memory as otherwise there's possible deadlock as
fixed in e454c84464. However, in a6a5568c03 lock was moved from socket
to channel level and it's no longer safe to just unlock and lock again
without checking l2cap_chan state since channel can be disconnected
when lock is not held.

This patch adds missing checks for l2cap_chan state when returning from
call which allocates skb.

Scenario is easily reproducible by running rfcomm-tester in a loop.

BUG: unable to handle kernel NULL pointer dereference at         (null)
IP: [<ffffffffa0442169>] l2cap_do_send+0x29/0x120 [bluetooth]
PGD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 7 PID: 4038 Comm: krfcommd Not tainted 3.14.0-rc2+ #15
Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A10 11/24/2011
task: ffff8802bdd731c0 ti: ffff8801ec986000 task.ti: ffff8801ec986000
RIP: 0010:[<ffffffffa0442169>]  [<ffffffffa0442169>] l2cap_do_send+0x29/0x120
RSP: 0018:ffff8801ec987ad8  EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8800c5796800 RCX: 0000000000000000
RDX: ffff880410e7a800 RSI: ffff8802b6c1da00 RDI: ffff8800c5796800
RBP: ffff8801ec987af8 R08: 00000000000000c0 R09: 0000000000000300
R10: 000000000000573b R11: 000000000000573a R12: ffff8802b6c1da00
R13: 0000000000000000 R14: ffff8802b6c1da00 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88042dce0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000041257c000 CR4: 00000000000407e0
Stack:
 ffff8801ec987d78 ffff8800c5796800 ffff8801ec987d78 0000000000000000
 ffff8801ec987ba8 ffffffffa0449e37 0000000000000004 ffff8801ec987af0
 ffff8801ec987d40 0000000000000282 0000000000000000 ffffffff00000004
Call Trace:
 [<ffffffffa0449e37>] l2cap_chan_send+0xaa7/0x1120 [bluetooth]
 [<ffffffff81770100>] ? _raw_spin_unlock_bh+0x20/0x40
 [<ffffffffa045188b>] l2cap_sock_sendmsg+0xcb/0x110 [bluetooth]
 [<ffffffff81652b0f>] sock_sendmsg+0xaf/0xc0
 [<ffffffff810a8381>] ? update_curr+0x141/0x200
 [<ffffffff810a8961>] ? dequeue_entity+0x181/0x520
 [<ffffffff81652b60>] kernel_sendmsg+0x40/0x60
 [<ffffffffa04a8505>] rfcomm_send_frame+0x45/0x70 [rfcomm]
 [<ffffffff810766f0>] ? internal_add_timer+0x20/0x50
 [<ffffffffa04a8564>] rfcomm_send_cmd+0x34/0x60 [rfcomm]
 [<ffffffffa04a8605>] rfcomm_send_disc+0x75/0xa0 [rfcomm]
 [<ffffffffa04aacec>] rfcomm_run+0x8cc/0x1a30 [rfcomm]
 [<ffffffffa04aa420>] ? rfcomm_check_accept+0xc0/0xc0 [rfcomm]
 [<ffffffff8108e3a9>] kthread+0xc9/0xe0
 [<ffffffff8108e2e0>] ? flush_kthread_worker+0xb0/0xb0
 [<ffffffff817795fc>] ret_from_fork+0x7c/0xb0
 [<ffffffff8108e2e0>] ? flush_kthread_worker+0xb0/0xb0
Code: 00 00 66 66 66 66 90 55 48 89 e5 48 83 ec 20 f6 05 d6 a3 02 00 04
RIP  [<ffffffffa0442169>] l2cap_do_send+0x29/0x120 [bluetooth]
 RSP <ffff8801ec987ad8>
CR2: 0000000000000000

Signed-off-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2014-02-25 10:02:53 -08:00
..
9p net/9p: remove virtio default hack and set appropriate bits instead 2013-11-23 16:13:36 -06:00
802 neigh: use NEIGH_VAR_INIT in ndo_neigh_setup functions. 2014-01-16 11:31:58 -08:00
8021q 8021q: Use ether_addr_copy 2014-01-21 18:13:04 -08:00
appletalk net: Fix some fallout from the etner_addr_copy() changes. 2014-01-21 18:57:26 -08:00
atm net: Fix some fallout from the etner_addr_copy() changes. 2014-01-21 18:57:26 -08:00
ax25 net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-01-18 00:55:41 -08:00
bluetooth Bluetooth: Fix NULL pointer dereference when sending data 2014-02-25 10:02:53 -08:00
bridge bridge: Remove unnecessary vlan_put_tag in br_handle_vlan 2014-01-22 21:29:27 -08:00
caif net: Missing change from the ether_addr_copy() fixups. 2014-01-21 22:54:01 -08:00
can net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
ceph libceph: do not dereference a NULL bio pointer 2014-02-07 11:37:07 -08:00
core net: Fix warning on make htmldocs caused by skbuff.c 2014-01-28 18:06:06 -08:00
dcb dcb: use __dev_get_by_name instead of dev_get_by_name to find interface 2014-01-14 18:50:46 -08:00
dccp ipv4: introduce hardened ip_no_pmtu_disc mode 2014-01-13 11:22:55 -08:00
decnet net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
dns_resolver net/*: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
dsa dsa: Use ether_addr_copy 2014-01-21 18:13:05 -08:00
ethernet net: eth_type_trans() should use skb_header_pointer() 2014-01-16 15:30:31 -08:00
hsr net/hsr: using kfree_rcu() to simplify the code 2013-12-17 16:32:30 -05:00
ieee802154 net: 6lowpan: fixup for code movement 2014-01-27 16:43:03 -08:00
ipv4 net: gre: use icmp_hdr() to get inner ip header 2014-01-27 20:38:26 -08:00
ipv6 net: Fix memory leak if TPROXY used with TCP early demux 2014-01-27 16:22:11 -08:00
ipx net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
irda net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
iucv net: rework recvmsg handler msg_name and msg_namelen logic 2013-11-20 21:52:30 -05:00
key xfrm: export verify_userspi_info for pkfey and netlink interface 2013-12-16 12:54:02 +01:00
l2tp ipv6: protect protocols not handling ipv4 from v4 connection/bind attempts 2014-01-21 16:59:19 -08:00
lapb
llc llc: remove noisy WARN from llc_mac_hdr_init 2014-01-28 18:01:32 -08:00
mac80211 mac80211: propagate STBC / LDPC flags to radiotap 2014-02-06 09:34:58 +01:00
mac802154 mac802154: fix following checkpath.pl warning Prefer pr_warn(... to pr_warning(... 2013-12-22 18:53:08 -05:00
mpls ipip: add GSO/TSO support 2013-10-19 19:36:19 -04:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
netlabel netlabel: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
netlink net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
netrom net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
openvswitch net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
packet af_packet: Add Queue mapping mode to af_packet fanout operation 2014-01-22 17:35:50 -08:00
phonet net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
rds net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
rfkill net: rfkill: move poll work to power efficient workqueue 2014-02-04 21:58:16 +01:00
rose net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
rxrpc RxRPC fixes 2014-01-28 18:04:18 -08:00
sched net: add and use skb_gso_transport_seglen() 2014-01-26 22:38:23 -08:00
sctp sctp: remove macros sctp_bh_[un]lock_sock 2014-01-21 18:41:36 -08:00
sunrpc NFS client bugfixes for Linux 3.14 2014-01-31 15:39:07 -08:00
tipc net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
unix net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
vmw_vsock net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
wimax wimax: remove dead code 2013-11-21 13:09:42 -05:00
wireless cfg80211: regulatory introduce maximum bandwidth calculation 2014-02-05 14:03:19 +01:00
x25 net: add build-time checks for msg->msg_name size 2014-01-18 23:04:16 -08:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
compat.c x86, x32: Correct invalid use of user timespec in the kernel 2014-01-30 18:44:13 -08:00
Kconfig net: netprio: rename config to be more consistent with cgroup configs 2014-01-03 23:41:42 +01:00
Makefile net: move 6lowpan compression code to separate module 2014-01-15 15:36:38 -08:00
nonet.c
socket.c net: handle error more gracefully in socketpair() 2013-12-10 22:24:13 -05:00
sysctl_net.c net: Update the sysctl permissions handler to test effective uid/gid 2013-10-07 15:57:56 -04:00