linux/net/bluetooth
Vignesh Raman 32333edb82 Bluetooth: Avoid use of session socket after the session gets freed
The commits 08c30aca9e "Bluetooth: Remove
RFCOMM session refcnt" and 8ff52f7d04
"Bluetooth: Return RFCOMM session ptrs to avoid freed session"
allow rfcomm_recv_ua and rfcomm_session_close to delete the session
(and free the corresponding socket) and propagate NULL session pointer
to the upper callers.

An additional fix is required to terminate the loop in the rfcomm_process_rx
function to avoid use of the freed 'sk' memory.

The issue is only reproducible with the kernel option CONFIG_PAGE_POISONING
enabled, which makes freed memory be changed and filled with a fixed char
value used to unmask use-after-free issues.

Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
2014-07-22 16:07:31 +02:00
bnep net/*: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
cmtp Bluetooth: cmtp: Remove unnecessary null test 2014-07-14 23:00:13 +02:00
hidp Merge branch 'for-3.15/hid-core-ll-transport-cleanup' into for-linus 2014-04-01 19:05:09 +02:00
rfcomm Bluetooth: Avoid use of session socket after the session gets freed 2014-07-22 16:07:31 +02:00
6lowpan.c Bluetooth: 6LoWPAN: Remove network devices when unloading 2014-07-03 17:42:44 +02:00
a2mp.c Bluetooth: Provide L2CAP ops callback for memcpy_fromiovec 2014-07-03 17:42:43 +02:00
a2mp.h Bluetooth: Move a2mp.h header file into net/bluetooth/ 2013-10-11 00:10:05 +02:00
af_bluetooth.c Bluetooth: constify seq_operations 2014-07-03 17:42:52 +02:00
amp.c Bluetooth: Remove unneeded variable assignment in hmac_sha256 2014-07-20 19:53:11 +03:00
amp.h Bluetooth: Move amp.h header file into net/bluetooth/ 2013-10-11 00:10:03 +02:00
hci_conn.c Bluetooth: Prefer sizeof(*ptr) when allocating memory 2014-07-21 12:59:38 +02:00
hci_core.c Bluetooth: Prefer sizeof(*ptr) when allocating memory 2014-07-21 12:59:38 +02:00
hci_event.c Bluetooth: Fix allowing initiating pairing when not pairable 2014-07-17 14:39:40 +02:00
hci_sock.c Bluetooth: Move struct hci_pinfo into net/bluetooth/hci_sock.c 2014-07-11 13:55:14 +03:00
hci_sysfs.c Bluetooth: Convert to use ATTRIBUTE_GROUPS macro 2014-02-13 09:51:34 +02:00
Kconfig 6lowpan: introduce new net/6lowpan directory 2014-07-12 01:53:30 +02:00
l2cap_core.c Bluetooth: Prefer sizeof(*ptr) when allocating memory 2014-07-21 12:59:38 +02:00
l2cap_sock.c Bluetooth: Use EOPNOTSUPP instead of ENOTSUPP 2014-07-18 11:11:38 +02:00
lib.c Bluetooth: Add error mapping for Directed Advertising Timeout 2014-03-26 09:31:36 -07:00
Makefile Bluetooth: 6LoWPAN: Create a kernel module 2014-07-03 17:42:44 +02:00
mgmt.c Bluetooth: Pass initiator/acceptor information to hci_conn_security() 2014-07-17 14:39:39 +02:00
sco.c Bluetooth: never linger on process exit 2014-07-17 12:13:06 +02:00
smp.c Bluetooth: Use EOPNOTSUPP instead of ENOTSUPP 2014-07-18 11:11:38 +02:00
smp.h Bluetooth: Remove HCI prefix from SMP LTK defines 2014-07-03 17:42:42 +02:00