Bluetooth: L2CAP: Fix use-after-free
Luiz Augusto von Dentz authored
[ Upstream commit 35fcbc42 ]

This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:

Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Sasha Levin <sashal@kernel.org>
0c108cf3
Name            Last commit
..
6lowpan         6lowpan: iphc: Fix an off-by-one check of array index
802             net/802/garp: fix memleak in garp_request_join()
8021q           net: make free_netdev() more lenient with unregistering devices
9p              net/9p: Initialize the iounit field during fid creation
appletalk       appletalk: Fix skb allocation size in loopback case
atm             net: atm: fix update of position index in lec_seq_next
ax25            net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
batman-adv      batman-adv: Don't skb_split skbuffs with frag_list
bluetooth       Bluetooth: L2CAP: Fix use-after-free
bpf             bpf: Don't redirect packets with invalid pkt_len
bpfilter        bpfilter: Specify the log level for the kmsg message
bridge          netfilter: ebtables: fix memory leak when blob is malformed
caif            net-caif: avoid user-triggerable WARN_ON(1)
can             can: bcm: check the result of can_send() in bcm_can_tx()
ceph            libceph: fix potential use-after-free on linger ping and resends
core            net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
dcb             net: dcb: disable softirqs in dcbnl_flush_dev()
dccp            dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
decnet          net: Fix data-races around sysctl_[rw]mem(_offset)?.
dns_resolver    docs: networking: convert dns_resolver.txt to ReST
dsa             net: dsa: Add missing of_node_put() in dsa_port_link_register_of
ethernet        net: move devres helpers into a separate source file
ethtool         ethtool: do not perform operations on net devices being unregistered
hsr             net: hsr: fix mac_len checks
ieee802154      net/ieee802154: reject zero-sized raw_sendmsg()
ife             net: Fix Kconfig indentation
ipv4            tcp: annotate data-race around tcp_md5sig_pool_populated
ipv6            netfilter: nft_fib: Fix for rpath check with VRF devices
iucv            net/af_iucv: remove WARN_ONCE on malformed RX packets
kcm             kcm: fix strp_init() order and cleanup
key             af_key: Do not call xfrm_probe_algs in parallel
l2tp            ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
l3mdev          l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
lapb            net: lapb: Copy the skb before sending a packet
llc             llc: only change llc->dev when bind() succeeds
mac80211        wifi: mac80211: allow bw change during channel switch in mesh
mac802154       net: mac802154: Fix a condition in the receive path
mpls            net: Use u64_stats_fetch_begin_irq() for stats fetch.
mptcp           net: Fix data-races around sysctl_[rw]mem(_offset)?.
ncsi            net/ncsi: check for error return from call to nla_put_u32
netfilter       netfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()
netlabel        netlabel: fix out-of-bounds memory accesses
netlink         net: genl: fix error path memory leak in policy dumping
netrom          netrom: fix api breakage in nr_setsockopt()
nfc             NFC: NULL out the dev->rfkill to prevent UAF
nsh             treewide: replace '---help---' in Kconfig files with 'help'
openvswitch     openvswitch: Fix overreporting of drops in dropwatch
packet          net/af_packet: check len when min_header_len equals to 0
phonet          phonet: refcount leak in pep_sock_accep
psample         net: psample: Fix netlink skb length with tunnel info
qrtr
rds
rfkill
rose
rxrpc
sched
sctp
smc
strparser
sunrpc
switchdev
tipc
tls
unix
vmw_vsock
wimax
wireless
x25
xdp
xfrm
Kconfig
Makefile
compat.c
devres.c
socket.c
sysctl_net.c