1 | From 32333edb82fb2009980eefc5518100068147ab82 Mon Sep 17 00:00:00 2001 |
2 | From: Vignesh Raman <Vignesh_Raman@mentor.com> | |
3 | Date: Tue, 22 Jul 2014 19:24:25 +0530 | |
4 | Subject: Bluetooth: Avoid use of session socket after the session gets freed | |
5 | ||
6 | From: Vignesh Raman <Vignesh_Raman@mentor.com> | |
7 | ||
8 | commit 32333edb82fb2009980eefc5518100068147ab82 upstream. | |
9 | ||
10 | The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove | |
11 | RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905 | |
12 | "Bluetooth: Return RFCOMM session ptrs to avoid freed session" | |
13 | allow rfcomm_recv_ua and rfcomm_session_close to delete the session | |
14 | (and free the corresponding socket) and propagate NULL session pointer | |
15 | to the upper callers. | |
16 | ||
17 | Additional fix is required to terminate the loop in rfcomm_process_rx | |
18 | function to avoid use of freed 'sk' memory. | |
19 | ||
20 | The issue is only reliably reproducible with the kernel option | |
21 | CONFIG_PAGE_POISONING enabled, which overwrites freed memory with a fixed | |
22 | byte pattern in order to expose use-after-free bugs. | |
23 | ||
24 | Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com> | |
25 | Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com> | |
26 | Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com> | |
27 | Signed-off-by: Marcel Holtmann <marcel@holtmann.org> | |
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
29 | ||
30 | --- | |
31 | net/bluetooth/rfcomm/core.c | 7 +++++-- | |
32 | 1 file changed, 5 insertions(+), 2 deletions(-) | |
33 | ||
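--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1909,10 +1909,13 @@ static struct rfcomm_session *rfcomm_pro
 	/* Get data directly from socket receive queue without copying it. */
 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
 		skb_orphan(skb);
-		if (!skb_linearize(skb))
+		if (!skb_linearize(skb)) {
 			s = rfcomm_recv_frame(s, skb);
-		else
+			if (!s)
+				break;
+		} else {
 			kfree_skb(skb);
+		}
 	}
 
 	if (s && (sk->sk_state == BT_CLOSED))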
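Review bot: The new `if (!s) break;` is only correct because a NULL return from rfcomm_recv_frame() means the session, and with it the socket `sk` whose receive queue this loop drains, has been freed, and nothing in the hunk records that invariant, so a later reader could move the check or touch `sk` after it. I would add directly above the check: `/* rfcomm_recv_frame() may close the session and free sk; a NULL return means sk is dangling, so stop draining its queue. */` The trailing `if (s && (sk->sk_state == BT_CLOSED))` short-circuits on NULL and so never dereferences the freed `sk`, but any skbs still queued when the break fires are left for the socket teardown to release, which is presumably handled by the session close path and worth confirming there. The enclosing rfcomm_process_rx() starts and ends outside the hunk.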