[thirdparty/kernel/stable-queue.git] / releases / 3.16.3 / bluetooth-avoid-use-of-session-socket-after-the-session-gets-freed.patch

From 32333edb82fb2009980eefc5518100068147ab82 Mon Sep 17 00:00:00 2001
From: Vignesh Raman <Vignesh_Raman@mentor.com>
Date: Tue, 22 Jul 2014 19:24:25 +0530
Subject: Bluetooth: Avoid use of session socket after the session gets freed

From: Vignesh Raman <Vignesh_Raman@mentor.com>

commit 32333edb82fb2009980eefc5518100068147ab82 upstream.

The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove
RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905
"Bluetooth: Return RFCOMM session ptrs to avoid freed session"
allow rfcomm_recv_ua and rfcomm_session_close to delete the session
(and free the corresponding socket) and propagate NULL session pointer
to the upper callers.

Additional fix is required to terminate the loop in rfcomm_process_rx
function to avoid use of freed 'sk' memory.

The issue is only reproducible with kernel option CONFIG_PAGE_POISONING
enabled making freed memory being changed and filled up with fixed char
value used to unmask use-after-free issues.

Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/rfcomm/core.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1909,10 +1909,13 @@ static struct rfcomm_session *rfcomm_pro
 	/* Get data directly from socket receive queue without copying it. */
 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
 		skb_orphan(skb);
-		if (!skb_linearize(skb))
+		if (!skb_linearize(skb)) {
 			s = rfcomm_recv_frame(s, skb);
-		else
+			if (!s)
+				break;
+		} else {
 			kfree_skb(skb);
+		}
 	}
 
 	if (s && (sk->sk_state == BT_CLOSED))
Commit	Line	Data
8b77cbea GKH	1	From 32333edb82fb2009980eefc5518100068147ab82 Mon Sep 17 00:00:00 2001
	2	From: Vignesh Raman <Vignesh_Raman@mentor.com>
	3	Date: Tue, 22 Jul 2014 19:24:25 +0530
	4	Subject: Bluetooth: Avoid use of session socket after the session gets freed
	5
	6	From: Vignesh Raman <Vignesh_Raman@mentor.com>
	7
	8	commit 32333edb82fb2009980eefc5518100068147ab82 upstream.
	9
	10	The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove
	11	RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905
	12	"Bluetooth: Return RFCOMM session ptrs to avoid freed session"
	13	allow rfcomm_recv_ua and rfcomm_session_close to delete the session
	14	(and free the corresponding socket) and propagate NULL session pointer
	15	to the upper callers.
	16
	17	Additional fix is required to terminate the loop in rfcomm_process_rx
	18	function to avoid use of freed 'sk' memory.
	19
	20	The issue is only reproducible with kernel option CONFIG_PAGE_POISONING
	21	enabled making freed memory being changed and filled up with fixed char
	22	value used to unmask use-after-free issues.
	23
	24	Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
	25	Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
	26	Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
	27	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
	28	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	29
	30	---
	31	net/bluetooth/rfcomm/core.c \| 7 +++++--
	32	1 file changed, 5 insertions(+), 2 deletions(-)
	33
	34	--- a/net/bluetooth/rfcomm/core.c
	35	+++ b/net/bluetooth/rfcomm/core.c
	36	@@ -1909,10 +1909,13 @@ static struct rfcomm_session *rfcomm_pro
	37	/* Get data directly from socket receive queue without copying it. */
	38	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
	39	skb_orphan(skb);
	40	- if (!skb_linearize(skb))
	41	+ if (!skb_linearize(skb)) {
	42	s = rfcomm_recv_frame(s, skb);
	43	- else
	44	+ if (!s)
	45	+ break;
	46	+ } else {
	47	kfree_skb(skb);
	48	+ }
	49	}
	50
	51	if (s && (sk->sk_state == BT_CLOSED))