davidlt/kernel-ark
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
92c385f46b
kernel-ark/net
History
Andre Guedes 61a0cfb008 Bluetooth: Fix use-after-free bug in SMP 
If SMP fails, we should always cancel security_timer delayed work.
Otherwise, security_timer function may run after l2cap_conn object
has been freed.

This patch fixes the following warning reported by ODEBUG:

WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
Hardware name: Bochs
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
Modules linked in: btusb bluetooth
Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
Call Trace:
 [<ffffffff81174600>] ? free_obj_work+0x4a/0x7f
 [<ffffffff81023eb8>] warn_slowpath_common+0x7e/0x97
 [<ffffffff81023f65>] warn_slowpath_fmt+0x41/0x43
 [<ffffffff811746b1>] debug_print_object+0x7c/0x8d
 [<ffffffff810394f0>] ? __queue_work+0x241/0x241
 [<ffffffff81174fdd>] debug_check_no_obj_freed+0x92/0x159
 [<ffffffff810ac08e>] slab_free_hook+0x6f/0x77
 [<ffffffffa0019145>] ? l2cap_conn_del+0x148/0x157 [bluetooth]
 [<ffffffff810ae408>] kfree+0x59/0xac
 [<ffffffffa0019145>] l2cap_conn_del+0x148/0x157 [bluetooth]
 [<ffffffffa001b9a2>] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
 [<ffffffff810592f9>] ? trace_hardirqs_on_caller+0x112/0x1ad
 [<ffffffffa001c86c>] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
 [<ffffffffa0002b2f>] hci_rx_work+0x235/0x33c [bluetooth]
 [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
 [<ffffffff81038e22>] process_one_work+0x185/0x2fe
 [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
 [<ffffffff81059f2e>] ? lock_acquired+0x1b5/0x1cf
 [<ffffffffa00028fa>] ? le_scan_work+0x11d/0x11d [bluetooth]
 [<ffffffff81036fb6>] ? spin_lock_irq+0x9/0xb
 [<ffffffff81039209>] worker_thread+0xcf/0x175
 [<ffffffff8103913a>] ? rescuer_thread+0x175/0x175
 [<ffffffff8103cfe0>] kthread+0x95/0x9d
 [<ffffffff812c5054>] kernel_threadi_helper+0x4/0x10
 [<ffffffff812c36b0>] ? retint_restore_args+0x13/0x13
 [<ffffffff8103cf4b>] ? flush_kthread_worker+0xdb/0xdb
 [<ffffffff812c5050>] ? gs_change+0x13/0x13

This bug can be reproduced using hctool lecc or l2test tools and
bluetoothd not running.

Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
2012-08-15 01:06:23 -03:00
..
9p net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
802
8021q netpoll: move np->dev and np->dev_name init into __netpoll_setup() 2012-07-17 09:02:36 -07:00
appletalk net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
atm
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-07-19 11:17:30 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-07-10 23:56:33 -07:00
bluetooth Bluetooth: Fix use-after-free bug in SMP 2012-08-15 01:06:23 -03:00
bridge bridge: make port attributes const 2012-07-30 14:53:22 -07:00
caif netvm: prevent a stream-specific deadlock 2012-07-31 18:42:47 -07:00
can can: gw: Remove pointless casts 2012-07-10 22:36:17 +02:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-07-31 14:35:28 -07:00
core tcp: Apply device TSO segment limit earlier 2012-08-02 00:19:17 -07:00
dcb net: Fix non-kernel-doc comments with kernel-doc start marker 2012-07-10 23:13:45 -07:00
dccp ipv4: Prepare for change of rt->rt_iif encoding. 2012-07-23 16:36:26 -07:00
decnet ipv4: Restore old dst_free() behavior. 2012-07-31 14:41:38 -07:00
dns_resolver
dsa
ethernet ipx: move peII functions 2012-07-19 10:48:00 -07:00
ieee802154 6lowpan: Change byte order when storing/accessing to len field 2012-07-16 22:52:02 -07:00
ipv4 ipv4: route.c cleanup 2012-08-02 02:54:43 -07:00
ipv6 Merge branch 'akpm' (Andrew's patch-bomb) 2012-07-31 19:25:39 -07:00
ipx ipx: move peII functions 2012-07-19 10:48:00 -07:00
irda irda: Fix typo in irda 2012-07-16 23:23:52 -07:00
iucv
key
l2tp net: l2tp_eth: provide tx_dropped counter 2012-06-29 00:52:32 -07:00
lapb
llc net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
mac80211 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2012-08-02 13:49:38 -04:00
mac802154 mac802154: sparse warnings: make symbols static 2012-07-12 07:54:45 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-07-19 11:17:30 -07:00
netlabel
netlink genetlink: define lockdep_genl_is_held() when CONFIG_LOCKDEP 2012-07-24 00:01:30 -07:00
netrom
nfc Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2012-07-20 12:30:48 -04:00
openvswitch Revert "openvswitch: potential NULL deref in sample()" 2012-07-27 13:45:51 -07:00
packet
phonet
rds rds: set correct msg_namelen 2012-07-23 01:01:44 -07:00
rfkill
rose
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-07-10 23:56:33 -07:00
sched ipv4: Prepare for change of rt->rt_iif encoding. 2012-07-23 16:36:26 -07:00
sctp netvm: prevent a stream-specific deadlock 2012-07-31 18:42:47 -07:00
sunrpc Merge branch 'akpm' (Andrew's patch-bomb) 2012-07-31 19:25:39 -07:00
tipc tipc: remove print_buf and deprecated log buffer code 2012-07-13 19:34:43 -04:00
unix Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-08-01 10:26:23 -07:00
wanrouter wanmain: comparing array with NULL 2012-07-24 13:55:21 -07:00
wimax
wireless cfg80211: process pending events when unregistering net device 2012-08-06 14:29:58 -04:00
x25 net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
xfrm Fix unexpected SA hard expiration after changing date 2012-08-02 00:19:17 -07:00
compat.c net: Fix references to out-of-scope variables in put_cmsg_compat() 2012-07-22 17:50:49 -07:00
Kconfig
Makefile
nonet.c
socket.c net: netprio_cgroup: rework update socket logic 2012-07-22 12:44:01 -07:00
sysctl_net.c