shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 11:26:02 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
5e144fff509d2aa60a17257be626294bb8e269b3
linux/net
History
Luiz Augusto von Dentz ba1db5d97e Bluetooth: L2CAP: Fix user-after-free 
[ Upstream commit 35fcbc4243 ]

This uses l2cap_chan_hold_unless_zero() after calling
__l2cap_get_chan_blah() to prevent the following trace:

Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
*kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000ae861c08
==================================================================
BUG: KASAN: use-after-free in __mutex_waiter_is_first
kernel/locking/mutex.c:191 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common
kernel/locking/mutex.c:671 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
kernel/locking/mutex.c:729
Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389

Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-06-29 09:27:02 +09:00
..
6lowpan
6lowpan: Off by one handling ->nexthdr
2023-05-15 16:44:57 +09:00
9p
net/9p: Initialize the iounit field during fid creation
2023-06-29 09:26:48 +09:00
802
net/802/garp: fix memleak in garp_request_join()
2023-05-16 11:34:46 +09:00
8021q
vlan: fix memory leak in vlan_dev_set_egress_priority
2023-05-15 16:32:51 +09:00
appletalk
appletalk: Fix skb allocation size in loopback case
2023-05-16 10:49:55 +09:00
atm
atm: fix a memory leak of vcc->user_back
2023-05-16 09:16:14 +09:00
ax25
ax25: Fix NULL pointer dereference in ax25_kill_by_device
2023-05-16 12:45:55 +09:00
batman-adv
batman-adv: Don't expect inter-netns unique iflink indices
2023-05-16 12:46:11 +09:00
bluetooth
Bluetooth: L2CAP: Fix user-after-free
2023-06-29 09:27:02 +09:00
bridge
netfilter: br_netfilter: Drop dst references before setting.
2023-06-29 09:26:53 +09:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2023-05-16 11:46:39 +09:00
can
can: bcm: check the result of can_send() in bcm_can_tx()
2023-06-29 09:27:01 +09:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2023-05-16 09:45:38 +09:00
core
net: Fix a data-race around sysctl_net_busy_read.
2023-06-29 09:26:50 +09:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2023-05-16 12:44:53 +09:00
dccp
dccp: don't duplicate ccid when cloning dccp sock
2023-05-16 11:46:42 +09:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2023-05-16 11:34:05 +09:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2023-05-12 16:29:40 +09:00
dsa
net: dsa: tag_brcm: Fix skb->fwd_offload_mark location
2023-05-15 17:13:02 +09:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2023-05-15 16:31:00 +09:00
hsr
hsr: use netdev_err() instead of WARN_ONCE()
2023-05-16 10:54:56 +09:00
ieee802154
net/ieee802154: fix uninit value bug in dgram_sendmsg
2023-06-29 09:26:56 +09:00
ipv4
tcp: annotate data-race around tcp_md5sig_pool_populated
2023-06-29 09:27:01 +09:00
ipv6
net: ping6: Fix memleak in ipv6_renew_options().
2023-06-29 09:26:45 +09:00
ipx
irda
irda: Fix memory leak caused by repeated binds of irda socket
2023-05-12 17:27:16 +09:00
iucv
net/af_iucv: set correct sk_protocol for child sockets
2023-05-16 09:50:42 +09:00
kcm
kcm: switch order of device registration to fix a crash
2023-05-15 12:22:31 +09:00
key
af_key: Do not call xfrm_probe_algs in parallel
2023-06-29 09:26:50 +09:00
l2tp
l2tp: fix race in pppol2tp_release with session object destroy
2023-06-29 09:26:38 +09:00
l3mdev
lapb
net: lapb: Copy the skb before sending a packet
2023-05-16 10:34:08 +09:00
llc
llc: only change llc->dev when bind() succeeds
2023-05-16 12:47:02 +09:00
mac80211
wifi: mac80211: allow bw change during channel switch in mesh
2023-06-29 09:26:58 +09:00
mac802154
net: mac802154: Fix a condition in the receive path
2023-06-29 09:26:52 +09:00
mpls
net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
2023-05-16 10:46:16 +09:00
ncsi
net/ncsi: Use real net-device for response handler
2023-05-16 10:24:55 +09:00
netfilter
netfilter: nf_conntrack_irc: Tighten matching on DCC message
2023-06-29 09:26:54 +09:00
netlabel
cipso,calipso: resolve a number of problems with the DOI refcounts
2023-05-16 12:33:58 +09:00
netlink
netlink: do not reset transport header in netlink_recvmsg()
2023-06-29 09:26:14 +09:00
netrom
netrom: Decrease sock refcount when sock timers expire
2023-05-16 11:34:06 +09:00
nfc
NFC: NULL out the dev->rfkill to prevent UAF
2023-06-29 09:26:19 +09:00
openvswitch
openvswitch: Fix overreporting of drops in dropwatch
2023-06-29 09:27:01 +09:00
packet
net/packet: fix packet_sock xmit return value checking
2023-06-29 09:26:10 +09:00
phonet
phonet: refcount leak in pep_sock_accep
2023-05-16 12:30:20 +09:00
qrtr
net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
2023-05-16 10:49:33 +09:00
rds
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
2023-06-29 09:26:59 +09:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2023-05-15 16:32:30 +09:00
rose
rose: check NULL rose_loopback_neigh->loopback
2023-06-29 09:26:50 +09:00
rxrpc
rxrpc: Don't try to resend the request if we're receiving the reply
2023-06-29 09:26:20 +09:00
sched
sch_sfb: Also store skb len before calling child enqueue
2023-06-29 09:26:53 +09:00
sctp
sctp: read sk->sk_bound_dev_if once in sctp_rcv()
2023-06-29 09:26:20 +09:00
strparser
strparser: Fix incorrect strp->need_bytes value.
2018-04-29 11:32:02 +02:00
sunrpc
SUNRPC: use _bh spinlocking on ->transport_lock
2023-06-29 09:26:53 +09:00
switchdev
tipc
tipc: fix shift wrapping bug in map_get()
2023-06-29 09:26:53 +09:00
unix
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
2023-05-16 12:33:30 +09:00
vmw_vsock
vsock: Fix memory leak in vsock_connect()
2023-06-29 09:26:48 +09:00
wimax
wireguard
ODROID: Remove some redefined variables.
2023-06-29 09:26:34 +09:00
wireless
wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()
2023-06-29 09:26:51 +09:00
x25
net/x25: Fix null-ptr-deref caused by x25_disconnect
2023-06-29 09:26:04 +09:00
xfrm
xfrm: Update ipcomp_scratches with NULL when freed
2023-06-29 09:27:01 +09:00
compat.c
net: Return the correct errno code
2023-05-16 11:14:47 +09:00
Kconfig
net/wireguard: add WireGuard 1.0.20200712
2023-05-15 17:31:52 +09:00
Makefile
net: split out functions related to registering inflight socket files
2023-05-16 11:34:41 +09:00
socket.c
net: Fix a data-race around sysctl_somaxconn.
2023-06-29 09:26:50 +09:00
sysctl_net.c