android_kernel_xiaomi_sm8350/include
Luiz Augusto von Dentz fffb2b5bad BACKPORT: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream.

This fixes the following trace which is caused by hci_rx_work starting up
*after* the final channel reference has been put() during sock_close() but
*before* the references to the channel have been destroyed, so instead
the code now relies on kref_get_unless_zero/l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.

  refcount_t: increment on 0; use-after-free.
  BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0
  Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705

  CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S      W
  4.14.234-00003-g1fb6d0bd49a4-dirty #28
  Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150
  Google Inc. MSM sm8150 Flame DVT (DT)
  Workqueue: hci0 hci_rx_work
  Call trace:
   dump_backtrace+0x0/0x378
   show_stack+0x20/0x2c
   dump_stack+0x124/0x148
   print_address_description+0x80/0x2e8
   __kasan_report+0x168/0x188
   kasan_report+0x10/0x18
   __asan_load4+0x84/0x8c
   refcount_dec_and_test+0x20/0xd0
   l2cap_chan_put+0x48/0x12c
   l2cap_recv_frame+0x4770/0x6550
   l2cap_recv_acldata+0x44c/0x7a4
   hci_acldata_packet+0x100/0x188
   hci_rx_work+0x178/0x23c
   process_one_work+0x35c/0x95c
   worker_thread+0x4cc/0x960
   kthread+0x1a8/0x1c4
   ret_from_fork+0x10/0x18

Bug: 165329981
Cc: stable@kernel.org
Reported-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I6efae55d8014740aebc8c3534846c2d249068b29
2022-08-03 13:09:03 +01:00
acpi ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions 2022-01-27 09:19:45 +01:00
asm-generic This is the 5.4.190 stable release 2022-04-21 14:13:50 +02:00
clocksource
crypto BACKPORT: crypto: blake2b - sync with blake2s implementation 2021-10-23 19:32:26 -07:00
drm
dt-bindings
keys
kvm
linux Merge tag 'android11-5.4.197_r00' into 'android11-5.4' 2022-07-27 11:19:48 +02:00
math-emu
media
misc
net BACKPORT: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-08-03 13:09:03 +01:00
pcmcia
ras
rdma This is the 5.4.162 stable release 2021-11-26 11:38:38 +01:00
scsi
soc
sound ANDROID: Fix up abi issue with struct snd_pcm_runtime 2022-06-30 16:11:23 +00:00
target scsi: target: Fix ordered tag handling 2021-11-26 10:47:16 +01:00
trace This is the 5.4.162 stable release 2021-11-26 11:38:38 +01:00
uapi This is the 5.4.196 stable release 2022-05-25 10:40:14 +02:00
vdso
video
xen xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-11 11:22:39 +01:00
OWNERS