diff options
author | Vignesh Raman <Vignesh_Raman@mentor.com> | 2014-07-22 19:24:25 +0530 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2014-07-22 16:07:31 +0200 |
commit | 32333edb82fb2009980eefc5518100068147ab82 (patch) | |
tree | 3ff5cec73569dde9741d04af5edbc6f0df5a0bb4 /firmware/3com | |
parent | c2aef6e8cbebd60f79555baeb9266e220f135a44 (diff) | |
download | linux-32333edb82fb2009980eefc5518100068147ab82.tar.bz2 |
Bluetooth: Avoid use of session socket after the session gets freed
The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove
RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905
"Bluetooth: Return RFCOMM session ptrs to avoid freed session"
allow rfcomm_recv_ua and rfcomm_session_close to delete the session
(and free the corresponding socket) and propagate NULL session pointer
to the upper callers.
Additional fix is required to terminate the loop in rfcomm_process_rx
function to avoid use of freed 'sk' memory.
The issue is only reproducible with kernel option CONFIG_PAGE_POISONING
enabled making freed memory being changed and filled up with fixed char
value used to unmask use-after-free issues.
Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Diffstat (limited to 'firmware/3com')
0 files changed, 0 insertions, 0 deletions