iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Johan Hedberg 0a66cf2036 Bluetooth: Fix potential NULL pointer dereference in SMP 
If a sudden disconnection happens the l2cap_conn pointer may already
have been cleaned up by the time hci_conn_security gets called,
resulting in the following oops if we don't have a proper NULL check:

BUG: unable to handle kernel NULL pointer dereference at 000000c8
IP: [<c132e2ed>] smp_conn_security+0x26/0x151
*pde = 00000000
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 1 PID: 673 Comm: memcheck-x86-li Not tainted 3.14.0-rc2+ #437
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: f0ef0520 ti: f0d6a000 task.ti: f0d6a000
EIP: 0060:[<c132e2ed>] EFLAGS: 00010246 CPU: 1
EIP is at smp_conn_security+0x26/0x151
EAX: f0ec1770 EBX: f0ec1770 ECX: 00000002 EDX: 00000002
ESI: 00000002 EDI: 00000000 EBP: f0d6bdc0 ESP: f0d6bda0
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 80050033 CR2: 000000c8 CR3: 30f0f000 CR4: 00000690
Stack:
 f4f55000 00000002 f0d6bdcc c1097a2b c1319f40 f0ec1770 00000002 f0d6bdd0
 f0d6bde8 c1312a82 f0d6bdfc c1312a82 c1319f84 00000008 f4d81c20 f0e5fd86
 f0ec1770 f0d6bdfc f0d6be28 c131be3b c131bdc1 f0d25270 c131be3b 00000008
Call Trace:
 [<c1097a2b>] ? __kmalloc+0x118/0x128
 [<c1319f40>] ? mgmt_pending_add+0x49/0x9b
 [<c1312a82>] hci_conn_security+0x4a/0x1dd
 [<c1312a82>] ? hci_conn_security+0x4a/0x1dd
 [<c1319f84>] ? mgmt_pending_add+0x8d/0x9b
 [<c131be3b>] pair_device+0x1e1/0x206
 [<c131bdc1>] ? pair_device+0x167/0x206
 [<c131be3b>] ? pair_device+0x1e1/0x206
 [<c131ed44>] mgmt_control+0x275/0x2d6

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2014-03-24 07:51:55 -07:00
..
9p
net/9p: remove virtio default hack and set appropriate bits instead
2013-11-23 16:13:36 -06:00
802
neigh: use NEIGH_VAR_INIT in ndo_neigh_setup functions.
2014-01-16 11:31:58 -08:00
8021q
8021q: Use ether_addr_copy
2014-01-21 18:13:04 -08:00
appletalk
net: Fix some fallout from the etner_addr_copy() changes.
2014-01-21 18:57:26 -08:00
atm
net: Fix some fallout from the etner_addr_copy() changes.
2014-01-21 18:57:26 -08:00
ax25
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
batman-adv
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2014-01-18 00:55:41 -08:00
bluetooth
Bluetooth: Fix potential NULL pointer dereference in SMP
2014-03-24 07:51:55 -07:00
bridge
bridge: Remove unnecessary vlan_put_tag in br_handle_vlan
2014-01-22 21:29:27 -08:00
caif
net: Missing change from the ether_addr_copy() fixups.
2014-01-21 22:54:01 -08:00
can
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
ceph
libceph: do not dereference a NULL bio pointer
2014-02-07 11:37:07 -08:00
core
net: Fix warning on make htmldocs caused by skbuff.c
2014-01-28 18:06:06 -08:00
dcb
dcb: use __dev_get_by_name instead of dev_get_by_name to find interface
2014-01-14 18:50:46 -08:00
dccp
ipv4: introduce hardened ip_no_pmtu_disc mode
2014-01-13 11:22:55 -08:00
decnet
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
dns_resolver
net/*: Fix FSF address in file headers
2013-12-06 12:37:57 -05:00
dsa
dsa: Use ether_addr_copy
2014-01-21 18:13:05 -08:00
ethernet
net: eth_type_trans() should use skb_header_pointer()
2014-01-16 15:30:31 -08:00
hsr
net/hsr: using kfree_rcu() to simplify the code
2013-12-17 16:32:30 -05:00
ieee802154
net: 6lowpan: fixup for code movement
2014-01-27 16:43:03 -08:00
ipv4
net: gre: use icmp_hdr() to get inner ip header
2014-01-27 20:38:26 -08:00
ipv6
net: Fix memory leak if TPROXY used with TCP early demux
2014-01-27 16:22:11 -08:00
ipx
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
irda
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
iucv
net: rework recvmsg handler msg_name and msg_namelen logic
2013-11-20 21:52:30 -05:00
key
xfrm: export verify_userspi_info for pkfey and netlink interface
2013-12-16 12:54:02 +01:00
l2tp
ipv6: protect protocols not handling ipv4 from v4 connection/bind attempts
2014-01-21 16:59:19 -08:00
lapb
net/lapb: re-send packets on timeout
2013-09-23 16:52:45 -04:00
llc
llc: remove noisy WARN from llc_mac_hdr_init
2014-01-28 18:01:32 -08:00
mac80211
mac80211: propagate STBC / LDPC flags to radiotap
2014-02-06 09:34:58 +01:00
mac802154
mac802154: fix following checkpath.pl warning Prefer pr_warn(... to pr_warning(...
2013-12-22 18:53:08 -05:00
mpls
ipip: add GSO/TSO support
2013-10-19 19:36:19 -04:00
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2014-01-25 11:17:34 -08:00
netlabel
netlabel: Fix FSF address in file headers
2013-12-06 12:37:56 -05:00
netlink
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
netrom
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
nfc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2014-01-25 11:17:34 -08:00
openvswitch
net: replace macros net_random and net_srandom with direct calls to prandom
2014-01-14 15:15:25 -08:00
packet
af_packet: Add Queue mapping mode to af_packet fanout operation
2014-01-22 17:35:50 -08:00
phonet
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
rds
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
rfkill
net: rfkill: move poll work to power efficient workqueue
2014-02-04 21:58:16 +01:00
rose
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
rxrpc
RxRPC fixes
2014-01-28 18:04:18 -08:00
sched
net: add and use skb_gso_transport_seglen()
2014-01-26 22:38:23 -08:00
sctp
sctp: remove macros sctp_bh_[un]lock_sock
2014-01-21 18:41:36 -08:00
sunrpc
NFS client bugfixes for Linux 3.14
2014-01-31 15:39:07 -08:00
tipc
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
unix
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
vmw_vsock
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
wimax
wimax: remove dead code
2013-11-21 13:09:42 -05:00
wireless
cfg80211: regulatory introduce maximum bandwidth calculation
2014-02-05 14:03:19 +01:00
x25
net: add build-time checks for msg->msg_name size
2014-01-18 23:04:16 -08:00
xfrm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2014-01-25 11:17:34 -08:00
compat.c
x86, x32: Correct invalid use of user timespec in the kernel
2014-01-30 18:44:13 -08:00
Kconfig
net: netprio: rename config to be more consistent with cgroup configs
2014-01-03 23:41:42 +01:00
Makefile
net: move 6lowpan compression code to separate module
2014-01-15 15:36:38 -08:00
nonet.c
socket.c
net: handle error more gracefully in socketpair()
2013-12-10 22:24:13 -05:00
sysctl_net.c
net: Update the sysctl permissions handler to test effective uid/gid
2013-10-07 15:57:56 -04:00