iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Luiz Augusto von Dentz 7453847fb2 Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync 
Fixes the following trace where hci_acl_create_conn_sync attempts to
call hci_abort_conn_sync after timeout:

BUG: KASAN: slab-use-after-free in hci_abort_conn_sync
(net/bluetooth/hci_sync.c:5439)
Read of size 2 at addr ffff88800322c032 by task kworker/u3:2/36

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38
04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl (./arch/x86/include/asm/irqflags.h:26
./arch/x86/include/asm/irqflags.h:67 ./arch/x86/include/asm/irqflags.h:127
lib/dump_stack.c:107)
print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
? preempt_count_sub (kernel/sched/core.c:5889)
? __virt_addr_valid (./arch/x86/include/asm/preempt.h:103 (discriminator 1)
./include/linux/rcupdate.h:865 (discriminator 1)
./include/linux/mmzone.h:2026 (discriminator 1)
arch/x86/mm/physaddr.c:65 (discriminator 1))
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
kasan_report (mm/kasan/report.c:603)
? hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
hci_abort_conn_sync (net/bluetooth/hci_sync.c:5439)
? __pfx_hci_abort_conn_sync (net/bluetooth/hci_sync.c:5433)
hci_acl_create_conn_sync (net/bluetooth/hci_sync.c:6681)

Fixes: 45340097ce6e ("Bluetooth: hci_conn: Only do ACL connections sequentially")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-03-06 17:24:28 -05:00
..
6lowpan
net: fill in MODULE_DESCRIPTION()s for 6LoWPAN
2024-02-09 14:12:01 -08:00
9p
net: 9p: avoid freeing uninit memory in p9pdu_vreadf
2023-12-13 05:44:30 +09:00
802
net: fill in MODULE_DESCRIPTION()s under net/802*
2023-10-28 11:29:28 +01:00
8021q
rtnetlink: prepare nla_put_iflink() to run under RCU
2024-02-26 11:46:12 +00:00
appletalk
net: remove SOCK_DEBUG leftovers
2023-12-26 20:31:01 +00:00
atm
net: fill in MODULE_DESCRIPTION()s for mpoa
2024-02-09 14:12:01 -08:00
ax25
batman-adv
This cleanup patchset includes the following patches:
2024-02-02 12:44:16 +00:00
bluetooth
Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
2024-03-06 17:24:28 -05:00
bpf
bpf: treewide: Annotate BPF kfuncs in BTF
2024-01-31 20:40:56 -08:00
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-29 14:24:56 -08:00
caif
net: fill in MODULE_DESCRIPTION()s for CAIF
2024-01-05 08:06:35 -08:00
can
linux-can-next-for-6.9-20240220
2024-02-20 15:32:45 +01:00
ceph
libceph: just wait for more data to be available on the socket
2024-02-07 14:43:29 +01:00
core
netdev: let netlink core handle -EMSGSIZE errors
2024-03-06 08:07:44 +00:00
dcb
dccp
net: dccp: Simplify the allocation of slab caches in dccp_ackvec_init
2024-02-02 12:19:26 +00:00
devlink
devlink: fix port dump cmd type
2024-02-21 17:11:04 -08:00
dns_resolver
Networking changes for 6.8.
2024-01-11 10:07:29 -08:00
dsa
rtnetlink: prepare nla_put_iflink() to run under RCU
2024-02-26 11:46:12 +00:00
ethernet
ethtool
ethtool: ignore unused/unreliable fields in set_eee op
2024-03-05 19:07:13 -08:00
handshake
net/handshake: Fix handshake_req_destroy_test1
2024-02-08 18:32:29 -08:00
hsr
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-29 14:24:56 -08:00
ieee802154
rtnetlink: prepare nla_put_iflink() to run under RCU
2024-02-26 11:46:12 +00:00
ife
net: sched: ife: fix potential use-after-free
2023-12-15 10:50:18 +00:00
ipv4
inet: Add getsockopt support for IP_ROUTER_ALERT and IPV6_ROUTER_ALERT
2024-03-06 12:37:06 +00:00
ipv6
inet: Add getsockopt support for IP_ROUTER_ALERT and IPV6_ROUTER_ALERT
2024-03-06 12:37:06 +00:00
iucv
net/af_iucv: fix virtual vs physical address confusion
2024-02-22 18:28:13 -08:00
kcm
net: kcm: Simplify the allocation of slab caches
2024-02-21 11:28:57 +00:00
key
net: fill in MODULE_DESCRIPTION()s for af_key
2024-02-09 14:12:01 -08:00
l2tp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-22 15:29:26 -08:00
l3mdev
lapb
llc
llc: call sock_orphan() at release time
2024-01-30 13:49:09 +01:00
mac80211
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-29 14:24:56 -08:00
mac802154
mac802154: Avoid new associations while disassociating
2023-12-15 11:14:57 +01:00
mctp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-29 14:24:56 -08:00
mpls
inet: allow ip_valid_fib_dump_req() to be called with RTNL or RCU
2024-02-26 11:46:12 +00:00
mptcp
mptcp: get addr in userspace pm list
2024-03-04 13:07:46 +00:00
ncsi
net/ncsi: Add NC-SI 1.2 Get MC MAC Address command
2023-11-18 15:00:51 +00:00
netfilter
bpf-next-for-netdev
2024-03-02 20:50:59 -08:00
netlabel
netlabel: remove impossible return value in netlbl_bitmap_walk
2024-02-28 19:37:34 -08:00
netlink
genetlink: fit NLMSG_DONE into same read() as families
2024-03-06 08:07:45 +00:00
netrom
nfc
nfc: core: make nfc_class constant
2024-03-05 11:21:18 -08:00
nsh
openvswitch
net: openvswitch: limit the number of recursions from action sets
2024-02-09 12:54:38 -08:00
packet
net: Re-use and set mono_delivery_time bit for userspace tstamp packets
2024-03-05 13:41:16 +01:00
phonet
phonet/pep: fix racy skb_queue_empty() use
2024-02-22 09:05:50 +01:00
psample
genetlink: Use internal flags for multicast groups
2023-12-29 08:43:59 +00:00
qrtr
net: qrtr: ns: Return 0 if server port is not present
2024-01-01 18:41:29 +00:00
rds
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-15 16:20:04 -08:00
rfkill
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2023-12-21 22:17:23 +01:00
rose
net/rose: fix races in rose_kill_by_device()
2023-12-15 11:59:53 +00:00
rxrpc
rxrpc: Fix counting of new acks and nacks
2024-02-05 12:34:07 +00:00
sched
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-22 15:29:26 -08:00
sctp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-15 16:20:04 -08:00
smc
net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
2024-03-05 15:49:35 +01:00
strparser
sunrpc
NFSv4.1: Assign the right value for initval and retries for rpc timeout
2024-01-29 13:39:48 -05:00
switchdev
net: bridge: switchdev: Skip MDB replays of deferred events on offload
2024-02-16 09:36:37 +00:00
tipc
tipc: Cleanup tipc_nl_bearer_add() error paths
2024-02-15 13:18:19 +01:00
tls
tls: fix use-after-free on failed backlog decryption
2024-02-29 09:07:16 -08:00
unix
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-22 15:29:26 -08:00
vmw_vsock
sock_diag: add module pointer to "struct sock_diag_handler"
2024-01-23 15:13:54 +01:00
wireless
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-02-29 14:24:56 -08:00
x25
net: remove SOCK_DEBUG leftovers
2023-12-26 20:31:01 +00:00
xdp
bpf-next-for-netdev
2024-03-02 20:50:59 -08:00
xfrm
bpf-next-for-netdev
2024-03-02 20:50:59 -08:00
compat.c
file: stop exposing receive_fd_user()
2023-12-12 14:24:14 +01:00
devres.c
Kconfig
net: bql: allow the config to be disabled
2024-02-18 10:19:21 +00:00
Kconfig.debug
Makefile
af_unix: Remove CONFIG_UNIX_SCM.
2024-01-31 16:41:16 -08:00
socket.c
net: remove SLAB_MEM_SPREAD flag usage
2024-02-28 19:29:46 -08:00
sysctl_net.c