linux_dsm_epyc7002/net/bluetooth
Dan Carpenter 11eb85ec42 Bluetooth: Fix race condition in hci_release_sock()
Syzbot managed to trigger a use after free "KASAN: use-after-free Write
in hci_sock_bind".  I have reviewed the code manually and one possibly
cause I have found is that we are not holding lock_sock(sk) when we do
the hci_dev_put(hdev) in hci_sock_release().  My theory is that the bind
and the release are racing against each other which results in this use
after free.

Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2020-01-26 10:34:17 +02:00
..
bnep netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
cmtp
hidp
rfcomm
6lowpan.c
a2mp.c
a2mp.h
af_bluetooth.c
amp.c
amp.h
ecdh_helper.c
ecdh_helper.h
hci_conn.c Bluetooth: Fix memory leak in hci_connect_le_scan 2019-11-22 10:42:53 +01:00
hci_core.c Bluetooth: Add missing checks for HCI_ISODATA_PKT packet type 2020-01-25 16:33:46 +02:00
hci_debugfs.c Bluetooth: Move {min,max}_key_size debugfs into hci_debugfs_create_le 2020-01-25 16:33:52 +02:00
hci_debugfs.h
hci_event.c Bluetooth: Add support for LE PHY Update Complete event 2020-01-04 10:49:23 +01:00
hci_request.c
hci_request.h
hci_sock.c Bluetooth: Fix race condition in hci_release_sock() 2020-01-26 10:34:17 +02:00
hci_sysfs.c
Kconfig
l2cap_core.c Bluetooth: remove redundant assignment to variable icid 2020-01-08 21:44:22 +01:00
l2cap_sock.c
leds.c
leds.h
lib.c Bluetooth: Adding a bt_dev_warn_ratelimited macro. 2020-01-04 10:41:03 +01:00
Makefile
mgmt_util.c
mgmt_util.h
mgmt.c Bluetooth: fix appearance typo in mgmt.c 2020-01-22 21:23:16 +01:00
sco.c
selftest.c
selftest.h
smp.c Bluetooth: Move {min,max}_key_size debugfs into hci_debugfs_create_le 2020-01-25 16:33:52 +02:00
smp.h