GitHub-Mirror/linux-bl808
2
0
Fork 0
mirror of https://github.com/Fishwaldo/linux-bl808.git synced 2025-06-16 03:25:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux-bl808/net/bluetooth
History
Ying Hsu 1d80d57ffc Bluetooth: Fix possible deadlock in rfcomm_sk_state_change 
syzbot reports a possible deadlock in rfcomm_sk_state_change [1].
While rfcomm_sock_connect acquires the sk lock and waits for
the rfcomm lock, rfcomm_sock_release could have the rfcomm
lock and hit a deadlock for acquiring the sk lock.
Here's a simplified flow:

rfcomm_sock_connect:
  lock_sock(sk)
  rfcomm_dlc_open:
    rfcomm_lock()

rfcomm_sock_release:
  rfcomm_sock_shutdown:
    rfcomm_lock()
    __rfcomm_dlc_close:
        rfcomm_k_state_change:
	  lock_sock(sk)

This patch drops the sk lock before calling rfcomm_dlc_open to
avoid the possible deadlock and holds sk's reference count to
prevent use-after-free after rfcomm_dlc_open completes.

Reported-by: syzbot+d7ce59...@syzkaller.appspotmail.com
Fixes: 1804fdf6e4 ("Bluetooth: btintel: Combine setting up MSFT extension")
Link: https://syzkaller.appspot.com/bug?extid=d7ce59b06b3eb14fd218 [1]

Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2023-01-17 15:59:02 -08:00
..
bnep
cmtp
hidp
rfcomm Bluetooth: Fix possible deadlock in rfcomm_sk_state_change 2023-01-17 15:59:02 -08:00
6lowpan.c iov_iter work; most of that is about getting rid of 2022-12-12 18:29:54 -08:00
a2mp.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
a2mp.h
af_bluetooth.c Bluetooth: Fix not cleanup led when bt_init fails 2022-12-02 13:09:31 -08:00
amp.c
amp.h
aosp.c
aosp.h
ecdh_helper.c
ecdh_helper.h
eir.c
eir.h
hci_codec.c Bluetooth: Fix support for Read Local Supported Codecs V2 2022-12-02 13:09:31 -08:00
hci_codec.h
hci_conn.c Bluetooth: hci_conn: Fix memory leaks 2023-01-17 15:59:02 -08:00
hci_core.c Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() 2022-12-12 14:19:26 -08:00
hci_debugfs.c Bluetooth: hci_sync: Fix not able to set force_static_address 2022-12-12 14:19:23 -08:00
hci_debugfs.h Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c 2021-09-22 16:17:13 +02:00
hci_event.c Bluetooth: hci_event: Fix Invalid wait context 2023-01-17 15:59:02 -08:00
hci_request.c Bluetooth: silence a dmesg error message in hci_request.c 2022-12-02 13:09:30 -08:00
hci_request.h
hci_sock.c Bluetooth: Prevent double register of suspend 2022-09-28 12:16:10 -07:00
hci_sync.c Bluetooth: hci_sync: fix memory leak in hci_update_adv_data() 2023-01-17 15:59:02 -08:00
hci_sysfs.c Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times 2022-09-21 15:00:54 -07:00
iso.c Bluetooth: ISO: Fix possible circular locking dependency 2023-01-17 15:59:02 -08:00
Kconfig Bluetooth: Add CONFIG_BT_LE_L2CAP_ECRED 2022-12-12 14:19:24 -08:00
l2cap_core.c Bluetooth: Add CONFIG_BT_LE_L2CAP_ECRED 2022-12-12 14:19:24 -08:00
l2cap_sock.c Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt() 2022-01-07 08:40:11 +01:00
leds.c
leds.h
lib.c Bluetooth: Fix EALREADY and ELOOP cases in bt_status() 2022-12-12 14:19:24 -08:00
Makefile
mgmt.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
mgmt_config.c
mgmt_config.h
mgmt_util.c
mgmt_util.h Bluetooth: Fix a buffer overflow in mgmt_mesh_add() 2023-01-17 15:50:10 -08:00
msft.c
msft.h
sco.c
selftest.c crypto: ecdh - move curve_id of ECDH from the key to algorithm name 2021-03-13 00:04:03 +11:00
selftest.h Bluetooth: Add support for self testing framework 2014-12-30 08:53:55 +02:00
smp.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
smp.h