android_kernel_oneplus_msm8998/drivers
Kefeng Wang 29d9c57140 Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5  - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                 - tty_ldisc_receive_buf
                                          - hci_uart_tty_receive
                                           - test_bit HCI_UART_PROTO_READY
                                            - h5_recv
 - clear_bit HCI_UART_PROTO_READY             while() {
 - p->open(hu) -> h5_close //free h5
                                              - h5_rx_3wire_hdr
                                               - h5_reset()  //use-after-free
                                              }

It could use ioctl to set hci uart proto, but there is
a use-after-free issue when hci_uart_register_dev() fails in
hci_uart_set_proto(); see the stack above. Fix this by setting the
HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
returns success.

Reported-by: syzbot+899a33dc0fa0dbaf06a6@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-25 15:54:18 +01:00
accessibility
acpi PCI/ACPI: Correct error message for ASPM disabling 2019-11-25 15:54:00 +01:00
amba
android ANDROID: binder: synchronize_rcu() when using POLLFREE. 2019-10-07 21:01:03 +02:00
ata libata: add SG safety checks in SFF pio transfers 2019-09-06 10:18:08 +02:00
atm Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 2019-09-21 07:12:50 +02:00
auxdisplay
base x86/bugs: Add ITLB_MULTIHIT bug infrastructure 2019-11-16 10:27:52 +01:00
bcma
block loop: Add LOOP_SET_DIRECT_IO to compat ioctl 2019-10-29 09:13:21 +01:00
bluetooth Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() 2019-11-25 15:54:18 +01:00
bus
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-27 09:33:52 +02:00
char ipmi_si: Only schedule continuously in the thread in maintenance mode 2019-10-07 21:00:59 +02:00
clk clk: sirf: Don't reference clk_init_data after registration 2019-10-07 21:01:00 +02:00
clocksource clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown 2019-03-23 08:44:35 +01:00
connector
cpufreq cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown 2019-10-29 09:13:31 +01:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-20 10:13:09 +01:00
crypto crypto: caam - fix concurrency issue in givencrypt descriptor 2019-10-17 13:40:56 -07:00
dca
devfreq
dio
dma dmaengine: dma-jz4780: Further residue status fix 2019-11-25 15:53:51 +01:00
dma-buf
edac EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec 2019-08-04 09:34:48 +02:00
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-06-11 12:24:01 +02:00
firewire
firmware firmware/psci: Expose SMCCC version through psci_ops 2019-11-10 11:21:19 +01:00
fmc
fpga
gpio gpio: omap: ensure irq is enabled before wakeup 2019-08-04 09:34:45 +02:00
gpu drm/i915/cmdparser: Fix jump whitelist clearing 2019-11-12 19:13:36 +01:00
hid HID: fix error message in hid_open_report() 2019-11-06 12:09:21 +01:00
hsi
hv Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels 2019-01-13 10:05:27 +01:00
hwmon hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' 2019-10-05 12:27:49 +02:00
hwspinlock
hwtracing stm class: Fix a double free of stm_source_device 2019-09-06 10:18:17 +02:00
i2c i2c: riic: Clear NACK in tend isr 2019-10-05 12:27:55 +02:00
ide ide: pmac: add of_node_put() 2018-12-21 14:09:52 +01:00
idle
iio iio: dac: mcp4922: fix error handling in mcp4922_write_raw 2019-11-25 15:53:44 +01:00
infiniband RDMA/iwcm: Fix a lock inversion issue 2019-11-06 12:09:13 +01:00
input Input: ff-memless - kill timer in destroy() 2019-11-25 15:53:42 +01:00
iommu iommu/amd: Move iommu_init_pci() to .init section 2019-08-25 10:53:05 +02:00
ipack
irqchip irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices 2019-10-05 12:27:39 +02:00
isdn mISDN: enforce CAP_NET_RAW for raw sockets 2019-10-05 12:27:42 +02:00
leds leds: leds-lp5562 allow firmware files up to the maximum length 2019-10-05 12:27:44 +02:00
lguest
lightnvm
macintosh
mailbox mailbox: handle failed named mailbox channel request 2019-08-04 09:34:58 +02:00
mcb
md dm: Use kzalloc for all structs with embedded biosets/mempools 2019-11-06 12:09:10 +01:00
media media: davinci: Fix implicit enum conversion warning 2019-11-25 15:54:08 +01:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-06-11 12:23:46 +02:00
memstick memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' 2019-10-29 09:13:31 +01:00
message
mfd mfd: intel-lpss: Remove D3cold delay 2019-10-07 21:01:01 +02:00
misc misc: genwqe: should return proper error value. 2019-11-25 15:54:13 +01:00
mmc mmc: sdhci-of-at91: fix quirk2 overwrite 2019-11-25 15:53:44 +01:00
mtd mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() 2019-10-05 12:27:37 +02:00
net net: smsc: fix return type of ndo_start_xmit function 2019-11-25 15:54:15 +01:00
nfc NFC: st21nfca: fix double free 2019-11-12 19:13:16 +01:00
ntb
nubus
nvdimm libnvdimm/btt: Fix a kmemdup failure check 2019-05-16 19:45:05 +02:00
nvme
nvmem nvmem: core: return error code instead of NULL from nvmem_device_get 2019-11-25 15:53:55 +01:00
of of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC 2019-11-25 15:53:50 +01:00
oprofile
parisc parisc: Disable HP HSC-PCI Cards to prevent kernel crash 2019-10-05 12:27:52 +02:00
parport parport: Fix mem leak in parport_register_dev_model 2019-07-10 09:56:31 +02:00
pci PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 2019-11-12 19:13:24 +01:00
pcmcia
perf
phy phy: renesas: rcar-gen2: Fix memory leak at error paths 2019-08-04 09:34:57 +02:00
pinctrl pinctrl: at91: don't use the same irqchip with multiple gpiochips 2019-11-25 15:53:58 +01:00
platform platform/chrome: cros_ec_proto: check for NULL transfer function 2019-06-22 08:18:20 +02:00
pnp
power power: supply: twl4030_charger: disable eoc interrupt on linear charge 2019-11-25 15:54:02 +01:00
powercap
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-08-04 09:35:02 +02:00
ps3
ptp ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl 2019-02-20 10:13:05 +01:00
pwm pwm: Fix deadlock warning when removing PWM device 2019-06-22 08:18:21 +02:00
rapidio
ras
regulator regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe() could be uninitialized 2019-11-10 11:21:05 +01:00
remoteproc
reset
rpmsg
rtc rtc: 88pm860x: prevent use-after-free on device remove 2019-06-11 12:23:54 +02:00
s390 s390/qeth: invoke softirqs after napi_schedule() 2019-11-25 15:53:59 +01:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:09:52 +01:00
scsi scsi: libsas: always unregister the old device if going to discover new 2019-11-25 15:54:14 +01:00
sfi
sh
sn
soc soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher 2019-06-22 08:18:20 +02:00
spi spi: bcm2835aux: fix corruptions for longer spi transfers 2019-09-10 10:29:50 +01:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-06-11 12:23:53 +02:00
staging Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc 2019-10-17 13:41:04 -07:00
target scsi: target: core: Do not overwrite CDB byte 1 2019-11-10 11:21:08 +01:00
tc
thermal thermal: Fix use-after-free when unregistering thermal zone device 2019-10-17 13:40:55 -07:00
thunderbolt thunderbolt: Use 32-bit writes when writing ring producer/consumer 2019-11-06 12:09:17 +01:00
tty serial: mxs-auart: Fix potential infinite loop 2019-11-25 15:54:00 +01:00
uio
usb usb: gadget: uvc: Only halt video streaming endpoint in bulk mode 2019-11-25 15:54:11 +01:00
uwb
vfio vfio/pci: Fix potential memory leak in vfio_msi_cap_len 2019-11-25 15:54:13 +01:00
vhost vhost: make sure log_num < in_num 2019-09-16 08:13:36 +02:00
video video: ssd1307fb: Start page range at page_offset 2019-10-07 21:00:59 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:45:18 +02:00
virtio
vlynq
vme
w1 w1: fix the resume command API 2019-06-11 12:23:55 +02:00
watchdog watchdog: bcm2835_wdt: Fix module autoload 2019-09-06 10:18:15 +02:00
xen xen/pci: reserve MCFG areas earlier 2019-10-17 13:40:55 -07:00
zorro
Kconfig
Makefile