android_kernel_oneplus_msm8998/net/bluetooth
Myungho Jung 59ae59920a Bluetooth: Fix decrementing reference count twice in releasing socket
commit e20a2e9c42c9e4002d9e338d74e7819e88d77162 upstream.

When releasing socket, it is possible to enter hci_sock_release() and
hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different threads.
The reference count of hdev should be decremented only once from one of
them but if storing hdev to local variable in hci_sock_release() before
detached from socket and setting to NULL in hci_sock_dev_event(),
hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
referencing hdev from socket after bt_sock_unlink() in
hci_sock_release().

Reported-by: syzbot+fdc00003f4efff43bc5b@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-27 09:33:47 +02:00
bnep Bluetooth: bnep: fix possible might sleep error in bnep_session 2017-08-30 10:19:26 +02:00
cmtp Bluetooth: cmtp: fix possible might sleep error in cmtp_session 2017-08-30 10:19:26 +02:00
hidp Bluetooth: hidp: Fix handling of strncpy for hid->name information 2018-09-19 22:48:58 +02:00
rfcomm Bluetooth: Fix potential NULL dereference in RFCOMM bind callback 2015-06-06 08:44:33 +02:00
6lowpan.c Bluetooth: 6lowpan: Fix handling of uncompressed IPv6 packets 2016-03-03 15:07:16 -08:00
a2mp.c Bluetooth: Move get info completed callback to a2mp.c 2015-07-30 13:37:22 +02:00
a2mp.h Bluetooth: Add BT_HS config option 2015-07-30 13:31:59 +02:00
af_bluetooth.c net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
amp.c Bluetooth: Fix breakage in amp_write_rem_assoc_frag() 2015-08-10 20:41:34 +02:00
amp.h Bluetooth: Add BT_HS config option 2015-07-30 13:31:59 +02:00
ecc.c
ecc.h
hci_conn.c Bluetooth: Fix connection if directed advertising and privacy is used 2018-07-03 11:21:35 +02:00
hci_core.c Bluetooth: Send HCI Set Event Mask Page 2 command only when needed 2018-04-13 19:50:21 +02:00
hci_debugfs.c Bluetooth: Expose current Device ID information via debugfs 2015-04-02 08:40:35 +03:00
hci_debugfs.h
hci_event.c Bluetooth: Fix unnecessary error message for HCI request completion 2019-02-20 10:13:10 +01:00
hci_request.c Bluetooth: Fix incorrect removing of IRKs 2016-03-03 15:07:16 -08:00
hci_request.h Bluetooth: Introduce hci_req helper to abort a connection 2015-10-22 11:37:22 +02:00
hci_sock.c Bluetooth: Fix decrementing reference count twice in releasing socket 2019-04-27 09:33:47 +02:00
hci_sysfs.c
Kconfig Bluetooth: Add BT_HS config option 2015-07-30 13:31:59 +02:00
l2cap_core.c Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer 2019-04-03 06:23:20 +02:00
l2cap_sock.c Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU 2016-08-20 18:09:19 +02:00
lib.c Bluetooth: Add BT_WARN and bt_dev_warn logging macros 2015-09-24 16:25:44 +02:00
Makefile Bluetooth: Add BT_HS config option 2015-07-30 13:31:59 +02:00
mgmt.c Bluetooth: SMP: fix crash in unpairing 2018-11-10 07:41:33 -08:00
mgmt_util.c Bluetooth: Add generic mgmt helper API 2015-03-17 18:03:08 +01:00
mgmt_util.h Bluetooth: Add generic mgmt helper API 2015-03-17 18:03:08 +01:00
sco.c Bluetooth: avoid killing an already killed socket 2018-08-22 07:48:37 +02:00
selftest.c Bluetooth: Export ECDH selftest result in debugfs 2015-04-02 08:47:38 +03:00
selftest.h
smp.c Bluetooth: SMP: fix crash in unpairing 2018-11-10 07:41:33 -08:00
smp.h Bluetooth: SMP: fix crash in unpairing 2018-11-10 07:41:33 -08:00