linux-bluetooth.vger.kernel.org archive mirror
* [PATCH 0/1] Bluetooth: fix crash in L2CAP
@ 2010-10-21  5:19 Gustavo F. Padovan
  2010-10-21  5:19 ` [PATCH 1/1] Bluetooth: fix oops in l2cap_connect_req Gustavo F. Padovan
  2010-10-21 13:35 ` [PATCH 0/1] Bluetooth: fix crash in L2CAP Greg KH
  0 siblings, 2 replies; 5+ messages in thread
From: Gustavo F. Padovan @ 2010-10-21  5:19 UTC (permalink / raw)
  To: greg, linux-bluetooth; +Cc: stable, linux-kernel

Hi Greg,

The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
and we didn't have time to put it into 2.6.36. It fixes a serious crash in
the L2CAP layer. The issue isn't in 2.6.35 and below.

Thanks.

Nathan Holstein (1):
  Bluetooth: fix oops in l2cap_connect_req

 net/bluetooth/l2cap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

-- 
1.7.3.1



* [PATCH 1/1] Bluetooth: fix oops in l2cap_connect_req
  2010-10-21  5:19 [PATCH 0/1] Bluetooth: fix crash in L2CAP Gustavo F. Padovan
@ 2010-10-21  5:19 ` Gustavo F. Padovan
  2010-10-21 13:35 ` [PATCH 0/1] Bluetooth: fix crash in L2CAP Greg KH
  1 sibling, 0 replies; 5+ messages in thread
From: Gustavo F. Padovan @ 2010-10-21  5:19 UTC (permalink / raw)
  To: greg, linux-bluetooth; +Cc: stable, linux-kernel, Nathan Holstein

From: Nathan Holstein <nathan.holstein@gmail.com>

In error cases when the ACL is insecure or we fail to allocate a new
struct sock, we jump to the "response" label.  If so, "sk" will be
null and the kernel crashes.

Signed-off-by: Nathan Holstein <nathan.holstein@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
---
 net/bluetooth/l2cap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 0b54b7d..dc60205 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -2891,7 +2891,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
 	struct l2cap_chan_list *list = &conn->chan_list;
 	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
 	struct l2cap_conn_rsp rsp;
-	struct sock *parent, *uninitialized_var(sk);
+	struct sock *parent, *sk = NULL;
 	int result, status = L2CAP_CS_NO_INFO;
 
 	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
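Review bot: the uninitialized_var(sk) annotation on the removed declaration line suppressed the maybe-uninitialized warning that would have exposed this path, so `sk = NULL` is the right replacement, but the commit message should name the label consistently: it says "response" while the second hunk's context shows `sendresp:`. It is also worth checking whether `parent`, declared on the same line without an initializer, can reach that label unset.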
@@ -3000,7 +3000,7 @@ sendresp:
 					L2CAP_INFO_REQ, sizeof(info), &info);
 	}
 
-	if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+	if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
 				result == L2CAP_CR_SUCCESS) {
 		u8 buf[128];
 		l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
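Review bot: confirm that nothing between `sendresp:` and this `if` dereferences sk, since those lines are outside the hunk and the added `sk &&` guard only covers the two l2cap_pi(sk) uses shown here (the conf_state test and the `|= L2CAP_CONF_REQ_SENT` in the body). If sk can be NULL only when result is not L2CAP_CR_SUCCESS, putting the `result == L2CAP_CR_SUCCESS` test first would state the intent more directly; keeping the explicit NULL check alongside it is fine.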
-- 
1.7.3.1



* Re: [PATCH 0/1] Bluetooth: fix crash in L2CAP
  2010-10-21  5:19 [PATCH 0/1] Bluetooth: fix crash in L2CAP Gustavo F. Padovan
  2010-10-21  5:19 ` [PATCH 1/1] Bluetooth: fix oops in l2cap_connect_req Gustavo F. Padovan
@ 2010-10-21 13:35 ` Greg KH
  2010-10-25 11:15   ` Gustavo F. Padovan
  1 sibling, 1 reply; 5+ messages in thread
From: Greg KH @ 2010-10-21 13:35 UTC (permalink / raw)
  To: Gustavo F. Padovan; +Cc: linux-bluetooth, stable, linux-kernel

On Thu, Oct 21, 2010 at 03:19:52AM -0200, Gustavo F. Padovan wrote:
> Hi Greg,
> 
> The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
> and we didn't have time to put it into 2.6.36. It fixes a serious crash in
> the L2CAP layer. The issue isn't in 2.6.35 and below.

It needs to get into Linus's tree before I can accept it into the
-stable trees.  Please get it there and then send stable@kernel.org the
git commit id and I will add it.

Instructions on how to do this are in the file,
Documentation/stable_kernel_rules.txt.  Please read that for how to
properly do this.

thanks,

greg k-h


* Re: [PATCH 0/1] Bluetooth: fix crash in L2CAP
  2010-10-21 13:35 ` [PATCH 0/1] Bluetooth: fix crash in L2CAP Greg KH
@ 2010-10-25 11:15   ` Gustavo F. Padovan
  2010-10-29 22:05     ` [stable] " Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: Gustavo F. Padovan @ 2010-10-25 11:15 UTC (permalink / raw)
  To: Greg KH; +Cc: linux-bluetooth, stable, linux-kernel

Hi Greg,

* Greg KH <greg@kroah.com> [2010-10-21 06:35:07 -0700]:

> On Thu, Oct 21, 2010 at 03:19:52AM -0200, Gustavo F. Padovan wrote:
> > Hi Greg,
> > 
> > The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
> > and we didn't have time to put it into 2.6.36. It fixes a serious crash in
> > the L2CAP layer. The issue isn't in 2.6.35 and below.
> 
> It needs to get into Linus's tree before I can accept it into the
> -stable trees.  Please get it there and then send stable@kernel.org the
> git commit id and I will add it.

It is now on Linus' tree, sorry for doing this wrong the first time. It was
my first report to stable. ;)

commit d793fe8caa3911e6a1e826b45d4ee00d250cdec8

-- 
Gustavo F. Padovan
ProFUSION embedded systems - http://profusion.mobi


* Re: [stable] [PATCH 0/1] Bluetooth: fix crash in L2CAP
  2010-10-25 11:15   ` Gustavo F. Padovan
@ 2010-10-29 22:05     ` Greg KH
  0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2010-10-29 22:05 UTC (permalink / raw)
  To: Gustavo F. Padovan; +Cc: linux-bluetooth, stable, linux-kernel

On Mon, Oct 25, 2010 at 09:15:30AM -0200, Gustavo F. Padovan wrote:
> Hi Greg,
> 
> * Greg KH <greg@kroah.com> [2010-10-21 06:35:07 -0700]:
> 
> > On Thu, Oct 21, 2010 at 03:19:52AM -0200, Gustavo F. Padovan wrote:
> > > Hi Greg,
> > > 
> > > The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
> > > and we didn't have time to put it into 2.6.36. It fixes a serious crash in
> > > the L2CAP layer. The issue isn't in 2.6.35 and below.
> > 
> > It needs to get into Linus's tree before I can accept it into the
> > -stable trees.  Please get it there and then send stable@kernel.org the
> > git commit id and I will add it.
> 
> It is now on Linus' tree, sorry for doing this wrong the first time. It was
> my first report to stable. ;)

No problem.

> commit d793fe8caa3911e6a1e826b45d4ee00d250cdec8

Now queued up, thanks.

greg k-h

