* [PATCH 0/1] Bluetooth: fix crash in L2CAP
From: Gustavo F. Padovan @ 2010-10-21 5:19 UTC
To: greg, linux-bluetooth; +Cc: stable, linux-kernel

Hi Greg,

The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
and we didn't have time to put it into 2.6.36. It fixes a serious crash in
the L2CAP layer. The issue isn't in 2.6.35 and below.

Thanks.

Nathan Holstein (1):
  Bluetooth: fix oops in l2cap_connect_req

 net/bluetooth/l2cap.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

-- 
1.7.3.1

* [PATCH 1/1] Bluetooth: fix oops in l2cap_connect_req 2010-10-21 5:19 [PATCH 0/1] Bluetooth: fix crash in L2CAP Gustavo F. Padovan @ 2010-10-21 5:19 ` Gustavo F. Padovan 2010-10-21 13:35 ` [PATCH 0/1] Bluetooth: fix crash in L2CAP Greg KH 1 sibling, 0 replies; 5+ messages in thread From: Gustavo F. Padovan @ 2010-10-21 5:19 UTC (permalink / raw) To: greg, linux-bluetooth; +Cc: stable, linux-kernel, Nathan Holstein From: Nathan Holstein <nathan.holstein@gmail.com> In error cases when the ACL is insecure or we fail to allocate a new struct sock, we jump to the "response" label. If so, "sk" will be null and the kernel crashes. Signed-off-by: Nathan Holstein <nathan.holstein@gmail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> --- net/bluetooth/l2cap.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 0b54b7d..dc60205 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -2891,7 +2891,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd struct l2cap_chan_list *list = &conn->chan_list; struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; - struct sock *parent, *uninitialized_var(sk); + struct sock *parent, *sk = NULL; int result, status = L2CAP_CS_NO_INFO; u16 dcid = 0, scid = __le16_to_cpu(req->scid); @@ -3000,7 +3000,7 @@ sendresp: L2CAP_INFO_REQ, sizeof(info), &info); } - if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) && + if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) && result == L2CAP_CR_SUCCESS) { u8 buf[128]; l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT; -- 1.7.3.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
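Review bot: in the declaration hunk of l2cap_connect_req (@@ -2891), the removed uninitialized_var(sk) was only suppressing the compiler's may-be-used-uninitialized warning, so the warning that would have pointed at this bug never fired; the commit message should say that. Initialising sk to NULL is also what makes the later "sk &&" test meaningful, so the two hunks have to be backported together.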
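Review bot: in the sendresp hunk (@@ -3000), the new "sk &&" test guards only this one condition. The commit message says the error paths arrive here with sk NULL, so any other use of sk after the label needs the same guard or an early exit, which the visible context cannot confirm. The message also calls the label "response" while the hunk header shows "sendresp:"; use the real label name so the text can be matched against the source.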
* Re: [PATCH 0/1] Bluetooth: fix crash in L2CAP
From: Greg KH @ 2010-10-21 13:35 UTC
To: Gustavo F. Padovan; +Cc: linux-bluetooth, stable, linux-kernel

On Thu, Oct 21, 2010 at 03:19:52AM -0200, Gustavo F. Padovan wrote:
> Hi Greg,
>
> The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
> and we didn't have time to put it into 2.6.36. It fixes a serious crash in
> the L2CAP layer. The issue isn't in 2.6.35 and below.

It needs to get into Linus's tree before I can accept it into the
-stable trees. Please get it there and then send stable@kernel.org the
git commit id and I will add it.

Instructions on how to do this are in the file,
Documentation/stable_kernel_rules.txt. Please read that for how to
properly do this.

thanks,

greg k-h

* Re: [PATCH 0/1] Bluetooth: fix crash in L2CAP
From: Gustavo F. Padovan @ 2010-10-25 11:15 UTC
To: Greg KH; +Cc: linux-bluetooth, stable, linux-kernel

Hi Greg,

* Greg KH <greg@kroah.com> [2010-10-21 06:35:07 -0700]:

> On Thu, Oct 21, 2010 at 03:19:52AM -0200, Gustavo F. Padovan wrote:
> > Hi Greg,
> >
> > The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
> > and we didn't have time to put it into 2.6.36. It fixes a serious crash in
> > the L2CAP layer. The issue isn't in 2.6.35 and below.
>
> It needs to get into Linus's tree before I can accept it into the
> -stable trees. Please get it there and then send stable@kernel.org the
> git commit id and I will add it.

It is now on Linus' tree, sorry for doing this wrong first time. It was
my first report to stable. ;)

commit d793fe8caa3911e6a1e826b45d4ee00d250cdec8

-- 
Gustavo F. Padovan
ProFUSION embedded systems - http://profusion.mobi

* Re: [stable] [PATCH 0/1] Bluetooth: fix crash in L2CAP
From: Greg KH @ 2010-10-29 22:05 UTC
To: Gustavo F. Padovan; +Cc: linux-bluetooth, stable, linux-kernel

On Mon, Oct 25, 2010 at 09:15:30AM -0200, Gustavo F. Padovan wrote:
> Hi Greg,
>
> * Greg KH <greg@kroah.com> [2010-10-21 06:35:07 -0700]:
>
> > On Thu, Oct 21, 2010 at 03:19:52AM -0200, Gustavo F. Padovan wrote:
> > > Hi Greg,
> > >
> > > The following patch is good for 2.6.36.1. It arrived too late in linux-bluetooth
> > > and we didn't have time to put it into 2.6.36. It fixes a serious crash in
> > > the L2CAP layer. The issue isn't in 2.6.35 and below.
> >
> > It needs to get into Linus's tree before I can accept it into the
> > -stable trees. Please get it there and then send stable@kernel.org the
> > git commit id and I will add it.
>
> It is now on Linus' tree, sorry for doing this wrong first time. It was
> my first report to stable. ;)

No problem.

> commit d793fe8caa3911e6a1e826b45d4ee00d250cdec8

Now queued up, thanks.

greg k-h