* [kernel PATCH v1] Bluetooth: L2CAP: Fix use-after-free
@ 2023-05-25 0:04 Zhengping Jiang
2023-05-26 22:50 ` patchwork-bot+bluetooth
0 siblings, 1 reply; 2+ messages in thread
From: Zhengping Jiang @ 2023-05-25 0:04 UTC (permalink / raw)
To: linux-bluetooth, marcel, luiz.dentz
Cc: chromeos-bluetooth-upstreaming, Zhengping Jiang, David S. Miller,
Eric Dumazet, Jakub Kicinski, Johan Hedberg, Paolo Abeni,
linux-kernel, netdev
Fix potential use-after-free in l2cap_le_command_rej.
Signed-off-by: Zhengping Jiang <jiangzp@google.com>
---
Changes in v1:
- Use l2cap_chan_hold_unless_zero to prevent adding refcnt when it is
already 0.
net/bluetooth/l2cap_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 376b523c7b26..19b0b1f7ffed 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6361,9 +6361,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn,
if (!chan)
goto done;
+ chan = l2cap_chan_hold_unless_zero(chan);
+ if (!chan)
+ goto done;
+
l2cap_chan_lock(chan);
l2cap_chan_del(chan, ECONNREFUSED);
l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
done:
mutex_unlock(&conn->chan_lock);
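Review bot: the added l2cap_chan_hold_unless_zero() call right after the existing `if (!chan)` lookup check carries no comment, and the commit message only says "potential use-after-free" without naming what can free the channel, so a reader cannot tell what the hold/put pair protects. If the concern is that l2cap_chan_del(chan, ECONNREFUSED) can drop the last reference before l2cap_chan_unlock(chan) touches the channel, state that in a one-line comment above the hold and in the commit message. A Fixes: tag would help stable backports, and the "Changes in v1" entry reads like a changelog against an earlier posting, which is confusing on a v1.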
--
2.40.1.698.g37aff9b760-goog
* Re: [kernel PATCH v1] Bluetooth: L2CAP: Fix use-after-free
2023-05-25 0:04 [kernel PATCH v1] Bluetooth: L2CAP: Fix use-after-free Zhengping Jiang
@ 2023-05-26 22:50 ` patchwork-bot+bluetooth
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+bluetooth @ 2023-05-26 22:50 UTC (permalink / raw)
To: Zhengping Jiang
Cc: linux-bluetooth, marcel, luiz.dentz,
chromeos-bluetooth-upstreaming, davem, edumazet, kuba,
johan.hedberg, pabeni, linux-kernel, netdev
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 24 May 2023 17:04:15 -0700 you wrote:
> Fix potential use-after-free in l2cap_le_command_rej.
>
> Signed-off-by: Zhengping Jiang <jiangzp@google.com>
> ---
>
> Changes in v1:
> - Use l2cap_chan_hold_unless_zero to prevent adding refcnt when it is
> already 0.
>
> [...]
Here is the summary with links:
- [kernel,v1] Bluetooth: L2CAP: Fix use-after-free
https://git.kernel.org/bluetooth/bluetooth-next/c/a088d769ef3a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html