From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Vinicius Costa Gomes <vinicius.gomes@openbossa.org>,
Frederic Dalleau <frederic.dalleau@intel.com>,
Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Subject: [ 05/68] Bluetooth: Fix not closing SCO sockets in the BT_CONNECT2 state
Date: Tue, 2 Apr 2013 15:12:54 -0700 [thread overview]
Message-ID: <20130402221330.547648340@linuxfoundation.org> (raw)
In-Reply-To: <20130402221329.915209206@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
commit eb20ff9c91ddcb2d55c1849a87d3db85af5e88a9 upstream.
With deferred setup for SCO, it is possible that userspace closes the
socket when it is in the BT_CONNECT2 state, after the Connect Request is
received but before the Accept Synchonous Connection is sent.
If this happens the following crash was observed, when the connection is
terminated:
[ +0.000003] hci_sync_conn_complete_evt: hci0 status 0x10
[ +0.000005] sco_connect_cfm: hcon ffff88003d1bd800 bdaddr 40:98:4e:32:d7:39 status 16
[ +0.000003] sco_conn_del: hcon ffff88003d1bd800 conn ffff88003cc8e300, err 110
[ +0.000015] BUG: unable to handle kernel NULL pointer dereference at 0000000000000199
[ +0.000906] IP: [<ffffffff810620dd>] __lock_acquire+0xed/0xe82
[ +0.000000] PGD 3d21f067 PUD 3d291067 PMD 0
[ +0.000000] Oops: 0002 [#1] SMP
[ +0.000000] Modules linked in: rfcomm bnep btusb bluetooth
[ +0.000000] CPU 0
[ +0.000000] Pid: 1481, comm: kworker/u:2H Not tainted 3.9.0-rc1-25019-gad82cdd #1 Bochs Bochs
[ +0.000000] RIP: 0010:[<ffffffff810620dd>] [<ffffffff810620dd>] __lock_acquire+0xed/0xe82
[ +0.000000] RSP: 0018:ffff88003c3c19d8 EFLAGS: 00010002
[ +0.000000] RAX: 0000000000000001 RBX: 0000000000000246 RCX: 0000000000000000
[ +0.000000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003d1be868
[ +0.000000] RBP: ffff88003c3c1a98 R08: 0000000000000002 R09: 0000000000000000
[ +0.000000] R10: ffff88003d1be868 R11: ffff88003e20b000 R12: 0000000000000002
[ +0.000000] R13: ffff88003aaa8000 R14: 000000000000006e R15: ffff88003d1be850
[ +0.000000] FS: 0000000000000000(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
[ +0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ +0.000000] CR2: 0000000000000199 CR3: 000000003c1cb000 CR4: 00000000000006b0
[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ +0.000000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ +0.000000] Process kworker/u:2H (pid: 1481, threadinfo ffff88003c3c0000, task ffff88003aaa8000)
[ +0.000000] Stack:
[ +0.000000] ffffffff81b16342 0000000000000000 0000000000000000 ffff88003d1be868
[ +0.000000] ffffffff00000000 00018c0c7863e367 000000003c3c1a28 ffffffff8101efbd
[ +0.000000] 0000000000000000 ffff88003e3d2400 ffff88003c3c1a38 ffffffff81007c7a
[ +0.000000] Call Trace:
[ +0.000000] [<ffffffff8101efbd>] ? kvm_clock_read+0x34/0x3b
[ +0.000000] [<ffffffff81007c7a>] ? paravirt_sched_clock+0x9/0xd
[ +0.000000] [<ffffffff81007fd4>] ? sched_clock+0x9/0xb
[ +0.000000] [<ffffffff8104fd7a>] ? sched_clock_local+0x12/0x75
[ +0.000000] [<ffffffff810632d1>] lock_acquire+0x93/0xb1
[ +0.000000] [<ffffffffa0022339>] ? spin_lock+0x9/0xb [bluetooth]
[ +0.000000] [<ffffffff8105f3d8>] ? lock_release_holdtime.part.22+0x4e/0x55
[ +0.000000] [<ffffffff814f6038>] _raw_spin_lock+0x40/0x74
[ +0.000000] [<ffffffffa0022339>] ? spin_lock+0x9/0xb [bluetooth]
[ +0.000000] [<ffffffff814f6936>] ? _raw_spin_unlock+0x23/0x36
[ +0.000000] [<ffffffffa0022339>] spin_lock+0x9/0xb [bluetooth]
[ +0.000000] [<ffffffffa00230cc>] sco_conn_del+0x76/0xbb [bluetooth]
[ +0.000000] [<ffffffffa002391d>] sco_connect_cfm+0x2da/0x2e9 [bluetooth]
[ +0.000000] [<ffffffffa000862a>] hci_proto_connect_cfm+0x38/0x65 [bluetooth]
[ +0.000000] [<ffffffffa0008d30>] hci_sync_conn_complete_evt.isra.79+0x11a/0x13e [bluetooth]
[ +0.000000] [<ffffffffa000cd96>] hci_event_packet+0x153b/0x239d [bluetooth]
[ +0.000000] [<ffffffff814f68ff>] ? _raw_spin_unlock_irqrestore+0x48/0x5c
[ +0.000000] [<ffffffffa00025f6>] hci_rx_work+0xf3/0x2e3 [bluetooth]
[ +0.000000] [<ffffffff8103efed>] process_one_work+0x1dc/0x30b
[ +0.000000] [<ffffffff8103ef83>] ? process_one_work+0x172/0x30b
[ +0.000000] [<ffffffff8103e07f>] ? spin_lock_irq+0x9/0xb
[ +0.000000] [<ffffffff8103fc8d>] worker_thread+0x123/0x1d2
[ +0.000000] [<ffffffff8103fb6a>] ? manage_workers+0x240/0x240
[ +0.000000] [<ffffffff81044211>] kthread+0x9d/0xa5
[ +0.000000] [<ffffffff81044174>] ? __kthread_parkme+0x60/0x60
[ +0.000000] [<ffffffff814f75bc>] ret_from_fork+0x7c/0xb0
[ +0.000000] [<ffffffff81044174>] ? __kthread_parkme+0x60/0x60
[ +0.000000] Code: d7 44 89 8d 50 ff ff ff 4c 89 95 58 ff ff ff e8 44 fc ff ff 44 8b 8d 50 ff ff ff 48 85 c0 4c 8b 95 58 ff ff ff 0f 84 7a 04 00 00 <f0> ff 80 98 01 00 00 83 3d 25 41 a7 00 00 45 8b b5 e8 05 00 00
[ +0.000000] RIP [<ffffffff810620dd>] __lock_acquire+0xed/0xe82
[ +0.000000] RSP <ffff88003c3c19d8>
[ +0.000000] CR2: 0000000000000199
[ +0.000000] ---[ end trace e73cd3b52352dd34 ]---
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Tested-by: Frederic Dalleau <frederic.dalleau@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/sco.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -378,6 +378,7 @@ static void __sco_sock_close(struct sock
sco_chan_del(sk, ECONNRESET);
break;
+ case BT_CONNECT2:
case BT_CONNECT:
case BT_DISCONN:
sco_chan_del(sk, ECONNRESET);
next prev parent reply other threads:[~2013-04-02 22:12 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-02 22:12 [ 00/68] 3.4.39-stable review Greg Kroah-Hartman
2013-04-02 22:12 ` [ 01/68] signal: Define __ARCH_HAS_SA_RESTORER so we know whether to clear sa_restorer Greg Kroah-Hartman
2013-04-02 22:12 ` [ 02/68] kernel/signal.c: use __ARCH_HAS_SA_RESTORER instead of SA_RESTORER Greg Kroah-Hartman
2013-04-02 22:12 ` [ 03/68] SUNRPC: Add barriers to ensure read ordering in rpc_wake_up_task_queue_locked Greg Kroah-Hartman
2013-04-02 22:12 ` [ 04/68] tile: expect new initramfs name from hypervisor file system Greg Kroah-Hartman
2013-04-02 22:12 ` Greg Kroah-Hartman [this message]
2013-04-02 22:12 ` [ 06/68] Bluetooth: Add support for Dell[QCA 0cf3:0036] Greg Kroah-Hartman
2013-04-02 22:12 ` [ 07/68] Bluetooth: Add support for Dell[QCA 0cf3:817a] Greg Kroah-Hartman
2013-04-02 22:12 ` [ 08/68] staging: comedi: s626: fix continuous acquisition Greg Kroah-Hartman
2013-04-02 22:12 ` [ 09/68] sysfs: fix race between readdir and lseek Greg Kroah-Hartman
2013-04-02 22:12 ` [ 10/68] sysfs: handle failure path correctly for readdir() Greg Kroah-Hartman
2013-04-02 22:13 ` [ 11/68] can: sja1000: fix define conflict on SH Greg Kroah-Hartman
2013-04-02 22:13 ` [ 12/68] ath9k_hw: revert chainmask to user configuration after calibration Greg Kroah-Hartman
2013-04-02 22:13 ` [ 13/68] HID: usbhid: quirk for Realtek Multi-card reader Greg Kroah-Hartman
2013-04-02 22:13 ` [ 14/68] rtlwifi: usb: add missing freeing of skbuff Greg Kroah-Hartman
2013-04-02 22:13 ` [ 15/68] b43: N-PHY: increase initial value of "mind" in RSSI calibration Greg Kroah-Hartman
2013-04-02 22:13 ` [ 16/68] b43: A fix for DMA transmission sequence errors Greg Kroah-Hartman
2013-04-02 22:13 ` [ 17/68] b43: N-PHY: use more bits for offset in RSSI calibration Greg Kroah-Hartman
2013-04-02 22:13 ` [ 18/68] tg3: fix length overflow in VPD firmware parsing Greg Kroah-Hartman
2013-04-02 22:13 ` [ 19/68] iommu/amd: Make sure dma_ops are set for hotplug devices Greg Kroah-Hartman
2013-04-02 22:13 ` [ 20/68] xen/blkback: correctly respond to unknown, non-native requests Greg Kroah-Hartman
2013-04-02 22:13 ` [ 21/68] xen-blkback: fix dispatch_rw_block_io() error path Greg Kroah-Hartman
2013-04-02 22:13 ` [ 22/68] tty: atmel_serial_probe(): index of atmel_ports[] fix Greg Kroah-Hartman
2013-04-02 22:13 ` [ 23/68] usb: ftdi_sio: Add support for Mitsubishi FX-USB-AW/-BD Greg Kroah-Hartman
2013-04-02 22:13 ` [ 24/68] vt: synchronize_rcu() under spinlock is not nice Greg Kroah-Hartman
2013-04-02 22:13 ` [ 25/68] mwifiex: cancel cmd timer and free curr_cmd in shutdown process Greg Kroah-Hartman
2013-04-08 18:01 ` Bing Zhao
2013-04-02 22:13 ` [ 26/68] pnfs-block: removing DM device maybe cause oops when call dev_remove Greg Kroah-Hartman
2013-04-02 22:13 ` [ 27/68] net/irda: add missing error path release_sock call Greg Kroah-Hartman
2013-04-02 22:13 ` [ 28/68] usb: xhci: Fix TRB transfer length macro used for Event TRB Greg Kroah-Hartman
2013-04-02 22:13 ` [ 29/68] Btrfs: fix race between mmap writes and compression Greg Kroah-Hartman
2013-04-02 22:13 ` [ 30/68] Btrfs: limit the global reserve to 512mb Greg Kroah-Hartman
2013-04-02 22:13 ` [ 31/68] Btrfs: dont drop path when printing out tree errors in scrub Greg Kroah-Hartman
2013-04-02 22:13 ` [ 32/68] usb: gadget: udc-core: fix a regression during gadget driver unbinding Greg Kroah-Hartman
2013-04-02 22:13 ` [ 33/68] loop: prevent bdev freeing while device in use Greg Kroah-Hartman
2013-04-02 22:13 ` [ 34/68] ARM: cns3xxx: fix mapping of private memory region Greg Kroah-Hartman
2013-04-02 22:13 ` [ 35/68] nfsd4: reject "negative" acl lengths Greg Kroah-Hartman
2013-04-02 22:13 ` [ 36/68] drm/i915: Dont clobber crtc->fb when queue_flip fails Greg Kroah-Hartman
2013-04-02 22:13 ` [ 37/68] Btrfs: fix space leak when we fail to reserve metadata space Greg Kroah-Hartman
2013-04-02 22:13 ` [ 38/68] efivars: explicitly calculate length of VariableName Greg Kroah-Hartman
2013-04-02 22:13 ` [ 39/68] efivars: Handle duplicate names from get_next_variable() Greg Kroah-Hartman
2013-04-02 22:13 ` [ 40/68] ext4: convert number of blocks to clusters properly Greg Kroah-Hartman
2013-04-02 22:13 ` [ 41/68] ext4: use atomic64_t for the per-flexbg free_clusters count Greg Kroah-Hartman
2013-04-02 22:13 ` [ 42/68] tracing: Protect tracer flags with trace_types_lock Greg Kroah-Hartman
2013-04-02 22:13 ` [ 43/68] tracing: Prevent buffer overwrite disabled for latency tracers Greg Kroah-Hartman
2013-04-02 22:13 ` [ 44/68] net: remove a WARN_ON() in net_enable_timestamp() Greg Kroah-Hartman
2013-04-02 22:13 ` [ 45/68] sky2: Receive Overflows not counted Greg Kroah-Hartman
2013-04-02 22:13 ` [ 46/68] sky2: Threshold for Pause Packet is set wrong Greg Kroah-Hartman
2013-04-02 22:13 ` [ 47/68] tcp: preserve ACK clocking in TSO Greg Kroah-Hartman
2013-04-02 22:13 ` [ 48/68] tcp: undo spurious timeout after SACK reneging Greg Kroah-Hartman
2013-04-02 22:13 ` [ 49/68] 8021q: fix a potential use-after-free Greg Kroah-Hartman
2013-04-02 22:13 ` [ 50/68] thermal: shorten too long mcast group name Greg Kroah-Hartman
2013-04-02 22:13 ` [ 51/68] unix: fix a race condition in unix_release() Greg Kroah-Hartman
2013-04-02 22:13 ` [ 52/68] af_unix: dont send SCM_CREDENTIAL when dest socket is NULL Greg Kroah-Hartman
2013-04-02 22:13 ` [ 53/68] bonding: remove already created master sysfs link on failure Greg Kroah-Hartman
2013-04-02 22:13 ` [ 54/68] bonding: fix miimon and arp_interval delayed work race conditions Greg Kroah-Hartman
2013-04-02 22:13 ` [ 55/68] bonding: fix disabling of arp_interval and miimon Greg Kroah-Hartman
2013-04-02 22:13 ` [ 56/68] drivers: net: ethernet: davinci_emac: use netif_wake_queue() while restarting tx queue Greg Kroah-Hartman
2013-04-02 22:13 ` [ 57/68] drivers: net: ethernet: cpsw: " Greg Kroah-Hartman
2013-04-02 22:13 ` [ 58/68] net: fix *_DIAG_MAX constants Greg Kroah-Hartman
2013-04-02 22:13 ` [ 59/68] aoe: reserve enough headroom on skbs Greg Kroah-Hartman
2013-04-02 22:13 ` [ 60/68] atl1e: drop pci-msi support because of packet corruption Greg Kroah-Hartman
2013-04-02 22:13 ` [ 61/68] DM9000B: driver initialization upgrade Greg Kroah-Hartman
2013-04-02 22:13 ` [ 62/68] ipv6: dont accept multicast traffic with scope 0 Greg Kroah-Hartman
2013-04-02 22:13 ` [ 63/68] ipv6: fix bad free of addrconf_init_net Greg Kroah-Hartman
2013-04-02 22:13 ` [ 64/68] ipv6: dont accept node local multicast traffic from the wire Greg Kroah-Hartman
2013-04-02 22:13 ` [ 65/68] ks8851: Fix interpretation of rxlen field Greg Kroah-Hartman
2013-04-02 22:13 ` [ 66/68] net: add a synchronize_net() in netdev_rx_handler_unregister() Greg Kroah-Hartman
2013-04-02 22:13 ` [ 67/68] pch_gbe: fix ip_summed checksum reporting on rx Greg Kroah-Hartman
2013-04-02 22:13 ` [ 68/68] smsc75xx: fix jumbo frame support Greg Kroah-Hartman
2013-04-03 15:19 ` [ 00/68] 3.4.39-stable review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130402221330.547648340@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=frederic.dalleau@intel.com \
--cc=gustavo.padovan@collabora.co.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vinicius.gomes@openbossa.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).