Open Source and information security mailing list archives
Date: Sat, 07 Jul 2007 14:58:39 -0400
From: David Woodhouse <dwmw2@...radead.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Marcel Holtmann <marcel@...tmann.org>, Jiri Kosina <jkosina@...e.cz>, Dmitry Torokhov <dtor@...ightbb.com>, Michal Piotrowski <michal.k.k.piotrowski@...il.com>, LKML <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org>, Greg KH <greg@...ah.com>
Subject: [PATCH] Fix use-after-free oops in Bluetooth HID.

When cleaning up HIDP sessions, we currently close the ACL connection before deregistering the input device. Closing the ACL connection schedules a workqueue to remove the associated objects from sysfs, but the input device still refers to them -- and if the workqueue happens to run before the input device removal, the kernel will oops when trying to look up PHYSDEVPATH for the removed input device.

Fix this by deregistering the input device before closing the connections.

Signed-off-by: David Woodhouse <dwmw2@...radead.org>
Signed-off-by: Marcel Holtmann <marcel@...tmann.org>

--- net/bluetooth/hidp/core.c~ 2007-07-06 21:34:25.000000000 -0400 +++ net/bluetooth/hidp/core.c 2007-07-06 22:06:48.000000000 -0400 @@ -581,15 +581,6 @@ static int hidp_session(void *arg) hidp_del_timer(session); - fput(session->intr_sock->file); - - wait_event_timeout(*(ctrl_sk->sk_sleep), - (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500)); - - fput(session->ctrl_sock->file); - - __hidp_unlink_session(session); - if (session->input) { input_unregister_device(session->input); session->input = NULL; 
@@ -601,6 +592,15 @@ static int hidp_session(void *arg) hid_free_device(session->hid); } + fput(session->intr_sock->file); + + wait_event_timeout(*(ctrl_sk->sk_sleep), + (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500)); + + fput(session->ctrl_sock->file); + + __hidp_unlink_session(session); + up_write(&hidp_session_sem); kfree(session);
-- 
dwmw2
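Review bot: in the first hunk (`@@ -581,15 +581,6 @@`), once the `fput(session->intr_sock->file)` / `wait_event_timeout(...)` / `__hidp_unlink_session(session)` block is removed from before `if (session->input)`, the session remains on the session list and both socket files remain open while `input_unregister_device(session->input)` runs; that is only safe because the teardown is still inside the `hidp_session_sem` write section that `up_write(&hidp_session_sem)` closes at the end of the function, and nothing in the hunk says so. A one-line comment above `hidp_del_timer(session)` stating that the input device must be unregistered before the sockets are released (and why, per the commit message) would stop a later cleanup reordering from silently reintroducing the oops.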
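Review bot: in the second hunk (`@@ -601,6 +592,15 @@`), the relocated `wait_event_timeout(*(ctrl_sk->sk_sleep), (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500))` still discards its return value, so if the control channel has not reached BT_CLOSED within 500 ms the code proceeds to `fput(session->ctrl_sock->file)` and `__hidp_unlink_session(session)` regardless. That behaviour is unchanged by the move, but now that the wait sits after `hid_free_device(session->hid)` and immediately before `up_write(&hidp_session_sem)` / `kfree(session)`, either checking the result (a debug message on timeout would do) or a comment saying the wait is best-effort would make the intended ordering explicit in the code rather than only in the commit message.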