lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <4FBB8544.3040408@samsung.com>
Date:	Tue, 22 May 2012 21:23:32 +0900
From:	Chanyeol Park <chanyeol.park@...sung.com>
To:	Minho Ban <mhban@...sung.com>
Cc:	Gustavo Padovan <gustavo@...ovan.org>,
	Marcel Holtmann <marcel@...tmann.org>,
	Johan Hedberg <johan.hedberg@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [RFC/PATCH] Bluetooth: prevent double l2cap_chan_destroy

Hi

On 2012년 05월 22일 11:50, Minho Ban wrote:
> @@ -1343,10 +1343,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
>                  l2cap_chan_lock(chan);
>
>                  l2cap_chan_del(chan, err);
> +               chan->ops->close(chan->data);
>
>                  l2cap_chan_unlock(chan);
>
> -               chan->ops->close(chan->data);
>                  l2cap_chan_put(chan);
>          }
I think this patch does not make sense Because inside chan->ops->close() 
"chan" could be freed in the l2cap_chan_destroy().

> close callback must locate within chan_lock unless it can be scheduled to other thread
> which may wait for chan_lock in l2cap_sock_shutdown and this lead to duplicate sock_kill.
>
>   static void l2cap_sock_kill(struct sock *sk)
>   {
> -       if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
> +       if (!sock_flag(sk, SOCK_ZAPPED) || sock_flag(sk, SOCK_DEAD) ||
> +                       sk->sk_socket)
>                  return;
>
>          BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
>
> Duplicate sock_kill may happen anyway, need test SOCK_DEAD if chan_destroy is already called.
Even l2cap_sock_kill() is called twice, " if (!sock_flag(sk, 
SOCK_ZAPPED) || sk->sk_socket)" can't filter it.
I tested Mr.ban case. it works fine with me.

BR
Chanyeol Park.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ