| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <4FBAE9FE.9030807@samsung.com> Date: Tue, 22 May 2012 10:21:02 +0900 From: Minho Ban <mhban@...sung.com> To: Gustavo Padovan <gustavo@...ovan.org>, Marcel Holtmann <marcel@...tmann.org>, Johan Hedberg <johan.hedberg@...il.com>, "David S. Miller" <davem@...emloft.net>, linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] Bluetooth: Fix null pointer dereference in l2cap_chan_send On 05/22/2012 01:17 AM, Gustavo Padovan wrote: > Hi Minho, > > * Minho Ban <mhban@...sung.com> [2012-05-21 09:58:19 +0900]: > >> If l2cap_chan_send is called will null conn it will cause kernel Oops. >> This patch checks if conn is valid before entering l2cap_chan_send. > > chan->conn should be always valid, and if not we have a bug somewhere else in > the code and not in l2cap_chan_send(). It could be a locking problem maybe. > Also check if you can reproduce this with latest bluetooth-next. > > Gustavo > Thanks for comment. I'm using bluetooth-next backporting to kernel 3.0 I wonder how do we guarantee chan->conn is valid if other thread release chan->lock just after exit l2cap_chan_del. It seem l2cap_chan_del is well protected with various mutex (eg, sk, conn, chan) but that may not enough to prevent lock waiters from accessing object. Regards, Minho Ban -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists