lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <131B7D29-1085-4DDC-8DC9-A2ABE533BEC4@holtmann.org>
Date:   Mon, 4 Feb 2019 15:53:16 +0100
From:   Marcel Holtmann <marcel@...tmann.org>
To:     Myungho Jung <mhjungk@...il.com>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        linux-bluetooth@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Bluetooth: Fix decrementing reference count twice in
 releasing socket

Hi Myungho,

> When releasing socket, it is possible to enter hci_sock_release() and
> hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
> The reference count of hdev should be decremented only once from one of
> them but if storing hdev to local variable in hci_sock_release() before
> detached from socket and setting to NULL in hci_sock_dev_event(),
> hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
> referencing hdev from socket after bt_sock_unlink() in
> hci_sock_release().
> 
> Reported-by: syzbot+fdc00003f4efff43bc5b@...kaller.appspotmail.com
> Signed-off-by: Myungho Jung <mhjungk@...il.com>
> ---
> net/bluetooth/hci_sock.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ