| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <0E9D2620-A821-410F-9DED-4465568F6701@holtmann.org>
Date: Tue, 13 Apr 2021 20:40:45 +0200
From: Marcel Holtmann <marcel@...tmann.org>
To: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
Cc: "open list:BLUETOOTH DRIVERS" <linux-bluetooth@...r.kernel.org>,
netdev <netdev@...r.kernel.org>,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>, isdn@...ux-pingi.de,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>
Subject: Re: [PATCH] net: bluetooth: cmtp: fix file refcount when
cmtp_attach_device fails
Hi Thadeu,
> When cmtp_attach_device fails, cmtp_add_connection returns the error value
> which leads to the caller to doing fput through sockfd_put. But
> cmtp_session kthread, which is stopped in this path will also call fput,
> leading to a potential refcount underflow or a use-after-free.
>
> Add a refcount before we signal the kthread to stop. The kthread will try
> to grab the cmtp_session_sem mutex before doing the fput, which is held
> when get_file is called, so there should be no races there.
>
> Reported-by: Ryota Shiga
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
> ---
> net/bluetooth/cmtp/core.c | 5 +++++
> 1 file changed, 5 insertions(+)
Patch has been applied to bluetooth-next tree.
Regards
Marcel
Powered by blists - more mailing lists