Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v3.14.48 2014-09-17T16:19:23+00:00 2014-09-17T16:19:23+00:00 Vignesh Raman Vignesh_Raman@mentor.com 2014-07-22T13:54:25+00:00 urn:sha1:37fada67e1a24ae31c4a2717d81b5c311385d288 commit 32333edb82fb2009980eefc5518100068147ab82 upstream. The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905 "Bluetooth: Return RFCOMM session ptrs to avoid freed session" allow rfcomm_recv_ua and rfcomm_session_close to delete the session (and free the corresponding socket) and propagate NULL session pointer to the upper callers. Additional fix is required to terminate the loop in rfcomm_process_rx function to avoid use of freed 'sk' memory. The issue is only reproducible with kernel option CONFIG_PAGE_POISONING enabled making freed memory being changed and filled up with fixed char value used to unmask use-after-free issues. Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com> Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com> Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-11-15T19:18:45+00:00 John W. Linville linville@tuxdriver.com 2013-11-15T19:18:45+00:00 urn:sha1:32019c739c95d056575e0bb2381f2846c0c49944 2013-11-13T13:36:53+00:00 Seung-Woo Kim sw0312.kim@samsung.com 2013-11-05T08:15:42+00:00 urn:sha1:8992da099332db896144465a01ad636f58bdebd9 L2CAP socket validates proper bdaddr_type for connect, so this patch fixes to set explictly bdaddr_type for RFCOMM connect. Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2013-11-13T13:36:53+00:00 Seung-Woo Kim sw0312.kim@samsung.com 2013-11-05T07:02:24+00:00 urn:sha1:c507f138fc7c2025d75b65018810dc0561d0bdb9 L2CAP socket bind checks its bdaddr type but RFCOMM kernel thread does not assign proper bdaddr type for L2CAP sock. This can cause that RFCOMM failure. Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2013-10-18T07:45:19+00:00 Marcel Holtmann marcel@holtmann.org 2013-10-18T00:24:16+00:00 urn:sha1:1120e4bfa5f9c28cb55d815ab3c6bed81dfc595c Make sure to use IS_ERR_OR_NULL for checking the existing of the root debugfs dentry bt_debugfs. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> 2013-10-13T17:00:28+00:00 Marcel Holtmann marcel@holtmann.org 2013-10-13T16:49:54+00:00 urn:sha1:24bc10cad3a76a4fc0f96a7220d4fe02379826d2 The L2CAP socket structure does not contain the address information anymore. They need to be accessed through the L2CAP channel. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> 2013-03-20T17:17:52+00:00 Wei Yongjun yongjun_wei@trendmicro.com.cn 2013-03-20T12:23:37+00:00 urn:sha1:0227c7b56959cd8f5edd20b6a47db86fa553e91a Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk> 2013-03-08T13:40:25+00:00 Dean Jenkins Dean_Jenkins@mentor.com 2013-02-28T14:21:58+00:00 urn:sha1:24fd642ccb24c8b5732d7d7b5e98277507860b2a rfcomm_session_close() sets the RFCOMM session state to BT_CLOSED. However, in multiple places immediately before the function is called, the RFCOMM session is set to BT_CLOSED. Therefore, remove these unnecessary state settings. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk> 2013-03-08T13:40:25+00:00 Dean Jenkins Dean_Jenkins@mentor.com 2013-02-28T14:21:57+00:00 urn:sha1:8e888f2783384ec097bc0c88d9949776f3584ed3 In rfcomm_session_del() remove the redundant call to rfcomm_send_disc() because it is not possible for the session to be in BT_CONNECTED state during deletion of the session. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk> 2013-03-08T13:40:24+00:00 Dean Jenkins Dean_Jenkins@mentor.com 2013-02-28T14:21:56+00:00 urn:sha1:08c30aca9e698faddebd34f81e1196295f9dc063 Previous commits have improved the handling of the RFCOMM session timer and the RFCOMM session pointers such that freed RFCOMM session structures should no longer be erroneously accessed. The RFCOMM session refcnt now has no purpose and will be deleted by this commit. Note that the RFCOMM session is now deleted as soon as the RFCOMM control channel link is no longer required. This makes the lifetime of the RFCOMM session deterministic and absolute. Previously with the refcnt, there was uncertainty about when the session structure would be deleted because the relative refcnt prevented the session structure from being deleted at will. It was noted that the refcnt could malfunction under very heavy real-time processor loading in embedded SMP environments. This could cause premature RFCOMM session deletion or double session deletion that could result in kernel crashes. Removal of the refcnt prevents this issue. There are 4 connection / disconnection RFCOMM session scenarios: host initiated control link ---> host disconnected control link host initiated ctrl link ---> remote device disconnected ctrl link remote device initiated ctrl link ---> host disconnected ctrl link remote device initiated ctrl link ---> remote device disc'ed ctrl link The control channel connection procedures are independent of the disconnection procedures. Strangely, the RFCOMM session refcnt was applying special treatment so erroneously combining connection and disconnection events. This commit fixes this issue by removing some session code that used the "initiator" member of the session structure that was intended for use with the data channels. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>