q3k/linux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux/net/bluetooth
History
Andrei Emeltchenko 3c4e0df028 Bluetooth: Use list _safe deleting from conn_hash_list 
Use list_for_each_entry_safe which is safe version against removal
of list entry. Otherwise we remove hci_conn element and reference
next element which result in accessing LIST_POISON.

[   95.571834] Bluetooth: unknown link type 127
[   95.578349] BUG: unable to handle kernel paging request at 20002000
[   95.580236] IP: [<20002000>] 0x20001fff
[   95.580763] *pde = 00000000
[   95.581196] Oops: 0000 [#1] SMP
...
[   95.582298] Pid: 3355, comm: hciconfig Tainted: G   O 3.2.0-VirttualBox
[   95.582298] EIP: 0060:[<20002000>] EFLAGS: 00210206 CPU: 0
[   95.582298] EIP is at 0x20002000
...
[   95.582298] Call Trace:
[   95.582298]  [<f8231ab6>] ? hci_conn_hash_flush+0x76/0xf0 [bluetooth]
[   95.582298]  [<f822bcb1>] hci_dev_do_close+0xc1/0x2e0 [bluetooth]
[   95.582298]  [<f822d679>] ? hci_dev_get+0x69/0xb0 [bluetooth]
[   95.582298]  [<f822e1da>] hci_dev_close+0x2a/0x50 [bluetooth]
[   95.582298]  [<f824102f>] hci_sock_ioctl+0x1af/0x3f0 [bluetooth]
[   95.582298]  [<c11153ea>] ? handle_pte_fault+0x8a/0x8f0
[   95.582298]  [<c146becf>] sock_ioctl+0x5f/0x260
[   95.582298]  [<c146be70>] ? sock_fasync+0x90/0x90
[   95.582298]  [<c1152b33>] do_vfs_ioctl+0x83/0x5b0
[   95.582298]  [<c1563f87>] ? do_page_fault+0x297/0x500
[   95.582298]  [<c1563cf0>] ? spurious_fault+0xd0/0xd0
[   95.582298]  [<c107165b>] ? up_read+0x1b/0x30
[   95.582298]  [<c1563f87>] ? do_page_fault+0x297/0x500
[   95.582298]  [<c100aa9f>] ? init_fpu+0xef/0x160
[   95.582298]  [<c15617c0>] ? do_debug+0x180/0x180
[   95.582298]  [<c100a958>] ? fpu_finit+0x28/0x80
[   95.582298]  [<c11530e7>] sys_ioctl+0x87/0x90
[   95.582298]  [<c156795f>] sysenter_do_call+0x12/0x38
...

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2012-02-13 17:01:32 +02:00
..
bnep Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2012-01-03 15:16:34 -05:00
cmtp Bluetooth: Always compile SCO and L2CAP in Bluetooth Core 2011-12-21 02:21:08 -02:00
hidp Bluetooth: Always compile SCO and L2CAP in Bluetooth Core 2011-12-21 02:21:08 -02:00
rfcomm Bluetooth: Fix RFCOMM session reference counting issue 2012-02-13 17:01:31 +02:00
af_bluetooth.c Bluetooth: silence lockdep warning 2012-02-13 17:01:29 +02:00
hci_conn.c Bluetooth: Use list _safe deleting from conn_hash_list 2012-02-13 17:01:32 +02:00
hci_core.c Bluetooth: Use GFP_KERNEL in hci_add_adv_entry() 2012-02-13 17:01:31 +02:00
hci_event.c Bluetooth: Fix clearing of debug and linkkey flags 2012-02-13 17:01:32 +02:00
hci_sock.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-next 2012-01-10 15:44:17 -05:00
hci_sysfs.c Bluetooth: Correctly acquire module ref 2012-02-13 17:01:24 +02:00
Kconfig Bluetooth: Always compile SCO and L2CAP in Bluetooth Core 2011-12-21 02:21:08 -02:00
l2cap_core.c Bluetooth: Fix possible use after free in delete path 2012-02-13 17:01:30 +02:00
l2cap_sock.c Bluetooth: Add alloc_skb chan operator 2012-02-13 17:01:29 +02:00
lib.c Bluetooth: Add bt_printk 2011-06-30 19:17:12 -03:00
Makefile Bluetooth: Always compile SCO and L2CAP in Bluetooth Core 2011-12-21 02:21:08 -02:00
mgmt.c Bluetooth: mgmt: Implement Cancel Pair Device command 2012-02-13 17:01:32 +02:00
sco.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-next 2012-01-10 15:44:17 -05:00
smp.c Bluetooth: Fix invalid memory access when there's no SMP channel 2012-02-13 17:01:31 +02:00