netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [patch] Bluetooth: 6lowpan: use after free in disconnect_devices()
@ 2014-10-29 16:10 Dan Carpenter
  2014-10-30  7:54 ` Jukka Rissanen
  2014-10-30 16:24 ` Marcel Holtmann
  0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2014-10-29 16:10 UTC (permalink / raw)
  To: Marcel Holtmann
  Cc: Gustavo Padovan, Johan Hedberg, David S. Miller, linux-bluetooth,
	netdev, linux-kernel, kernel-janitors

This was accidentally changed from list_for_each_entry_safe() to
list_for_each_entry() so now it has a use after free bug.  I've changed
it back.

Fixes: 90305829635d ('Bluetooth: 6lowpan: Converting rwlocks to use RCU')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 7254bdd..eef298d 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -1383,7 +1383,7 @@ static const struct file_operations lowpan_control_fops = {
 
 static void disconnect_devices(void)
 {
-	struct lowpan_dev *entry, *new_dev;
+	struct lowpan_dev *entry, *tmp, *new_dev;
 	struct list_head devices;
 
 	INIT_LIST_HEAD(&devices);
@@ -1408,7 +1408,7 @@ static void disconnect_devices(void)
 
 	rcu_read_unlock();
 
-	list_for_each_entry(entry, &devices, list) {
+	list_for_each_entry_safe(entry, tmp, &devices, list) {
 		ifdown(entry->netdev);
 		BT_DBG("Unregistering netdev %s %p",
 		       entry->netdev->name, entry->netdev);

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [patch] Bluetooth: 6lowpan: use after free in disconnect_devices()
  2014-10-29 16:10 [patch] Bluetooth: 6lowpan: use after free in disconnect_devices() Dan Carpenter
@ 2014-10-30  7:54 ` Jukka Rissanen
  2014-10-30 16:24 ` Marcel Holtmann
  1 sibling, 0 replies; 3+ messages in thread
From: Jukka Rissanen @ 2014-10-30  7:54 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, David S. Miller,
	linux-bluetooth, netdev, linux-kernel, kernel-janitors

Hi Dan,

On ke, 2014-10-29 at 19:10 +0300, Dan Carpenter wrote:
> This was accidentally changed from list_for_each_entry_safe() to
> list_for_each_entry() so now it has a use after free bug.  I've changed
> it back.

Good catch! Thanks for the patch.

Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>

> 
> Fixes: 90305829635d ('Bluetooth: 6lowpan: Converting rwlocks to use RCU')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index 7254bdd..eef298d 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -1383,7 +1383,7 @@ static const struct file_operations lowpan_control_fops = {
>  
>  static void disconnect_devices(void)
>  {
> -	struct lowpan_dev *entry, *new_dev;
> +	struct lowpan_dev *entry, *tmp, *new_dev;
>  	struct list_head devices;
>  
>  	INIT_LIST_HEAD(&devices);
> @@ -1408,7 +1408,7 @@ static void disconnect_devices(void)
>  
>  	rcu_read_unlock();
>  
> -	list_for_each_entry(entry, &devices, list) {
> +	list_for_each_entry_safe(entry, tmp, &devices, list) {
>  		ifdown(entry->netdev);
>  		BT_DBG("Unregistering netdev %s %p",
>  		       entry->netdev->name, entry->netdev);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Cheers,
Jukka

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [patch] Bluetooth: 6lowpan: use after free in disconnect_devices()
  2014-10-29 16:10 [patch] Bluetooth: 6lowpan: use after free in disconnect_devices() Dan Carpenter
  2014-10-30  7:54 ` Jukka Rissanen
@ 2014-10-30 16:24 ` Marcel Holtmann
  1 sibling, 0 replies; 3+ messages in thread
From: Marcel Holtmann @ 2014-10-30 16:24 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Gustavo F. Padovan, Johan Hedberg, David S. Miller,
	BlueZ development, Network Development, linux-kernel,
	kernel-janitors

Hi Dan,

> This was accidentally changed from list_for_each_entry_safe() to
> list_for_each_entry() so now it has a use after free bug.  I've changed
> it back.
> 
> Fixes: 90305829635d ('Bluetooth: 6lowpan: Converting rwlocks to use RCU')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

patch has been applied to bluetooth-next tree.

Regards

Marcel

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-10-30 16:24 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-10-29 16:10 [patch] Bluetooth: 6lowpan: use after free in disconnect_devices() Dan Carpenter
2014-10-30  7:54 ` Jukka Rissanen
2014-10-30 16:24 ` Marcel Holtmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).