linux-stable

mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git synced 2025-10-16 00:03:34 +10:00

Go to file

Kuniyuki Iwashima c4f16f6b07 Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() [ Upstream commit `a0075accbf` ] syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit `1bff51ea59` ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access to the killed socket in l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847 Fixes: `d97c899bde` ("Bluetooth: Introduce L2CAP channel callback for resuming") Reported-by: syzbot+e4d73b165c3892852d22@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/686c12bd.a70a0220.29fe6c.0b13.GAE@google.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2025-07-24 08:53:18 +02:00
arch	s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again	2025-07-24 08:53:14 +02:00
block	block: fix kobject leak in blk_unregister_queue	2025-07-24 08:53:17 +02:00
certs	sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3	2025-04-25 10:45:58 +02:00
crypto	crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()	2025-07-17 18:35:22 +02:00
Documentation	bpf: Adjust free target to avoid global starvation of LRU map	2025-07-17 18:35:21 +02:00
drivers	usb: net: sierra: check for no status endpoint	2025-07-24 08:53:18 +02:00
fs	smb: client: fix use-after-free in cifs_oplock_break	2025-07-24 08:53:17 +02:00
include	wifi: cfg80211: remove scan request n_channels counted_by	2025-07-24 08:53:17 +02:00
init	sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP	2025-05-02 07:50:57 +02:00
io_uring	io_uring/poll: fix POLLERR handling	2025-07-24 08:53:12 +02:00
ipc	ipc: fix to protect IPCS lookups using RCU	2025-06-27 11:08:49 +01:00
kernel	bpf: Reject %p% format string in bprintf-like helpers	2025-07-24 08:53:16 +02:00
lib	maple_tree: fix mt_destroy_walk() on root leaf node	2025-07-17 18:35:14 +02:00
LICENSES
mm	kasan: remove kasan_find_vm_area() to prevent possible deadlock	2025-07-17 18:35:22 +02:00
net	Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()	2025-07-24 08:53:18 +02:00
rust	rust: module: place cleanup_module() in .exit.text section	2025-07-06 11:00:06 +02:00
samples	samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora	2025-06-04 14:41:53 +02:00
scripts	scripts/gdb: fix interrupts.py after maple tree conversion	2025-07-17 18:35:15 +02:00
security	selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len	2025-06-27 11:08:59 +01:00
sound	ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS	2025-07-24 08:53:12 +02:00
tools	selftests: net: increase inter-packet timeout in udpgro.sh	2025-07-24 08:53:18 +02:00
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
.rustfmt.toml
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS	sign-file,extract-cert: move common SSL helper functions to a header	2025-04-25 10:45:57 +02:00
Makefile	Linux 6.6.99	2025-07-17 18:35:23 +02:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.