Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-4.14.y 2022-08-25T09:11:08Z 2022-08-25T09:11:08Z Luiz Augusto von Dentz luiz.von.dentz@intel.com 2022-07-21T16:10:50Z urn:sha1:5bb395334392891dffae5a0e8f37dbe1d70496c9 commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream. This fixes the following trace which is caused by hci_rx_work starting up *after* the final channel reference has been put() during sock_close() but *before* the references to the channel have been destroyed, so instead the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. refcount_t: increment on 0; use-after-free. BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0 Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705 CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W 4.14.234-00003-g1fb6d0bd49a4-dirty #28 Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame DVT (DT) Workqueue: hci0 hci_rx_work Call trace: dump_backtrace+0x0/0x378 show_stack+0x20/0x2c dump_stack+0x124/0x148 print_address_description+0x80/0x2e8 __kasan_report+0x168/0x188 kasan_report+0x10/0x18 __asan_load4+0x84/0x8c refcount_dec_and_test+0x20/0xd0 l2cap_chan_put+0x48/0x12c l2cap_recv_frame+0x4770/0x6550 l2cap_recv_acldata+0x44c/0x7a4 hci_acldata_packet+0x100/0x188 hci_rx_work+0x178/0x23c process_one_work+0x35c/0x95c worker_thread+0x4cc/0x960 kthread+0x1a8/0x1c4 ret_from_fork+0x10/0x18 Cc: stable@kernel.org Reported-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Tested-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-10-17T08:29:53Z Luiz Augusto von Dentz luiz.von.dentz@intel.com 2020-08-06T18:17:12Z urn:sha1:2acf87436517894275a804210caa33b9a08cf93c commit f19425641cb2572a33cb074d5e30283720bd4d22 upstream. Only sockets will have the chan->data set to an actual sk, channels like A2MP would have its own data which would likely cause a crash when calling sk_filter, in order to fix this a new callback has been introduced so channels can implement their own filtering if necessary. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-04-12T20:02:37Z Marcin Kraglak marcin.kraglak@tieto.com 2017-03-08T13:09:41Z urn:sha1:d8edd9ed156a1a840f1b1c2dbbf458684d6eea6e Fix issue found during L2CAP qualification test TP/LE/CFC/BV-20-C. Signed-off-by: Marcin Kraglak <marcin.kraglak@tieto.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2016-01-29T10:47:24Z Johan Hedberg johan.hedberg@intel.com 2016-01-26T22:19:09Z urn:sha1:114f9f1e038eb23935c20fb54f49f07caaa0546d Having proper defines makes the code a bit readable, it also avoids duplicating hard-coded values since these are also needed when auto-allocating PSM values (in a subsequent patch). Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2015-11-05T03:04:00Z Johan Hedberg johan.hedberg@intel.com 2015-11-02T12:39:15Z urn:sha1:8a7889cc6e2dbbace114130f4efd9b77452069cd The core spec defines specific response codes for situations when the received CID is incorrect. Add the defines for these and return them as appropriate from the LE Connect Request handler function. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2015-07-23T15:10:51Z Dean Jenkins Dean_Jenkins@mentor.com 2015-06-23T16:59:39Z urn:sha1:e432c72c464d2deb6c66d1e2a5f548dc1f0ef4dc Add a timeout to prevent the do while loop running in an infinite loop. This ensures that the channel will be instructed to close within 10 seconds so prevents l2cap_sock_shutdown() getting stuck forever. Returns -ENOLINK when the timeout is reached. The channel will be subequently closed and not all data will be ACK'ed. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2015-07-23T15:10:51Z Dean Jenkins Dean_Jenkins@mentor.com 2015-06-23T16:59:38Z urn:sha1:cb02a25583b59ce48267472cd092485d754964f9 Use msecs_to_jiffies() instead of using HZ so that it is easier to specify the time in milliseconds. Also add a #define L2CAP_WAIT_ACK_POLL_PERIOD to specify the 200ms polling period so that it is defined in a single place. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2014-12-19T10:12:05Z Jukka Rissanen jukka.rissanen@linux.intel.com 2014-12-19T08:39:08Z urn:sha1:cab9e3a0559c039b4e13b569fcf393618c661902 The Internet Protocol Support Profile a.k.a BT 6LoWPAN specification is ready so PSM value for it is now known. Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> 2014-12-10T18:17:23Z David S. Miller davem@davemloft.net 2014-12-10T18:17:23Z urn:sha1:6e5f59aacbf9527dfe425541c78cb8c56623e7eb More iov_iter work for the networking from Al Viro. Signed-off-by: David S. Miller <davem@davemloft.net> 2014-12-09T21:29:10Z Al Viro viro@zeniv.linux.org.uk 2014-11-24T22:07:38Z urn:sha1:17836394e578b8d6475ecdb309ad1356bbcf37a2 Just use copy_from_iter(). That's what this method is trying to do in all cases, in a very convoluted fashion. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>