Hi Vignesh, > The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove > RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905 > "Bluetooth: Return RFCOMM session ptrs to avoid freed session" > allow rfcomm_recv_ua and rfcomm_session_close to delete the session > (and free the corresponding socket) and propagate NULL session pointer > to the upper callers. > > Additional fix is required to terminate the loop in rfcomm_process_rx > function to avoid use of freed 'sk' memory. > > The issue is only reproducible with kernel option CONFIG_PAGE_POISONING > enabled making freed memory being changed and filled up with fixed char > value used to unmask use-after-free issues. > > Signed-off-by: Vignesh Raman <Vignesh_Raman@xxxxxxxxxx> > Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@xxxxxxxxxx> > Acked-by: Dean Jenkins <Dean_Jenkins@xxxxxxxxxx> > --- > net/bluetooth/rfcomm/core.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) patch has been applied to bluetooth-next tree and I also tagged it for stable. Regards Marcel -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
