diff options
| author | Mat Martineau <mathewm@codeaurora.org> | 2012-05-18 00:14:09 -0400 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2012-06-04 23:34:02 -0400 |
| commit | 2827011f666e157f3307d55070a75e1d1110b194 (patch) | |
| tree | 5f1fc5b4d102a641cd1c84183440a841540fb6eb | |
| parent | 9dc9affcb776b75f6d3e5d69d6e2a679407854f1 (diff) | |
Bluetooth: Fix early return from l2cap_chan_del
This fixes a regression from commit
2ead70b8390d199ca04cd35311b51f5f3676079e that is present in all
kernels starting at v3.0.
When L2CAP information was moved to struct l2cap_chan, a check was
added to l2cap_chan_del to avoid certain cleanup operations when ERTM
or streaming mode had not yet been initialized. The logic in the
check did not take in to account that chan->conf_state is set to 0 in
l2cap_chan_ready, so l2cap_chan_del failed to cancel timers and leaked
memory any time the ERTM queues or lists were not empty.
This change makes sure that l2cap_chan_del only returns early if
ERTM initialization was not performed.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| -rw-r--r-- | include/net/bluetooth/l2cap.h | 1 | ||||
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 7 |
2 files changed, 6 insertions, 2 deletions
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h index 1c7d1cd5e679..452fcc4c0fff 100644 --- a/include/net/bluetooth/l2cap.h +++ b/include/net/bluetooth/l2cap.h | |||
| @@ -597,6 +597,7 @@ enum { | |||
| 597 | CONF_EWS_RECV, | 597 | CONF_EWS_RECV, |
| 598 | CONF_LOC_CONF_PEND, | 598 | CONF_LOC_CONF_PEND, |
| 599 | CONF_REM_CONF_PEND, | 599 | CONF_REM_CONF_PEND, |
| 600 | CONF_NOT_COMPLETE, | ||
| 600 | }; | 601 | }; |
| 601 | 602 | ||
| 602 | #define L2CAP_CONF_MAX_CONF_REQ 2 | 603 | #define L2CAP_CONF_MAX_CONF_REQ 2 |
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 078bf805cd97..d9f215f3f8e9 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c | |||
| @@ -392,6 +392,9 @@ struct l2cap_chan *l2cap_chan_create(void) | |||
| 392 | 392 | ||
| 393 | atomic_set(&chan->refcnt, 1); | 393 | atomic_set(&chan->refcnt, 1); |
| 394 | 394 | ||
| 395 | /* This flag is cleared in l2cap_chan_ready() */ | ||
| 396 | set_bit(CONF_NOT_COMPLETE, &chan->conf_state); | ||
| 397 | |||
| 395 | BT_DBG("chan %p", chan); | 398 | BT_DBG("chan %p", chan); |
| 396 | 399 | ||
| 397 | return chan; | 400 | return chan; |
| @@ -509,8 +512,7 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err) | |||
| 509 | 512 | ||
| 510 | release_sock(sk); | 513 | release_sock(sk); |
| 511 | 514 | ||
| 512 | if (!(test_bit(CONF_OUTPUT_DONE, &chan->conf_state) && | 515 | if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state)) |
| 513 | test_bit(CONF_INPUT_DONE, &chan->conf_state))) | ||
| 514 | return; | 516 | return; |
| 515 | 517 | ||
| 516 | skb_queue_purge(&chan->tx_q); | 518 | skb_queue_purge(&chan->tx_q); |
| @@ -923,6 +925,7 @@ static void l2cap_chan_ready(struct l2cap_chan *chan) | |||
| 923 | 925 | ||
| 924 | BT_DBG("sk %p, parent %p", sk, parent); | 926 | BT_DBG("sk %p, parent %p", sk, parent); |
| 925 | 927 | ||
| 928 | /* This clears all conf flags, including CONF_NOT_COMPLETE */ | ||
| 926 | chan->conf_state = 0; | 929 | chan->conf_state = 0; |
| 927 | __clear_chan_timer(chan); | 930 | __clear_chan_timer(chan); |
| 928 | 931 | ||