aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth/rfcomm
diff options
context:
space:
mode:
authorLukáš Turek <8an@praha12.net>2011-01-04 20:43:59 -0500
committerGustavo F. Padovan <padovan@profusion.mobi>2011-01-19 11:40:42 -0500
commit683d949a7fbf33c244670e34d35c460e0d6558cb (patch)
treefafa2f5c18d72466e859e7ade3f6a84d84bb7224 /net/bluetooth/rfcomm
parente2e0cacbd4b0c7c69c7591d37c243f2363aeaa71 (diff)
Bluetooth: Never deallocate a session when some DLC points to it
Fix a bug introduced in commit 9cf5b0ea3a7f1432c61029f7aaf4b8b338628884: function rfcomm_recv_ua calls rfcomm_session_put without checking that the session is not referenced by some DLC. If the session is freed, that DLC would refer to deallocated memory, causing an oops later, as shown in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994 Signed-off-by: Lukas Turek <8an@praha12.net> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Diffstat (limited to 'net/bluetooth/rfcomm')
-rw-r--r--net/bluetooth/rfcomm/core.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index ff8aaa736650..6b83776534fb 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1164 * initiator rfcomm_process_rx already calls 1164 * initiator rfcomm_process_rx already calls
1165 * rfcomm_session_put() */ 1165 * rfcomm_session_put() */
1166 if (s->sock->sk->sk_state != BT_CLOSED) 1166 if (s->sock->sk->sk_state != BT_CLOSED)
1167 rfcomm_session_put(s); 1167 if (list_empty(&s->dlcs))
1168 rfcomm_session_put(s);
1168 break; 1169 break;
1169 } 1170 }
1170 } 1171 }