Bluetooth: Make better use of l2cap_chan reference counting

L2CAP sockets contain a pointer to l2cap_chan that needs to be reference counted in order to prevent a possible dangling pointer when the channel is freed. There were a few other cases where an l2cap_chan pointer on the stack was dereferenced after a call to l2cap_chan_del. Those pointers are also now reference counted. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
author: Mat Martineau <mathewm@codeaurora.org> 2012-04-27 19:50:50 -0400
committer: Gustavo Padovan <gustavo@padovan.org> 2012-05-09 00:40:49 -0400
commit: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 (patch)
tree: b8a711d6cb948ec81749aa8b06a53a8e2dac0b37 /net/bluetooth
parent: dbd89fddc1f1fc96085deb164b7b9b2361241dd3 (diff)
2 files changed, 9 insertions, 0 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 1192c943bf8e..b854d284d42a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1256,6 +1256,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
        /* Kill channels */
        list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
+                l2cap_chan_hold(chan);
                l2cap_chan_lock(chan);
                l2cap_chan_del(chan, err);
@@ -1263,6 +1264,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
                l2cap_chan_unlock(chan);
                chan->ops->close(chan->data);
+                l2cap_chan_put(chan);
        }
        mutex_unlock(&conn->chan_lock);
@@ -3375,11 +3377,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
        sk->sk_shutdown = SHUTDOWN_MASK;
        release_sock(sk);
+        l2cap_chan_hold(chan);
        l2cap_chan_del(chan, ECONNRESET);
        l2cap_chan_unlock(chan);
        chan->ops->close(chan->data);
+        l2cap_chan_put(chan);
        mutex_unlock(&conn->chan_lock);
@@ -3407,11 +3411,13 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
        l2cap_chan_lock(chan);
+        l2cap_chan_hold(chan);
        l2cap_chan_del(chan, 0);
        l2cap_chan_unlock(chan);
        chan->ops->close(chan->data);
+        l2cap_chan_put(chan);
        mutex_unlock(&conn->chan_lock);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 2b5e7e81c3c0..6bf8ff75d95f 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk)
 {
        BT_DBG("sk %p", sk);
+        l2cap_chan_put(l2cap_pi(sk)->chan);
        if (l2cap_pi(sk)->rx_busy_skb) {
                kfree_skb(l2cap_pi(sk)->rx_busy_skb);
                l2cap_pi(sk)->rx_busy_skb = NULL;
@@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
                return NULL;
        }
+        l2cap_chan_hold(chan);
        chan->sk = sk;
        l2cap_pi(sk)->chan = chan;
author	Mat Martineau <mathewm@codeaurora.org>	2012-04-27 19:50:50 -0400
committer	Gustavo Padovan <gustavo@padovan.org>	2012-05-09 00:40:49 -0400
commit	61d6ef3e3408cdf7e622646fb90a9f7f9560b943 (patch)
tree	b8a711d6cb948ec81749aa8b06a53a8e2dac0b37 /net/bluetooth
parent	dbd89fddc1f1fc96085deb164b7b9b2361241dd3 (diff)