diff options
author | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2013-01-03 16:59:28 -0500 |
---|---|---|
committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2013-01-10 00:53:32 -0500 |
commit | b7e98b5100aad9290d7f06fcb9d1e80f7f62f05f (patch) | |
tree | 63b16b62fb99d649e5ec205a2f02c849a4386b30 /net | |
parent | 7b064edae38d62d8587a8c574f93b53ce75ae749 (diff) |
Bluetooth: Check if the hci connection exists in SCO shutdown
Checking only for sco_conn seems to not be enough and lead to NULL
dereferences in the code, check for hcon instead.
<1>[11340.226404] BUG: unable to handle kernel NULL pointer dereference at
0000000
8
<4>[11340.226619] EIP is at __sco_sock_close+0xe8/0x1a0
<4>[11340.226629] EAX: f063a740 EBX: 00000000 ECX: f58f4544 EDX: 00000000
<4>[11340.226640] ESI: dec83e00 EDI: 5f9a081f EBP: e0fdff38 ESP: e0fdff1c
<0>[11340.226674] Stack:
<4>[11340.226682] c184db87 c1251028 dec83e00 e0fdff38 c1754aef dec83e00
00000000
e0fdff5c
<4>[11340.226718] c184f587 e0fdff64 e0fdff68 5f9a081f e0fdff5c c1751852
d7813800
62262f10
<4>[11340.226752] e0fdff70 c1753c00 00000000 00000001 0000000d e0fdffac
c175425c
00000041
<0>[11340.226793] Call Trace:
<4>[11340.226813] [<c184db87>] ? sco_sock_clear_timer+0x27/0x60
<4>[11340.226831] [<c1251028>] ? local_bh_enable+0x68/0xd0
<4>[11340.226846] [<c1754aef>] ? lock_sock_nested+0x4f/0x60
<4>[11340.226862] [<c184f587>] sco_sock_shutdown+0x67/0xb0
<4>[11340.226879] [<c1751852>] ? sockfd_lookup_light+0x22/0x80
<4>[11340.226897] [<c1753c00>] sys_shutdown+0x30/0x60
<4>[11340.226912] [<c175425c>] sys_socketcall+0x1dc/0x2a0
<4>[11340.226929] [<c149ba78>] ? trace_hardirqs_on_thunk+0xc/0x10
<4>[11340.226944] [<c18860f1>] syscall_call+0x7/0xb
<4>[11340.226960] [<c1880000>] ? restore_cur+0x5e/0xd7
<0>[11340.226969] Code: <f0> ff 4b 08 0f 94 c0 84 c0 74 20 80 7b 19 01 74
2f b8 0a 00 00
Reported-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/sco.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 531a93d613d4..57f250c20e39 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c | |||
@@ -352,7 +352,7 @@ static void __sco_sock_close(struct sock *sk) | |||
352 | 352 | ||
353 | case BT_CONNECTED: | 353 | case BT_CONNECTED: |
354 | case BT_CONFIG: | 354 | case BT_CONFIG: |
355 | if (sco_pi(sk)->conn) { | 355 | if (sco_pi(sk)->conn->hcon) { |
356 | sk->sk_state = BT_DISCONN; | 356 | sk->sk_state = BT_DISCONN; |
357 | sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); | 357 | sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); |
358 | hci_conn_put(sco_pi(sk)->conn->hcon); | 358 | hci_conn_put(sco_pi(sk)->conn->hcon); |