Commit 61d6ef3e authored by Mat Martineau's avatar Mat Martineau Committed by Gustavo Padovan

Bluetooth: Make better use of l2cap_chan reference counting

L2CAP sockets contain a pointer to l2cap_chan that needs to be
reference counted in order to prevent a possible dangling pointer when
the channel is freed.

There were a few other cases where an l2cap_chan pointer on the stack
was dereferenced after a call to l2cap_chan_del. Those pointers are
also now reference counted.
Signed-off-by: default avatarMat Martineau <mathewm@codeaurora.org>
Signed-off-by: default avatarGustavo Padovan <gustavo@padovan.org>
parent dbd89fdd
...@@ -1256,6 +1256,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) ...@@ -1256,6 +1256,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
/* Kill channels */ /* Kill channels */
list_for_each_entry_safe(chan, l, &conn->chan_l, list) { list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
l2cap_chan_hold(chan);
l2cap_chan_lock(chan); l2cap_chan_lock(chan);
l2cap_chan_del(chan, err); l2cap_chan_del(chan, err);
...@@ -1263,6 +1264,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) ...@@ -1263,6 +1264,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
l2cap_chan_unlock(chan); l2cap_chan_unlock(chan);
chan->ops->close(chan->data); chan->ops->close(chan->data);
l2cap_chan_put(chan);
} }
mutex_unlock(&conn->chan_lock); mutex_unlock(&conn->chan_lock);
...@@ -3375,11 +3377,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd ...@@ -3375,11 +3377,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
sk->sk_shutdown = SHUTDOWN_MASK; sk->sk_shutdown = SHUTDOWN_MASK;
release_sock(sk); release_sock(sk);
l2cap_chan_hold(chan);
l2cap_chan_del(chan, ECONNRESET); l2cap_chan_del(chan, ECONNRESET);
l2cap_chan_unlock(chan); l2cap_chan_unlock(chan);
chan->ops->close(chan->data); chan->ops->close(chan->data);
l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock); mutex_unlock(&conn->chan_lock);
...@@ -3407,11 +3411,13 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd ...@@ -3407,11 +3411,13 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
l2cap_chan_lock(chan); l2cap_chan_lock(chan);
l2cap_chan_hold(chan);
l2cap_chan_del(chan, 0); l2cap_chan_del(chan, 0);
l2cap_chan_unlock(chan); l2cap_chan_unlock(chan);
chan->ops->close(chan->data); chan->ops->close(chan->data);
l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock); mutex_unlock(&conn->chan_lock);
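Review bot: The new hold is taken before l2cap_chan_lock in l2cap_conn_del but after it in l2cap_disconnect_rsp (and after release_sock in l2cap_disconnect_req), so the three sites no longer read as one idiom even though they do the same thing; taking the reference first everywhere, `l2cap_chan_hold(chan); l2cap_chan_lock(chan);`, keeps the order consistent and makes it obvious the hold does not depend on the lock. The reference keeps `chan` itself alive across the unlock, but the `chan->ops->close(chan->data)` call that follows dereferences `chan->data`, whose lifetime is not covered by this refcount, so each site would benefit from a one-line comment such as `/* hold: close() runs after l2cap_chan_del dropped the list's reference */` stating what the hold is for. All three enclosing functions start outside the hunks shown.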
...@@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk) ...@@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk)
{ {
BT_DBG("sk %p", sk); BT_DBG("sk %p", sk);
l2cap_chan_put(l2cap_pi(sk)->chan);
if (l2cap_pi(sk)->rx_busy_skb) { if (l2cap_pi(sk)->rx_busy_skb) {
kfree_skb(l2cap_pi(sk)->rx_busy_skb); kfree_skb(l2cap_pi(sk)->rx_busy_skb);
l2cap_pi(sk)->rx_busy_skb = NULL; l2cap_pi(sk)->rx_busy_skb = NULL;
...@@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p ...@@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
return NULL; return NULL;
} }
l2cap_chan_hold(chan);
chan->sk = sk; chan->sk = sk;
l2cap_pi(sk)->chan = chan; l2cap_pi(sk)->chan = chan;
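Review bot: l2cap_sock_destruct now calls l2cap_chan_put on l2cap_pi(sk)->chan unconditionally, so a socket that reaches its destructor with chan still NULL — for instance the `return NULL` error path visible at the top of the l2cap_sock_alloc hunk, if sk_destruct has already been installed when that socket is freed — would dereference NULL inside the put. A cheap guard, `if (l2cap_pi(sk)->chan) l2cap_chan_put(l2cap_pi(sk)->chan);`, closes that window; alternatively confirm that sk_destruct is only assigned after chan is set, which this diff does not show. The hold added in l2cap_sock_alloc is the reference the socket owns, and a short comment above it, `/* socket holds a ref on chan; dropped in l2cap_sock_destruct */`, would document the pairing. Both functions start outside the hunks shown.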