Commit 683d949a authored by Lukáš Turek, committed by Gustavo F. Padovan

Bluetooth: Never deallocate a session when some DLC points to it

Fix a bug introduced in commit 9cf5b0ea:
function rfcomm_recv_ua calls rfcomm_session_put without checking that
the session is not referenced by some DLC. If the session is freed, that
DLC would refer to deallocated memory, causing an oops later, as shown
in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994

Signed-off-by: Lukas Turek <8an@praha12.net>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
parent e2e0cacb
...@@ -1164,6 +1164,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) ...@@ -1164,6 +1164,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
* initiator rfcomm_process_rx already calls * initiator rfcomm_process_rx already calls
* rfcomm_session_put() */ * rfcomm_session_put() */
if (s->sock->sk->sk_state != BT_CLOSED) if (s->sock->sk->sk_state != BT_CLOSED)
if (list_empty(&s->dlcs))
rfcomm_session_put(s); rfcomm_session_put(s);
break; break;
} }
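Review bot: the added `if (list_empty(&s->dlcs))` is a second braceless `if` nested under `if (s->sock->sk->sk_state != BT_CLOSED)`, which is easy to misread as two independent statements; fold the two conditions into one test, `if (s->sock->sk->sk_state != BT_CLOSED && list_empty(&s->dlcs))`, or brace the outer `if`. The comment just above only explains the BT_CLOSED case ("initiator rfcomm_process_rx already calls rfcomm_session_put()"); extend it to say that the put is also skipped while any DLC is still linked to the session, so the session cannot be freed under a live DLC as the commit message describes. It would also help to note, in the comment or the commit message, which path drops this session reference later when the DLC list is non-empty, since from this hunk alone a reader cannot tell whether skipping the put here trades the use-after-free for a reference that is never released.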