Bluetooth: Never deallocate a session when some DLC points to it
Fix a bug introduced in commit 9cf5b0e:
function rfcomm_recv_ua calls rfcomm_session_put without checking that
the session is not referenced by some DLC. If the session is freed, that
DLC would refer to deallocated memory, causing an oops later, as shown
in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994

Signed-off-by: Lukas Turek <8an@praha12.net>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Lukáš Turek authored and Gustavo F. Padovan committed Jan 19, 2011
1 parent e2e0cac commit 683d949
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion net/bluetooth/rfcomm/core.c
Expand Up @@ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
* initiator rfcomm_process_rx already calls
* rfcomm_session_put() */
if (s->sock->sk->sk_state != BT_CLOSED)
rfcomm_session_put(s);
if (list_empty(&s->dlcs))
rfcomm_session_put(s);
break;
}
}
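
Review bot: The comment above the new nested `if` still explains only the `BT_CLOSED` check, so the `list_empty(&s->dlcs)` guard is undocumented at the one place a reader needs it. Please extend the comment to say that the put is skipped while any DLC still points at the session, and to name where the reference is dropped once the last DLC is unlinked; that path is not visible in this hunk, and if nothing performs the put there, the use-after-free is traded for a leaked session. As a style point, the two unbraced nested `if` statements read more safely as a single condition, `if (s->sock->sk->sk_state != BT_CLOSED && list_empty(&s->dlcs))`, which also keeps a later edit from attaching an `else` to the wrong branch.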
