Bluetooth: Make better use of l2cap_chan reference counting
L2CAP sockets contain a pointer to l2cap_chan that needs to be reference counted in order to prevent a possible dangling pointer when the channel is freed. There were a few other cases where an l2cap_chan pointer on the stack was dereferenced after a call to l2cap_chan_del. Those pointers are also now reference counted. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
This commit is contained in:
Mat Martineau
Gustavo Padovan
parent
dbd89fddc1
commit
61d6ef3e34
2 changed files with 9 additions and 0 deletions
|
|
@ -1256,6 +1256,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
|
||||||
|
|
||||||
/* Kill channels */
|
/* Kill channels */
|
||||||
list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
|
list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
|
||||||
|
l2cap_chan_hold(chan);
|
||||||
l2cap_chan_lock(chan);
|
l2cap_chan_lock(chan);
|
||||||
|
|
||||||
l2cap_chan_del(chan, err);
|
l2cap_chan_del(chan, err);
|
||||||
|
|
@ -1263,6 +1264,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
|
||||||
l2cap_chan_unlock(chan);
|
l2cap_chan_unlock(chan);
|
||||||
|
|
||||||
chan->ops->close(chan->data);
|
chan->ops->close(chan->data);
|
||||||
|
l2cap_chan_put(chan);
|
||||||
}
|
}
|
||||||
|
|
||||||
mutex_unlock(&conn->chan_lock);
|
mutex_unlock(&conn->chan_lock);
|
||||||
|
|
@ -3375,11 +3377,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
|
||||||
sk->sk_shutdown = SHUTDOWN_MASK;
|
sk->sk_shutdown = SHUTDOWN_MASK;
|
||||||
release_sock(sk);
|
release_sock(sk);
|
||||||
|
|
||||||
|
l2cap_chan_hold(chan);
|
||||||
l2cap_chan_del(chan, ECONNRESET);
|
l2cap_chan_del(chan, ECONNRESET);
|
||||||
|
|
||||||
l2cap_chan_unlock(chan);
|
l2cap_chan_unlock(chan);
|
||||||
|
|
||||||
chan->ops->close(chan->data);
|
chan->ops->close(chan->data);
|
||||||
|
l2cap_chan_put(chan);
|
||||||
|
|
||||||
mutex_unlock(&conn->chan_lock);
|
mutex_unlock(&conn->chan_lock);
|
||||||
|
|
||||||
|
|
@ -3407,11 +3411,13 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
|
||||||
|
|
||||||
l2cap_chan_lock(chan);
|
l2cap_chan_lock(chan);
|
||||||
|
|
||||||
|
l2cap_chan_hold(chan);
|
||||||
l2cap_chan_del(chan, 0);
|
l2cap_chan_del(chan, 0);
|
||||||
|
|
||||||
l2cap_chan_unlock(chan);
|
l2cap_chan_unlock(chan);
|
||||||
|
|
||||||
chan->ops->close(chan->data);
|
chan->ops->close(chan->data);
|
||||||
|
l2cap_chan_put(chan);
|
||||||
|
|
||||||
mutex_unlock(&conn->chan_lock);
|
mutex_unlock(&conn->chan_lock);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk)
|
||||||
{
|
{
|
||||||
BT_DBG("sk %p", sk);
|
BT_DBG("sk %p", sk);
|
||||||
|
|
||||||
|
l2cap_chan_put(l2cap_pi(sk)->chan);
|
||||||
if (l2cap_pi(sk)->rx_busy_skb) {
|
if (l2cap_pi(sk)->rx_busy_skb) {
|
||||||
kfree_skb(l2cap_pi(sk)->rx_busy_skb);
|
kfree_skb(l2cap_pi(sk)->rx_busy_skb);
|
||||||
l2cap_pi(sk)->rx_busy_skb = NULL;
|
l2cap_pi(sk)->rx_busy_skb = NULL;
|
||||||
|
|
@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
l2cap_chan_hold(chan);
|
||||||
|
|
||||||
chan->sk = sk;
|
chan->sk = sk;
|
||||||
|
|
||||||
l2cap_pi(sk)->chan = chan;
|
l2cap_pi(sk)->chan = chan;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue