Bluetooth: Never deallocate a session when some DLC points to it
Fix a bug introduced in commit 9cf5b0ea3a:
function rfcomm_recv_ua calls rfcomm_session_put without checking that
the session is not referenced by some DLC. If the session is freed, that
DLC would refer to deallocated memory, causing an oops later, as shown
in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994
Signed-off-by: Lukas Turek <8an@praha12.net>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
parent e2e0cacbd4
commit 683d949a7f
1 changed file with 2 additions and 1 deletion
		|  | @ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) | ||||||
| 			 * initiator rfcomm_process_rx already calls | 			 * initiator rfcomm_process_rx already calls | ||||||
| 			 * rfcomm_session_put() */ | 			 * rfcomm_session_put() */ | ||||||
| 			if (s->sock->sk->sk_state != BT_CLOSED) | 			if (s->sock->sk->sk_state != BT_CLOSED) | ||||||
| 				rfcomm_session_put(s); | 				if (list_empty(&s->dlcs)) | ||||||
|  | 					rfcomm_session_put(s); | ||||||
| 			break; | 			break; | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
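Review bot: the new nested guard `if (list_empty(&s->dlcs))` before `rfcomm_session_put(s)` leaves open who drops the session reference when the DLC list is not empty; the commit message only describes the freed-session oops, so state where the balancing rfcomm_session_put() happens on that path, otherwise a reader will suspect the reference is leaked instead of freed early. Nothing in the hunk shows a lock held across the list_empty() test and the put, so confirm the DLC list cannot change between the two. Style: the two nested single-statement ifs read better as one condition, `if (s->sock->sk->sk_state != BT_CLOSED && list_empty(&s->dlcs))`, and the comment above, which still only mentions rfcomm_process_rx, should also say why a non-empty DLC list must keep the session alive.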
	 Lukáš Turek