Bluetooth: Never deallocate a session when some DLC points to it

Lukáš Turek · Gustavo F. Padovan · commit 683d949a7fbf · 2011-01-19T14:40:42.000-02:00
Fix a bug introduced in commit 9cf5b0e: function rfcomm_recv_ua calls rfcomm_session_put without checking that the session is not referenced by some DLC. If the session is freed, that DLC would refer to deallocated memory, causing an oops later, as shown in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994 Signed-off-by: Lukas Turek <8an@praha12.net> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
@@ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
 			 * initiator rfcomm_process_rx already calls
 			 * rfcomm_session_put() */
 			if (s->sock->sk->sk_state != BT_CLOSED)
-				rfcomm_session_put(s);
+				if (list_empty(&s->dlcs))
+					rfcomm_session_put(s);
 			break;
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)`
`1164`	`1164`	`* initiator rfcomm_process_rx already calls`
`1165`	`1165`	`* rfcomm_session_put() */`
`1166`	`1166`	`if (s->sock->sk->sk_state != BT_CLOSED)`
`1167`		`- rfcomm_session_put(s);`
	`1167`	`+ if (list_empty(&s->dlcs))`
	`1168`	`+ rfcomm_session_put(s);`
`1168`	`1169`	`break;`
`1169`	`1170`	`}`
`1170`	`1171`	`}`