Bluetooth: Never deallocate a session when some DLC points to it

Fix a bug introduced in commit 9cf5b0ea: function rfcomm_recv_ua calls rfcomm_session_put without checking that the session is not referenced by some DLC. If the session is freed, that DLC would refer to deallocated memory, causing an oops later, as shown in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994Signed-off-by: N Lukas Turek <8an@praha12.net> Signed-off-by: N Gustavo F. Padovan <padovan@profusion.mobi>

Bluetooth: Never deallocate a session when some DLC points to it
Fix a bug introduced in commit 9cf5b0ea: function rfcomm_recv_ua calls rfcomm_session_put without checking that the session is not referenced by some DLC. If the session is freed, that DLC would refer to deallocated memory, causing an oops later, as shown in this bug report: https://bugzilla.kernel.org/show_bug.cgi?id=15994Signed-off-by: N Lukas Turek <8an@praha12.net> Signed-off-by: N Gustavo F. Padovan <padovan@profusion.mobi>
683d949a · Lukáš Turek · Gustavo F. Padovan · e2e0cacb · 683d949a
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/bluetooth/rfcomm/core.c net/bluetooth/rfcomm/core.c +2 -1

未找到文件。
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
 			 * initiator rfcomm_process_rx already calls
 			 * rfcomm_session_put() */
 			if (s->sock->sk->sk_state != BT_CLOSED)
-				rfcomm_session_put(s);
+				if (list_empty(&s->dlcs))
+					rfcomm_session_put(s);
 			break;
 		}
 	}