1. 03 10月, 2013 2 次提交
  2. 12 6月, 2013 1 次提交
  3. 12 4月, 2013 1 次提交
    • D
      Bluetooth: rename hci_conn_put to hci_conn_drop · 76a68ba0
      David Herrmann 提交于
      We use _get() and _put() for device ref-counting in the kernel. However,
      hci_conn_put() is _not_ used for ref-counting, hence, rename it to
      hci_conn_drop() so we can later fix ref-counting and introduce
      hci_conn_put().
      
      hci_conn_hold() and hci_conn_put() are currently used to manage how long a
      connection should be held alive. When the last user drops the connection,
      we spawn a delayed work that performs the disconnect. Obviously, this has
      nothing to do with ref-counting for the _object_ but rather for the
      keep-alive of the connection.
      
      But we really _need_ proper ref-counting for the _object_ to allow
      connection-users like rfcomm-tty, HIDP or others.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      76a68ba0
  4. 01 2月, 2013 1 次提交
  5. 09 11月, 2012 1 次提交
  6. 12 10月, 2012 1 次提交
  7. 11 10月, 2012 1 次提交
  8. 27 8月, 2012 1 次提交
  9. 15 8月, 2012 1 次提交
    • A
      Bluetooth: Fix use-after-free bug in SMP · 61a0cfb0
      Andre Guedes 提交于
      If SMP fails, we should always cancel security_timer delayed work.
      Otherwise, security_timer function may run after l2cap_conn object
      has been freed.
      
      This patch fixes the following warning reported by ODEBUG:
      
      WARNING: at lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
      Hardware name: Bochs
      ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x27
      Modules linked in: btusb bluetooth
      Pid: 440, comm: kworker/u:2 Not tainted 3.5.0-rc1+ #4
      Call Trace:
       [<ffffffff81174600>] ? free_obj_work+0x4a/0x7f
       [<ffffffff81023eb8>] warn_slowpath_common+0x7e/0x97
       [<ffffffff81023f65>] warn_slowpath_fmt+0x41/0x43
       [<ffffffff811746b1>] debug_print_object+0x7c/0x8d
       [<ffffffff810394f0>] ? __queue_work+0x241/0x241
       [<ffffffff81174fdd>] debug_check_no_obj_freed+0x92/0x159
       [<ffffffff810ac08e>] slab_free_hook+0x6f/0x77
       [<ffffffffa0019145>] ? l2cap_conn_del+0x148/0x157 [bluetooth]
       [<ffffffff810ae408>] kfree+0x59/0xac
       [<ffffffffa0019145>] l2cap_conn_del+0x148/0x157 [bluetooth]
       [<ffffffffa001b9a2>] l2cap_recv_frame+0xa77/0xfa4 [bluetooth]
       [<ffffffff810592f9>] ? trace_hardirqs_on_caller+0x112/0x1ad
       [<ffffffffa001c86c>] l2cap_recv_acldata+0xe2/0x264 [bluetooth]
       [<ffffffffa0002b2f>] hci_rx_work+0x235/0x33c [bluetooth]
       [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
       [<ffffffff81038e22>] process_one_work+0x185/0x2fe
       [<ffffffff81038dc3>] ? process_one_work+0x126/0x2fe
       [<ffffffff81059f2e>] ? lock_acquired+0x1b5/0x1cf
       [<ffffffffa00028fa>] ? le_scan_work+0x11d/0x11d [bluetooth]
       [<ffffffff81036fb6>] ? spin_lock_irq+0x9/0xb
       [<ffffffff81039209>] worker_thread+0xcf/0x175
       [<ffffffff8103913a>] ? rescuer_thread+0x175/0x175
       [<ffffffff8103cfe0>] kthread+0x95/0x9d
       [<ffffffff812c5054>] kernel_threadi_helper+0x4/0x10
       [<ffffffff812c36b0>] ? retint_restore_args+0x13/0x13
       [<ffffffff8103cf4b>] ? flush_kthread_worker+0xdb/0xdb
       [<ffffffff812c5050>] ? gs_change+0x13/0x13
      
      This bug can be reproduced using hctool lecc or l2test tools and
      bluetoothd not running.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      61a0cfb0
  10. 07 8月, 2012 1 次提交
  11. 08 6月, 2012 2 次提交
  12. 05 6月, 2012 1 次提交
  13. 09 5月, 2012 1 次提交
  14. 08 3月, 2012 3 次提交
  15. 02 3月, 2012 1 次提交
  16. 13 2月, 2012 7 次提交
  17. 24 12月, 2011 1 次提交
  18. 23 12月, 2011 1 次提交
  19. 21 12月, 2011 1 次提交
  20. 01 12月, 2011 2 次提交
  21. 08 11月, 2011 1 次提交
  22. 21 9月, 2011 8 次提交