summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMat Martineau <mathewm@codeaurora.org>2011-12-07 01:23:26 +0100
committerGustavo F. Padovan <padovan@profusion.mobi>2011-12-19 01:29:35 +0100
commit79e654787c67f6b05f73366ff8ccac72ba7249e6 (patch)
treec1a498c2af15b6df2387898ac260c84f4a4dbbd1
parentBluetooth: Prevent uninitialized data access in L2CAP configuration (diff)
downloadlinux-79e654787c67f6b05f73366ff8ccac72ba7249e6.tar.xz
linux-79e654787c67f6b05f73366ff8ccac72ba7249e6.zip
Bluetooth: Clear RFCOMM session timer when disconnecting last channel
When the last RFCOMM data channel is closed, a timer is normally set up to disconnect the control channel at a later time. If the control channel disconnect command is sent with the timer pending, the timer needs to be cancelled. If the timer is not cancelled in this situation, the reference counting logic for the RFCOMM session does not work correctly when the remote device closes the L2CAP connection. The session is freed at the wrong time, leading to a kernel panic. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
-rw-r--r--net/bluetooth/rfcomm/core.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 4e32e18211f9..2d28dfe98389 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1146,6 +1146,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
if (list_empty(&s->dlcs)) {
s->state = BT_DISCONN;
rfcomm_send_disc(s, 0);
+ rfcomm_session_clear_timer(s);
}
break;