author: Dean Jenkins <Dean_Jenkins@mentor.com> 2013-02-28 15:21:55 +0100
committer: Gustavo Padovan <gustavo.padovan@collabora.co.uk> 2013-03-08 14:40:24 +0100
commit: 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905 (patch)
tree: 681a2468209aff5c83cd7c3bafe1eb6c38123c63 /include
parent: Bluetooth: Check rfcomm session and DLC exists on socket close (diff)
Bluetooth: Return RFCOMM session ptrs to avoid freed session

Unfortunately, the design retains local copies of the s RFCOMM session pointer in various code blocks and this invites the erroneous access to a freed RFCOMM session structure.

Therefore, return the RFCOMM session pointer back up the call stack to avoid accessing a freed RFCOMM session structure. When the RFCOMM session is deleted, NULL is passed up the call stack.

If active DLCs exist when the rfcomm session is terminating, avoid a memory leak of rfcomm_dlc structures by ensuring that rfcomm_session_close() is used instead of rfcomm_session_del().

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'include')
-rw-r--r-- include/net/bluetooth/rfcomm.h 3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index e2e3ecad1008..a4e38ead2282 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -278,7 +278,8 @@ void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src,
static inline void rfcomm_session_hold(struct rfcomm_session *s)
{
- atomic_inc(&s->refcnt);
+ if (s)
+ atomic_inc(&s->refcnt);
}
/* ---- RFCOMM sockets ---- */
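Review bot: The new `if (s)` check in rfcomm_session_hold() turns a NULL session into a silent no-op, but nothing at the function documents when NULL is a legitimate argument. The commit message says NULL is passed up the call stack once the session is deleted; a one-line comment above the function stating that would stop later callers from assuming a reference was taken. Because the function returns void, a caller cannot tell whether the refcount was actually incremented, so each caller still needs its own NULL check before dereferencing s, and the matching release path should tolerate NULL the same way. Neither is visible in this include-only diff, so please confirm both in the rest of the patch.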