From: Marcel Holtmann <marcel@holtmann.org>
To: Mat Martineau <mathewm@codeaurora.org>
Cc: linux-bluetooth@vger.kernel.org, padovan@profusion.mobi,
pkrystad@codeaurora.org
Subject: Re: [PATCH 1/2] Bluetooth: Clear RFCOMM session timer when disconnecting last channel
Date: Thu, 08 Dec 2011 10:25:41 +0200 [thread overview]
Message-ID: <1323332741.1965.17.camel@aeonflux> (raw)
In-Reply-To: <1323217407-2490-2-git-send-email-mathewm@codeaurora.org>
Hi Mat,
> When the last RFCOMM data channel is closed, a timer is normally set
> up to disconnect the control channel at a later time. If the control
> channel disconnect command is sent with the timer pending, the timer
> needs to be cancelled.
>
> If the timer is not cancelled in this situation, the reference
> counting logic for the RFCOMM session does not work correctly when the
> remote device closes the L2CAP connection. The session is freed at
> the wrong time, leading to a kernel panic.
>
> Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
> ---
> net/bluetooth/rfcomm/core.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index 4e32e18..2d28dfe 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1146,6 +1146,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
> if (list_empty(&s->dlcs)) {
> s->state = BT_DISCONN;
> rfcomm_send_disc(s, 0);
> + rfcomm_session_clear_timer(s);
> }
I am not 100% convinced that this is correct, but going through the code
for over an hour I could not come up with a case where this would cause
problems. It is just a feeling and with RFCOMM that could be just a
bogus feeling ;)
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
next prev parent reply other threads:[~2011-12-08 8:25 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-07 0:23 [PATCH 0/2] Bug fixes for RFCOMM and L2CAP Mat Martineau
2011-12-07 0:23 ` [PATCH 1/2] Bluetooth: Clear RFCOMM session timer when disconnecting last channel Mat Martineau
2011-12-08 8:25 ` Marcel Holtmann [this message]
2011-12-08 16:57 ` Mat Martineau
2011-12-08 22:13 ` Marcel Holtmann
2011-12-07 0:23 ` [PATCH 2/2] Bluetooth: Prevent uninitialized data access in L2CAP configuration Mat Martineau
2011-12-08 8:29 ` Marcel Holtmann
2011-12-08 21:32 ` Mat Martineau
2011-12-16 23:58 ` [PATCH 0/2] Bug fixes for RFCOMM and L2CAP Mat Martineau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1323332741.1965.17.camel@aeonflux \
--to=marcel@holtmann.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=mathewm@codeaurora.org \
--cc=padovan@profusion.mobi \
--cc=pkrystad@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.