From: Mat Martineau <mathewm@codeaurora.org>
To: linux-bluetooth@vger.kernel.org, gustavo@padovan.org,
	marcel@holtmann.org
Cc: pkrystad@codeaurora.org, andrei.emeltchenko.news@gmail.com
Subject: [RFCv2 3/8] Bluetooth: Make better use of l2cap_chan reference counting
Date: Fri, 27 Apr 2012 16:50:50 -0700
Message-ID: <1335570655-30878-4-git-send-email-mathewm@codeaurora.org>
In-Reply-To: <1335570655-30878-1-git-send-email-mathewm@codeaurora.org>

L2CAP sockets contain a pointer to l2cap_chan that needs to be
reference counted in order to prevent a possible dangling pointer when
the channel is freed.

There were a few other cases where an l2cap_chan pointer on the stack
was dereferenced after a call to l2cap_chan_del. Those pointers are
also now reference counted.

Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
---
 net/bluetooth/l2cap_core.c |    6 ++++++
 net/bluetooth/l2cap_sock.c |    3 +++
 2 files changed, 9 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c3d3cfc..5963cd2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1257,6 +1257,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
 
 	/* Kill channels */
 	list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
+		l2cap_chan_hold(chan);
 		l2cap_chan_lock(chan);
 
 		l2cap_chan_del(chan, err);
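Review bot: the new l2cap_chan_hold(chan) sits before l2cap_chan_lock(chan) rather than next to the l2cap_chan_del(chan, err) it is there to protect, and its matching put lands in the next hunk; a one-line comment above the hold, e.g. `/* keep chan alive across l2cap_chan_del() and ops->close() */`, would make the pairing obvious to the next reader. Taking the reference before the lock is safe here only because conn->chan_lock is held for the whole list walk (the mutex_unlock at the end of this function), so a channel found on conn->chan_l cannot be freed between list_for_each_entry_safe() picking it and the hold.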
@@ -1264,6 +1265,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
 		l2cap_chan_unlock(chan);
 
 		chan->ops->close(chan->data);
+		l2cap_chan_put(chan);
 	}
 
 	mutex_unlock(&conn->chan_lock);
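Review bot: the l2cap_chan_put(chan) after chan->ops->close(chan->data) may drop the final reference, so nothing in the loop body may touch chan after it. That holds as written, because list_for_each_entry_safe() has already saved the next entry in l and l2cap_chan_del() removed chan from conn->chan_l, but a short comment that chan is invalid past the put would spare the next person the trace through the iterator.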
@@ -3376,11 +3378,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
 	sk->sk_shutdown = SHUTDOWN_MASK;
 	release_sock(sk);
 
+	l2cap_chan_hold(chan);
 	l2cap_chan_del(chan, ECONNRESET);
 
 	l2cap_chan_unlock(chan);
 
 	chan->ops->close(chan->data);
+	l2cap_chan_put(chan);
 
 	mutex_unlock(&conn->chan_lock);
 
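Review bot: l2cap_chan_put(chan) is called after chan->ops->close(chan->data) but before mutex_unlock(&conn->chan_lock); if close() is what releases the socket's own reference to the channel, this put can be the one that frees the channel while conn->chan_lock is still held. Please confirm the channel release path does not take conn->chan_lock or a lock ordered before it; otherwise moving the put below the mutex_unlock sidesteps the question. The hold placement after release_sock(sk) is fine: the channel is still locked at that point and conn->chan_lock is held throughout, so chan is still on the list when the reference is taken.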
@@ -3408,11 +3412,13 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
 
 	l2cap_chan_lock(chan);
 
+	l2cap_chan_hold(chan);
 	l2cap_chan_del(chan, 0);
 
 	l2cap_chan_unlock(chan);
 
 	chan->ops->close(chan->data);
+	l2cap_chan_put(chan);
 
 	mutex_unlock(&conn->chan_lock);
 
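Review bot: this is the third copy of the hold / l2cap_chan_del / l2cap_chan_unlock / ops->close / put sequence in the patch (l2cap_conn_del, l2cap_disconnect_req and here); a small helper such as l2cap_chan_del_and_close(chan, err) would keep the hold and the put from drifting apart in future edits. It would also help to say in the commit message which callers of l2cap_chan_del() were audited, since any other caller that still dereferences chan after the call has the same dangling-pointer problem this patch fixes.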
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 0f30785..82b6368 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk)
 {
 	BT_DBG("sk %p", sk);
 
+	l2cap_chan_put(l2cap_pi(sk)->chan);
 	if (l2cap_pi(sk)->rx_busy_skb) {
 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
 		l2cap_pi(sk)->rx_busy_skb = NULL;
@@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
 		return NULL;
 	}
 
+	l2cap_chan_hold(chan);
+
 	chan->sk = sk;
 
 	l2cap_pi(sk)->chan = chan;
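Review bot: a comment above l2cap_chan_hold(chan) stating that this is the socket's reference, released in l2cap_sock_destruct(), would document the pairing, since the two halves live in different files. The ordering is right: the hold comes before chan->sk = sk and l2cap_pi(sk)->chan = chan, and there is no error return between the hold and the assignment, so the socket never points at a channel it does not hold and the reference cannot leak on this path.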
-- 
1.7.10

--
Mat Martineau
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum
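The dangling-pointer hazard the commit message describes, and the hold/put bracket the patch applies around l2cap_chan_del() and ops->close(), as an added user-space model. This is example code written for this page, not code from the patch or the kernel: the names chan_hold, chan_put, chan_add, chan_del and ops->close mirror the l2cap names, but the reference ownership (the creator holds one reference, the connection's channel list holds another that chan_del drops) and the live[]/closed[] bookkeeping are constructed assumptions of the model, and the "creator already dropped its reference" scenario is constructed to make the list reference the last one at teardown.

```c
#include <stdlib.h>

#define MAX_CHANS 8

/* Constructed bookkeeping so the example can observe a channel's fate
 * without touching freed memory; there is no kernel equivalent. */
static int live[MAX_CHANS];    /* 1 while the chan with that id is allocated */
static int closed[MAX_CHANS];  /* 1 once ops->close() has run for that id */

struct chan;
struct chan_ops { void (*close)(struct chan *c); };

struct chan {
	int id;
	int refcnt;                 /* models the kref in struct l2cap_chan (assumption) */
	int on_list;                /* models membership in conn->chan_l (assumption) */
	const struct chan_ops *ops;
};

static void chan_hold(struct chan *c) { c->refcnt++; }

/* Returns 1 when this put released the last reference and freed c. */
static int chan_put(struct chan *c)
{
	if (--c->refcnt > 0)
		return 0;
	live[c->id] = 0;
	free(c);
	return 1;
}

static void sock_close(struct chan *c) { closed[c->id] = 1; }
static const struct chan_ops sock_ops = { .close = sock_close };

/* The creator owns the first reference (assumed, as after l2cap_chan_create()). */
static struct chan *chan_create(int id)
{
	struct chan *c = calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	c->id = id;
	c->refcnt = 1;
	c->ops = &sock_ops;
	live[id] = 1;
	return c;
}

/* Assumed model: the channel list holds its own reference and drops it
 * on removal; that drop may be the last one. */
static void chan_add(struct chan *c) { chan_hold(c); c->on_list = 1; }
static void chan_del(struct chan *c) { c->on_list = 0; chan_put(c); }

/* Pre-patch shape: chan_del(), then ops->close() through the same stack
 * pointer.  Returns 1 if close() would have run on freed memory. */
static int teardown_unsafe(struct chan *c)
{
	int id = c->id;

	chan_del(c);
	if (!live[id])
		return 1;      /* c is dangling; the real code would touch it here */
	c->ops->close(c);
	return 0;
}

/* Patched shape: a temporary reference pins chan across chan_del() and
 * ops->close(); nothing touches c after the final put. */
static int teardown_safe(struct chan *c)
{
	int id = c->id;
	int dangling;

	chan_hold(c);
	chan_del(c);
	dangling = !live[id];  /* always 0: our hold keeps c alive */
	c->ops->close(c);
	chan_put(c);
	return dangling;
}

/* Constructed scenario: the creator has already dropped its reference, so
 * the list reference is the last one when teardown runs.  Returns 1 if
 * close() ran on a live object that was then freed, 0 if the pointer was
 * dangling and close() had to be skipped, -1 on allocation failure. */
static int run_scenario(int id, int (*teardown)(struct chan *))
{
	struct chan *c = chan_create(id);
	if (!c)
		return -1;
	chan_add(c);
	chan_put(c);           /* creator lets go; only the list ref remains */
	if (teardown(c))
		return 0;
	return closed[id] && !live[id];
}

int main(void)
{
	return (run_scenario(0, teardown_unsafe) == 0 &&
		run_scenario(1, teardown_safe) == 1) ? 0 : 1;
}
```

The unsafe teardown never gets to run close() because chan_del() released the last reference; the safe one reaches close() on a live object and the object is freed only by the temporary reference's put, which is exactly the ordering the hunks in l2cap_conn_del, l2cap_disconnect_req and l2cap_disconnect_rsp establish.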

Thread overview: 18+ messages
2012-04-27 23:50 [RFCv2 0/8] ERTM state machine changes, part 2 Mat Martineau
2012-04-27 23:50 ` [RFCv2 1/8] Bluetooth: Initialize new l2cap_chan structure members Mat Martineau
2012-04-27 23:50 ` [RFCv2 2/8] Bluetooth: Remove unused function Mat Martineau
2012-04-27 23:50 ` Mat Martineau [this message]
2012-04-29 20:25   ` [RFCv2 3/8] Bluetooth: Make better use of l2cap_chan reference counting Gustavo Padovan
2012-04-27 23:50 ` [RFCv2 4/8] Bluetooth: Fix a redundant and problematic incoming MTU check Mat Martineau
2012-04-28  0:18   ` Gustavo Padovan
2012-04-30 21:04     ` Mat Martineau
2012-04-30 21:31       ` Ulisses Furquim
2012-04-27 23:50 ` [RFCv2 5/8] Bluetooth: Restore locking semantics when looking up L2CAP channels Mat Martineau
2012-04-29 20:25   ` Gustavo Padovan
2012-04-30 15:02     ` Mat Martineau
2012-04-27 23:50 ` [RFCv2 6/8] Bluetooth: Lock the L2CAP channel when sending Mat Martineau
2012-04-28  0:30   ` Gustavo Padovan
2012-04-30 15:27     ` Mat Martineau
2012-04-27 23:50 ` [RFCv2 7/8] Bluetooth: Refactor L2CAP ERTM and streaming transmit segmentation Mat Martineau
2012-04-27 23:50 ` [RFCv2 8/8] Bluetooth: Add Code Aurora Forum copyright Mat Martineau
2012-04-29 20:26   ` Gustavo Padovan
