From: Marcel Holtmann <marcel@holtmann.org>
To: Mat Martineau <mathewm@codeaurora.org>
Cc: linux-bluetooth@vger.kernel.org, padovan@profusion.mobi,
pkrystad@codeaurora.org
Subject: Re: [PATCH 1/2] Bluetooth: Clear RFCOMM session timer when disconnecting last channel
Date: Fri, 09 Dec 2011 00:13:07 +0200 [thread overview]
Message-ID: <1323382387.1965.48.camel@aeonflux> (raw)
In-Reply-To: <alpine.DEB.2.02.1112080840370.3944@mathewm-linux>
Hi Mat,
> >> When the last RFCOMM data channel is closed, a timer is normally set
> >> up to disconnect the control channel at a later time. If the control
> >> channel disconnect command is sent with the timer pending, the timer
> >> needs to be cancelled.
> >>
> >> If the timer is not cancelled in this situation, the reference
> >> counting logic for the RFCOMM session does not work correctly when the
> >> remote device closes the L2CAP connection. The session is freed at
> >> the wrong time, leading to a kernel panic.
> >>
> >> Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
> >> ---
> >> net/bluetooth/rfcomm/core.c | 1 +
> >> 1 files changed, 1 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> >> index 4e32e18..2d28dfe 100644
> >> --- a/net/bluetooth/rfcomm/core.c
> >> +++ b/net/bluetooth/rfcomm/core.c
> >> @@ -1146,6 +1146,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
> >> if (list_empty(&s->dlcs)) {
> >> s->state = BT_DISCONN;
> >> rfcomm_send_disc(s, 0);
> >> + rfcomm_session_clear_timer(s);
> >> }
> >
> > I am not 100% convinced that this is correct, but going through the code
> > for over an hour I could not come up with a case where this would cause
> > problems. It is just a feeling and with RFCOMM that could be just a
> > bogus feeling ;)
> >
> > Acked-by: Marcel Holtmann <marcel@holtmann.org>
>
> The purpose of the timer is to set s->state to BT_DISCONN and call
> rfcomm_send_disc(s, 0) - if those actions have already happened here,
> it doesn't make sense to do so again after a timeout! 100% convinced
> yet?
I just close my eyes and believe you ;)
But on a serious note, can you get the BITE tester run the RFCOMM suite
against this change. Just to make sure it did not accidentally mess up
the qualification.
Regards
Marcel
next prev parent reply other threads:[~2011-12-08 22:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-07 0:23 [PATCH 0/2] Bug fixes for RFCOMM and L2CAP Mat Martineau
2011-12-07 0:23 ` [PATCH 1/2] Bluetooth: Clear RFCOMM session timer when disconnecting last channel Mat Martineau
2011-12-08 8:25 ` Marcel Holtmann
2011-12-08 16:57 ` Mat Martineau
2011-12-08 22:13 ` Marcel Holtmann [this message]
2011-12-07 0:23 ` [PATCH 2/2] Bluetooth: Prevent uninitialized data access in L2CAP configuration Mat Martineau
2011-12-08 8:29 ` Marcel Holtmann
2011-12-08 21:32 ` Mat Martineau
2011-12-16 23:58 ` [PATCH 0/2] Bug fixes for RFCOMM and L2CAP Mat Martineau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1323382387.1965.48.camel@aeonflux \
--to=marcel@holtmann.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=mathewm@codeaurora.org \
--cc=padovan@profusion.mobi \
--cc=pkrystad@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).