From: Mat Martineau <mathewm@codeaurora.org>
To: linux-bluetooth@vger.kernel.org, gustavo@padovan.org,
marcel@holtmann.org
Cc: pkrystad@codeaurora.org, andrei.emeltchenko.news@gmail.com
Subject: [RFCv2 3/8] Bluetooth: Make better use of l2cap_chan reference counting
Date: Fri, 27 Apr 2012 16:50:50 -0700 [thread overview]
Message-ID: <1335570655-30878-4-git-send-email-mathewm@codeaurora.org> (raw)
In-Reply-To: <1335570655-30878-1-git-send-email-mathewm@codeaurora.org>
L2CAP sockets contain a pointer to l2cap_chan that needs to be
reference counted in order to prevent a possible dangling pointer when
the channel is freed.
There were a few other cases where an l2cap_chan pointer on the stack
was dereferenced after a call to l2cap_chan_del. Those pointers are
also now reference counted.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
---
net/bluetooth/l2cap_core.c | 6 ++++++
net/bluetooth/l2cap_sock.c | 3 +++
2 files changed, 9 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c3d3cfc..5963cd2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1257,6 +1257,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
/* Kill channels */
list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
+ l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
l2cap_chan_del(chan, err);
@@ -1264,6 +1265,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
l2cap_chan_unlock(chan);
chan->ops->close(chan->data);
+ l2cap_chan_put(chan);
}
mutex_unlock(&conn->chan_lock);
@@ -3376,11 +3378,13 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
sk->sk_shutdown = SHUTDOWN_MASK;
release_sock(sk);
+ l2cap_chan_hold(chan);
l2cap_chan_del(chan, ECONNRESET);
l2cap_chan_unlock(chan);
chan->ops->close(chan->data);
+ l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock);
@@ -3408,11 +3412,13 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
l2cap_chan_lock(chan);
+ l2cap_chan_hold(chan);
l2cap_chan_del(chan, 0);
l2cap_chan_unlock(chan);
chan->ops->close(chan->data);
+ l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 0f30785..82b6368 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk)
{
BT_DBG("sk %p", sk);
+ l2cap_chan_put(l2cap_pi(sk)->chan);
if (l2cap_pi(sk)->rx_busy_skb) {
kfree_skb(l2cap_pi(sk)->rx_busy_skb);
l2cap_pi(sk)->rx_busy_skb = NULL;
@@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
return NULL;
}
+ l2cap_chan_hold(chan);
+
chan->sk = sk;
l2cap_pi(sk)->chan = chan;
--
1.7.10
--
Mat Martineau
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum
next prev parent reply other threads:[~2012-04-27 23:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-27 23:50 [RFCv2 0/8] ERTM state machine changes, part 2 Mat Martineau
2012-04-27 23:50 ` [RFCv2 1/8] Bluetooth: Initialize new l2cap_chan structure members Mat Martineau
2012-04-27 23:50 ` [RFCv2 2/8] Bluetooth: Remove unused function Mat Martineau
2012-04-27 23:50 ` Mat Martineau [this message]
2012-04-29 20:25 ` [RFCv2 3/8] Bluetooth: Make better use of l2cap_chan reference counting Gustavo Padovan
2012-04-27 23:50 ` [RFCv2 4/8] Bluetooth: Fix a redundant and problematic incoming MTU check Mat Martineau
2012-04-28 0:18 ` Gustavo Padovan
2012-04-30 21:04 ` Mat Martineau
2012-04-30 21:31 ` Ulisses Furquim
2012-04-27 23:50 ` [RFCv2 5/8] Bluetooth: Restore locking semantics when looking up L2CAP channels Mat Martineau
2012-04-29 20:25 ` Gustavo Padovan
2012-04-30 15:02 ` Mat Martineau
2012-04-27 23:50 ` [RFCv2 6/8] Bluetooth: Lock the L2CAP channel when sending Mat Martineau
2012-04-28 0:30 ` Gustavo Padovan
2012-04-30 15:27 ` Mat Martineau
2012-04-27 23:50 ` [RFCv2 7/8] Bluetooth: Refactor L2CAP ERTM and streaming transmit segmentation Mat Martineau
2012-04-27 23:50 ` [RFCv2 8/8] Bluetooth: Add Code Aurora Forum copyright Mat Martineau
2012-04-29 20:26 ` Gustavo Padovan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1335570655-30878-4-git-send-email-mathewm@codeaurora.org \
--to=mathewm@codeaurora.org \
--cc=andrei.emeltchenko.news@gmail.com \
--cc=gustavo@padovan.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=pkrystad@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).