* Possible bluetooth HCI socket bug
@ 2003-11-25 2:58 David S. Miller
From: David S. Miller @ 2003-11-25 2:58 UTC (permalink / raw)
To: maxk; +Cc: netdev
Hello Maxim.
I was auditing something independently (sock_queue_rcv_skb() usage, some
protocols were racy) when I ran into some issues that might be bugs
we need to fix in the bluetooth stack.
In hci_send_frame(), I'm highly doubtful of the skb_orphan() call you
make there.
Socket ownership of the buffer should be sustained until the transmission
by the device is complete and it frees up the buffer via dev_kfree_skb()
or similar.
Even in the cases where hci_send_to_sock() is called, that code clones
a new SKB for those purposes so it does not change the situation as far
as hci_send_frame() is concerned.
If socket ownership of an SKB buffer is liberated too early, this gives
the socket a window in which to over-commit its socket buffer queue
limits.
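Added illustration, not part of the mail and not kernel code: a user-space model of the send-buffer accounting the mail describes, showing why an early skb_orphan() lets a socket queue past its limit. The struct and helper names (sock, skb, alloc_send_skb, orphan, dev_kfree, frames_in_flight) are simplified stand-ins, not the kernel's own APIs.

```c
/* Model of socket TX-buffer ownership (constructed example, not kernel code).
 * sk_wmem_alloc is charged when a socket allocates an skb and released only
 * when the device frees it. Orphaning the skb at send time drops the charge
 * before transmission completes, so sk_sndbuf no longer bounds what is queued. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct sock { size_t sk_sndbuf; size_t sk_wmem_alloc; };
struct skb  { struct sock *sk; size_t truesize; struct skb *next; };

/* sock_alloc_send_skb-like: refuse once the charge would exceed sndbuf. */
static struct skb *alloc_send_skb(struct sock *sk, size_t truesize) {
    if (sk->sk_wmem_alloc + truesize > sk->sk_sndbuf)
        return NULL;                        /* the real kernel would block here */
    struct skb *skb = calloc(1, sizeof *skb);
    skb->sk = sk; skb->truesize = truesize;
    sk->sk_wmem_alloc += truesize;          /* socket now owns the buffer */
    return skb;
}

/* skb_orphan-like: release the socket's charge immediately. */
static void orphan(struct skb *skb) {
    if (skb->sk) { skb->sk->sk_wmem_alloc -= skb->truesize; skb->sk = NULL; }
}

/* dev_kfree_skb-like: device is done; ownership should end only here. */
static void dev_kfree(struct skb *skb) { orphan(skb); free(skb); }

/* Queue up to n frames of 'size' bytes on a device TX queue that has not
 * completed anything yet; returns the bytes that got in flight. With
 * orphan_on_send (the hci_send_frame() pattern questioned in the mail)
 * the socket limit stops bounding the queue. */
static size_t frames_in_flight(size_t sndbuf, size_t size, int n, bool orphan_on_send) {
    struct sock sk = { .sk_sndbuf = sndbuf, .sk_wmem_alloc = 0 };
    struct skb *txq = NULL;
    size_t queued = 0;
    for (int i = 0; i < n; i++) {
        struct skb *skb = alloc_send_skb(&sk, size);
        if (!skb) break;                    /* sndbuf limit enforced */
        if (orphan_on_send) orphan(skb);    /* early release of ownership */
        skb->next = txq; txq = skb; queued += size;
    }
    while (txq) { struct skb *s = txq; txq = s->next; dev_kfree(s); }  /* TX completes */
    return queued;
}
```

With a 4096-byte sndbuf and 1024-byte frames, ownership held until completion stops the socket at four frames; orphaning at send lets all ten through.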