linux/net/bluetooth
Nick Pelly 6c2718da59 Bluetooth: Do not call rfcomm_session_put() for RFCOMM UA on closed socket
Processing an RFCOMM UA frame when the socket is closed and we were
not the RFCOMM initiator would cause rfcomm_session_put() to be called
twice during rfcomm_process_rx(). This would then cause a kernel panic in
rfcomm_session_close().

This could be easily reproduced during disconnect with devices such as
Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect
request. The trace for this looks like:

2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0041 len 4 [psm 3]
     RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets (0x13) plen 5
   handle 1 packets 1
2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0040 len 4 [psm 3]
     RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0041 len 4 [psm 3]
     RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets (0x13) plen 5
   handle 1 packets 1
2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8
   L2CAP(d): cid 0x0040 len 4 [psm 3]
     RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12
   L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041

Avoid calling rfcomm_session_put() twice by skipping this call
in rfcomm_recv_ua() if the socket is closed.

Signed-off-by: Nick Pelly <npelly@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2010-02-03 16:28:44 -08:00
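Added illustration, not kernel code and not part of the commit: a constructed C model of the reference-count sequence the message describes. The function names follow the commit's, but the struct fields, the replay path and the "rest of rfcomm_process_rx()" step are assumptions made for the model.

```c
#include <stdbool.h>

/* Constructed model of the double put described in the commit message.
 * Not the kernel's data structures: only the refcount and the two state
 * bits the message mentions (socket closed, RFCOMM initiator) are kept. */
struct rfcomm_session {
    int refcnt;          /* references held on the session */
    int puts_after_free; /* puts seen once refcnt already hit zero */
    bool sock_closed;    /* the socket is already closed */
    bool initiator;      /* we opened the RFCOMM session */
};

static void rfcomm_session_put(struct rfcomm_session *s)
{
    if (s->refcnt <= 0) {
        /* In the real stack this is where rfcomm_session_close() panics. */
        s->puts_after_free++;
        return;
    }
    s->refcnt--;
}

/* UA handler (modelled). The non-initiator side drops its reference here;
 * with skip_when_closed set (the fix) it does not when the socket is closed. */
static void rfcomm_recv_ua(struct rfcomm_session *s, bool skip_when_closed)
{
    if (s->initiator)
        return;
    if (skip_when_closed && s->sock_closed)
        return;
    rfcomm_session_put(s);
}

/* Assumed remainder of rfcomm_process_rx() for a closed socket: it drops
 * the reference as well, so a put in the UA handler makes two for one
 * session. */
static void rfcomm_process_rx_closed(struct rfcomm_session *s)
{
    rfcomm_session_put(s);
}

/* Replays a UA on a closed, non-initiator session and reports how many
 * puts landed on an already-freed session: 0 is correct, 1 is the bug. */
int replay_ua_on_closed_socket(bool fixed)
{
    struct rfcomm_session s = { .refcnt = 1, .puts_after_free = 0,
                                .sock_closed = true, .initiator = false };
    rfcomm_recv_ua(&s, fixed);
    rfcomm_process_rx_closed(&s);
    return s.puts_after_free;
}
```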
bnep Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
cmtp net: pass kern to net_proto_family create function 2009-11-05 22:18:14 -08:00
hidp Bluetooth: Use the control channel for raw HID reports 2010-01-30 05:57:39 -08:00
rfcomm Bluetooth: Do not call rfcomm_session_put() for RFCOMM UA on closed socket 2010-02-03 16:28:44 -08:00
af_bluetooth.c net: pass kern to net_proto_family create function 2009-11-05 22:18:14 -08:00
hci_conn.c Bluetooth: Set general bonding security for ACL by default 2009-11-16 01:30:28 +01:00
hci_core.c Bluetooth: Unobfuscate tasklet_schedule usage 2009-12-03 19:34:21 +01:00
hci_event.c Bluetooth: Fallback eSCO to SCO on error 0x1a (Unsupported Remote Feature) 2010-02-03 12:05:01 -08:00
hci_sock.c Bluetooth: Unobfuscate tasklet_schedule usage 2009-12-03 19:34:21 +01:00
hci_sysfs.c bluetooth: scheduling while atomic bug fix 2009-10-19 19:36:45 -07:00
Kconfig Bluetooth: Add missing selection of CONFIG_CRC16 for L2CAP layer 2009-08-24 16:34:35 -07:00
l2cap.c Bluetooth: Fix memory leak in L2CAP 2010-01-30 05:57:20 -08:00
lib.c [NET] BLUETOOTH: Fix whitespace errors. 2007-02-10 23:19:20 -08:00
Makefile
sco.c net: pass kern to net_proto_family create function 2009-11-05 22:18:14 -08:00