diff options
author | Dean Jenkins <Dean_Jenkins@mentor.com> | 2013-02-28 18:21:55 +0400 |
---|---|---|
committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2013-03-08 17:40:24 +0400 |
commit | 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905 (patch) | |
tree | 681a2468209aff5c83cd7c3bafe1eb6c38123c63 /include/net/bluetooth/rfcomm.h | |
parent | c06f7d532aa6f78b2847e3b651c0da27fc3296c0 (diff) | |
download | linux-8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905.tar.xz |
Bluetooth: Return RFCOMM session ptrs to avoid freed session
Unfortunately, the design retains local copies of the s RFCOMM
session pointer in various code blocks and this invites the erroneous
access to a freed RFCOMM session structure.
Therefore, return the RFCOMM session pointer back up the call stack
to avoid accessing a freed RFCOMM session structure. When the RFCOMM
session is deleted, NULL is passed up the call stack.
If active DLCs exist when the rfcomm session is terminating,
avoid a memory leak of rfcomm_dlc structures by ensuring that
rfcomm_session_close() is used instead of rfcomm_session_del().
Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'include/net/bluetooth/rfcomm.h')
-rw-r--r-- | include/net/bluetooth/rfcomm.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h index e2e3ecad1008..a4e38ead2282 100644 --- a/include/net/bluetooth/rfcomm.h +++ b/include/net/bluetooth/rfcomm.h @@ -278,7 +278,8 @@ void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, static inline void rfcomm_session_hold(struct rfcomm_session *s) { - atomic_inc(&s->refcnt); + if (s) + atomic_inc(&s->refcnt); } /* ---- RFCOMM sockets ---- */ |