From: Doron Keren <doronkeren@xxxxxx> When receiving rfcomm-disconnect-request, and right after receiving l2cap-disconnect-request. The rfcomm disconnect function calls rfcomm_session_close() function. The l2cap-disconnect-request closed the socket. The rfcomm_process_rx funcion at the end, checks if the socket is closed and calls again to rfcomm_session_close() function, that lead to kernel crash, because the rfcomm session list is already deleted on the first call. The bug is fixed by adding to the socket state check, test that the session state is not already closed. The bug can be reproduced by turning on the Bluetooth and push some file from another Bluetooth device (PC/Phone). The kernel crash log- rfcomm_process_rx: session c5d37340 state 1 qlen 1 rfcomm_recv_disc: session c5d37340 state 1 dlci 0 rfcomm_session_close: session c5d37340 state 9 err 104 l2cap_disconnect_req: scid 0x0041 dcid 0x0040 __l2cap_state_change: chan c6703000 BT_CONNECTED -> BT_CLOSED rfcomm_l2state_change: c675f800 state 9 rfcomm_session_del: session c5d37340 state 9 list next=c7321a80, prev=bf05b838 rfcomm_session_close: session c5d37340 state 9 err 104 rfcomm_session_del: session c5d37340 state 9 list next=c5d376c0, prev=00200200 Unable to handle kernel paging request at virtual address 00200200 PC is at rfcomm_session_del+0x58/0x94 [rfcomm] --- net/bluetooth/rfcomm/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index c75107e..077890f 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -1861,7 +1861,7 @@ static void rfcomm_process_rx(struct rfcomm_session *s) kfree_skb(skb); } - if (sk->sk_state == BT_CLOSED) { + if ((sk->sk_state == BT_CLOSED) && (s->state != BT_CLOSED)) { if (!s->initiator) rfcomm_session_put(s); -- 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html