Hi Johan,

> The l2cap_recv_frame function is expected to take ownership and
> eventually free the skb passed to it. We need to ensure that the
> conn->rx_skb pointer is no longer reachable when calling
> l2cap_recv_frame so that no other function, such as l2cap_conn_del, may
> think that it can free conn->rx_skb.
>
> An actual situation when this can happen is when smp_sig_channel (called
> from l2cap_recv_frame) fails and l2cap_conn_del gets called as a
> consequence. The l2cap_conn_del function would then try to free
> conn->rx_skb, but as the same skb was just passed to smp_sig_channel and
> freed we get a double-free.
>
> Signed-off-by: Johan Hedberg <johan.hedberg@xxxxxxxxx>
> ---
>  net/bluetooth/l2cap_core.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Patch has been applied to bluetooth-next tree.

Regards

Marcel

--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
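The ownership hand-off that the commit message describes, as an added user-space model (not kernel code, not Johan's patch, and not the l2cap_core.c implementation): `struct skb`, `struct l2cap_conn`, `kfree_skb`, `l2cap_conn_del`, `smp_sig_channel` and `l2cap_recv_frame` are stand-ins that mirror the names in the message, their bodies are assumptions chosen only to reproduce the failure path. `dispatch_buggy` passes `conn->rx_skb` down while the pointer is still reachable through `conn`; `dispatch_fixed` detaches it first, which is the property the message says the patch enforces. The fake `kfree_skb` counts a second free of the same skb instead of corrupting a heap, so the double-free becomes an observable return value.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Assumed, simplified stand-ins for the kernel objects named in the
 * commit message. Only the ownership rules matter here: whoever holds
 * the last reachable pointer to an skb is responsible for freeing it.
 */
struct skb {
    int freed;          /* set once kfree_skb() has run on this skb */
};

struct l2cap_conn {
    struct skb *rx_skb; /* partially reassembled frame owned by conn */
};

static int double_frees; /* number of second frees detected in a run */

/* Fake kfree_skb: detects a double free instead of corrupting the heap. */
static void kfree_skb(struct skb *skb)
{
    if (!skb)
        return;
    if (skb->freed) {
        double_frees++;   /* bug: this skb was already freed */
        return;
    }
    skb->freed = 1;
}

/* Models l2cap_conn_del: drops whatever conn still believes it owns. */
static void l2cap_conn_del(struct l2cap_conn *conn)
{
    kfree_skb(conn->rx_skb);
    conn->rx_skb = NULL;
}

/*
 * Models smp_sig_channel: takes ownership of skb and always frees it;
 * when the caller asks it to fail, the connection is torn down as a
 * consequence, exactly the sequence the commit message describes.
 */
static int smp_sig_channel(struct l2cap_conn *conn, struct skb *skb, int fail)
{
    kfree_skb(skb);
    if (fail) {
        l2cap_conn_del(conn);
        return -1;
    }
    return 0;
}

/* Models l2cap_recv_frame: owns skb from here on and hands it to SMP. */
static int l2cap_recv_frame(struct l2cap_conn *conn, struct skb *skb, int fail)
{
    return smp_sig_channel(conn, skb, fail);
}

/* Before: conn->rx_skb is still reachable while l2cap_recv_frame runs. */
static int dispatch_buggy(struct l2cap_conn *conn, int fail)
{
    return l2cap_recv_frame(conn, conn->rx_skb, fail);
}

/* After: detach the skb from conn before transferring ownership. */
static int dispatch_fixed(struct l2cap_conn *conn, int fail)
{
    struct skb *rx_skb = conn->rx_skb;

    conn->rx_skb = NULL;
    return l2cap_recv_frame(conn, rx_skb, fail);
}

/* Runs one scenario on a fresh conn/skb; returns double frees observed. */
static int run(int (*dispatch)(struct l2cap_conn *, int), int fail)
{
    struct skb skb = { 0 };
    struct l2cap_conn conn = { .rx_skb = &skb };

    double_frees = 0;
    dispatch(&conn, fail);
    return double_frees;
}

int main(void)
{
    printf("buggy, smp ok:   %d double free(s)\n", run(dispatch_buggy, 0));
    printf("buggy, smp fail: %d double free(s)\n", run(dispatch_buggy, 1));
    printf("fixed, smp ok:   %d double free(s)\n", run(dispatch_fixed, 0));
    printf("fixed, smp fail: %d double free(s)\n", run(dispatch_fixed, 1));
    return 0;
}
```

Only the combination of the buggy dispatch and an SMP failure reports a double free: the success path frees the skb exactly once either way, which is why the bug only shows up on the error path. The fix is cheap because clearing `conn->rx_skb` before the call costs nothing on the success path and removes the stale pointer that `l2cap_conn_del` would otherwise act on.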