Re: [PATCH 1/2] Bluetooth: Fix NULL pointer dereference when disconnecting

Hi Johan,

> When disconnecting it is possible that the l2cap_conn pointer is already
> NULL when bt_6lowpan_del_conn() is entered. Looking at l2cap_conn_del
> also verifies this as there's a NULL check there too. This patch adds
> the missing NULL check without which the following bug may occur:
> 
> BUG: unable to handle kernel NULL pointer dereference at   (null)
> IP: [<c131e9c7>] bt_6lowpan_del_conn+0x19/0x12a
> *pde = 00000000
> Oops: 0000 [#1] SMP
> CPU: 1 PID: 52 Comm: kworker/u5:1 Not tainted 3.12.0+ #196
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Workqueue: hci0 hci_rx_work
> task: f6259b00 ti: f48c0000 task.ti: f48c0000
> EIP: 0060:[<c131e9c7>] EFLAGS: 00010282 CPU: 1
> EIP is at bt_6lowpan_del_conn+0x19/0x12a
> EAX: 00000000 EBX: ef094e10 ECX: 00000000 EDX: 00000016
> ESI: 00000000 EDI: f48c1e60 EBP: f48c1e50 ESP: f48c1e34
> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> CR0: 8005003b CR2: 00000000 CR3: 30c65000 CR4: 00000690
> Stack:
> f4d38000 00000000 f4d38000 00000002 ef094e10 00000016 f48c1e60 f48c1e70
> c1316bed f48c1e84 c1316bed 00000000 00000001 ef094e10 f48c1e84 f48c1ed0
> c1303cc6 c1303c7b f31f331a c1303cc6 f6e7d1c0 f3f8ea16 f3f8f380 f4d38008
> Call Trace:
> [<c1316bed>] l2cap_disconn_cfm+0x3f/0x5b
> [<c1316bed>] ? l2cap_disconn_cfm+0x3f/0x5b
> [<c1303cc6>] hci_event_packet+0x645/0x2117
> [<c1303c7b>] ? hci_event_packet+0x5fa/0x2117
> [<c1303cc6>] ? hci_event_packet+0x645/0x2117
> [<c12681bd>] ? __kfree_skb+0x65/0x68
> [<c12681eb>] ? kfree_skb+0x2b/0x2e
> [<c130d3fb>] ? hci_send_to_sock+0x18d/0x199
> [<c12fa327>] hci_rx_work+0xf9/0x295
> [<c12fa327>] ? hci_rx_work+0xf9/0x295
> [<c1036d25>] process_one_work+0x128/0x1df
> [<c1346a39>] ? _raw_spin_unlock_irq+0x8/0x12
> [<c1036d25>] ? process_one_work+0x128/0x1df
> [<c103713a>] worker_thread+0x127/0x1c4
> [<c1037013>] ? rescuer_thread+0x216/0x216
> [<c103aec6>] kthread+0x88/0x8d
> [<c1040000>] ? task_rq_lock+0x37/0x6e
> [<c13474b7>] ret_from_kernel_thread+0x1b/0x28
> [<c103ae3e>] ? __kthread_parkme+0x50/0x50
> Code: 05 b8 f4 ff ff ff 8d 65 f4 5b 5e 5f 5d 8d 67 f8 5f c3 57 8d 7c 24 08 83 e4 f8 ff 77 fc 55 89 e5 57 56f
> EIP: [<c131e9c7>] bt_6lowpan_del_conn+0x19/0x12a SS:ESP 0068:f48c1e34
> CR2: 0000000000000000
> 
> Signed-off-by: Johan Hedberg <johan.hedberg@xxxxxxxxx>
> ---
> net/bluetooth/6lowpan.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Patch has been applied to the bluetooth-next tree.

Regards

Marcel
