On 02/14/2014 12:35 PM, Kirill Tkhai wrote:
> Function del_timer() does not guarantee that timer was really deleted. If the timer handler is being executed at the moment, the function just returns. So, it's possible to use already freed memory in the handler:
This is not enough. The timer must be deleted in bcsp_close() before hu->priv is set to NULL as the timer code dereferences hu->priv. There is a similar issue in hci_h5.c where the timer must be stopped before purging h5->unack.

-m.
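As an added illustration (not code from this thread or from the kernel), here is a single-threaded userspace model of the ordering the reply asks for: a non-waiting del_timer() followed by clearing hu->priv lets an in-flight handler dereference NULL, while a waiting del_timer_sync() before the clear does not. Struct and field names loosely mirror hci_bcsp.c; the timer itself is modelled with flags, and "waiting" is modelled by letting the running handler finish inline.

```c
/* Model of the bcsp_close() timer race: the handler reads hu->priv,
 * so the timer must be stopped AND waited for before hu->priv is cleared. */
#include <stdbool.h>
#include <stddef.h>

struct hci_uart { void *priv; };          /* hu->priv points at the bcsp state */
struct bcsp_model { int txack_req; };

struct timer_model {
    bool pending;            /* timer is armed */
    bool in_handler;         /* handler already started on another CPU */
    bool handler_hit_null;   /* records the use of a cleared hu->priv */
    struct hci_uart *hu;
};

/* Handler, as in the real driver, dereferences hu->priv unconditionally. */
static void bcsp_timer_model(struct timer_model *t)
{
    struct bcsp_model *bcsp = t->hu->priv;
    t->in_handler = false;
    if (!bcsp) { t->handler_hit_null = true; return; }
    bcsp->txack_req = 1;
}

/* del_timer(): disarms, but returns at once even if the handler is running. */
static void del_timer_model(struct timer_model *t) { t->pending = false; }

/* del_timer_sync(): disarms and waits for a running handler to finish.
 * In this single-threaded model "waiting" means running it to completion here. */
static void del_timer_sync_model(struct timer_model *t)
{
    del_timer_model(t);
    if (t->in_handler)
        bcsp_timer_model(t);
}

/* Runs a close sequence; returns true if the handler saw hu->priv == NULL. */
static bool run_close(bool use_sync, bool handler_running)
{
    struct bcsp_model bcsp = {0};
    struct hci_uart hu = { .priv = &bcsp };
    struct timer_model t = { .pending = true, .in_handler = handler_running, .hu = &hu };

    if (use_sync)
        del_timer_sync_model(&t);   /* correct: handler done before priv goes */
    else
        del_timer_model(&t);        /* buggy: handler may still be running */
    hu.priv = NULL;                 /* the close path clears hu->priv here */
    if (t.in_handler)               /* in-flight handler now reaches the deref */
        bcsp_timer_model(&t);
    return t.handler_hit_null;
}
```

run_close(false, true) reproduces the fault the reply describes; run_close(true, true) shows the sync variant completing the handler while hu->priv is still valid.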