On Fri, 14/02/2014 at 13:01 +0100, Michael Knudsen wrote:
> On 02/14/2014 12:35 PM, Kirill Tkhai wrote:
> > Function del_timer() does not guarantee that timer was really deleted.
> > If the timer handler is being executed at the moment, the function
> > just returns. So, it's possible to use already freed memory in the handler:
>
> This is not enough. The timer must be deleted in bcsp_close() before
> hu->priv is set to NULL as the timer code dereferences hu->priv.
>
> There is a similar issue in hci_h5.c where the timer must be stopped
> before purging h5->unack.
>
> -m.

Good, consider my email as reported-by. Please, fix that if you get on well
with bluetooth stack. I am far from it.

Kirill
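The ordering problem discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a single-threaded userspace model in which the timer handler is already mid-execution when the close path runs. The `model_*` functions, `run_close()` and the struct layouts are hypothetical stand-ins for `del_timer()`, `del_timer_sync()`, `bcsp_close()` and `hu->priv`.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed userspace model: the handler runs in two steps so that a
 * close path can be interleaved between them. */
struct priv { int unack; };
struct uart { struct priv *priv; };                 /* stands in for hu */
struct timer { int pending, running; struct uart *hu; int bad_derefs; };

/* Timer expires: the handler has started and is now mid-execution. */
static void timer_fire(struct timer *t) { t->pending = 0; t->running = 1; }

/* Remainder of the handler: this is where hu->priv gets dereferenced. */
static void handler_finish(struct timer *t) {
    if (t->hu->priv == NULL) t->bad_derefs++;       /* stale/NULL access */
    t->running = 0;
}
/* Models del_timer(): dequeues a pending timer, never waits for a handler. */
static int model_del_timer(struct timer *t) {
    int was_pending = t->pending;
    t->pending = 0;
    return was_pending;
}
/* Models del_timer_sync(): additionally waits until a running handler ends. */
static int model_del_timer_sync(struct timer *t) {
    int was_pending = model_del_timer(t);
    if (t->running) handler_finish(t);              /* "wait" = let it finish */
    return was_pending;
}

enum order { DEL_THEN_CLEAR, CLEAR_THEN_SYNC, SYNC_THEN_CLEAR };

/* Runs one close ordering against an in-flight handler; returns bad derefs. */
static int run_close(enum order o) {
    struct priv p = { 0 };
    struct uart hu = { &p };
    struct timer t = { 1, 0, &hu, 0 };
    timer_fire(&t);
    switch (o) {
    case DEL_THEN_CLEAR:  model_del_timer(&t);      hu.priv = NULL; break;
    case CLEAR_THEN_SYNC: hu.priv = NULL; model_del_timer_sync(&t); break;
    case SYNC_THEN_CLEAR: model_del_timer_sync(&t); hu.priv = NULL; break;
    }
    if (t.running) handler_finish(&t);   /* handler resumes after close returned */
    return t.bad_derefs;
}

int main(void) {
    printf("del,clear=%d clear,sync=%d sync,clear=%d\n", run_close(DEL_THEN_CLEAR),
           run_close(CLEAR_THEN_SYNC), run_close(SYNC_THEN_CLEAR));
    return 0;
}
```

Only the ordering that waits for the handler first and clears the private data afterwards reports zero bad accesses in this model.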