The patch titled rfcomm/core.c: avoid dangling pointer, check session exists has been removed from the -mm tree. Its filename was rfcomm-corec-avoid-dangling-pointer-check-session-exists.patch This patch was dropped because it was withdrawn The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: rfcomm/core.c: avoid dangling pointer, check session exists From: David Fries <david@xxxxxxxxx> rfcomm_process_sessions is calling rfcomm_process_rx, but in this case the session is closed and freed leaving a dangling pointer that blows up when rfcomm_process_rx returns and rfcomm_process_dlcs is called with the now dangling session pointer. Check to see if the entry is still in the list. Signed-off-by: David Fries <David@xxxxxxxxx> Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx> Cc: "Gustavo F. Padovan" <padovan@xxxxxxxxxxxxxx> Cc: "John W. Linville" <linville@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- net/bluetooth/rfcomm/core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff -puN net/bluetooth/rfcomm/core.c~rfcomm-corec-avoid-dangling-pointer-check-session-exists net/bluetooth/rfcomm/core.c --- a/net/bluetooth/rfcomm/core.c~rfcomm-corec-avoid-dangling-pointer-check-session-exists +++ a/net/bluetooth/rfcomm/core.c @@ -1955,6 +1955,12 @@ static inline void rfcomm_process_sessio default: rfcomm_process_rx(s); + /* The current session can be closed as part of rx + * in which case s is now dangling. Check if it + * has been removed. + */ + if(n->prev != p) + continue; break; } _ Patches currently in -mm which might be from david@xxxxxxxxx are
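Review bot: the `if(n->prev != p)` test added after `rfcomm_process_rx(s)` detects the freed session only indirectly, by reading the list linkage of the neighbouring entry `n`, and that is fragile as a use-after-free guard. It dereferences `n`, so it is safe only if nothing in the rx path can also unlink or free the entry `n` points to, and it compares against the stale address in `p`, which proves nothing about `s` if that memory is reused for another list entry. A direct signal would be easier to reason about: have `rfcomm_process_rx()` report that it closed the session (for example through its return value), or hold a reference on the session across the call, and `continue` on that condition. The new comment should also say which invariant of the list walk the check relies on, since `n` and `p` are not explained anywhere in the hunk. Style: kernel coding style puts a space after the keyword, `if (n->prev != p)`.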