The patch titled
rfcomm/core.c: avoid dangling pointer, check session exists
has been removed from the -mm tree. Its filename was
rfcomm-corec-avoid-dangling-pointer-check-session-exists.patch
This patch was dropped because it was withdrawn
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: rfcomm/core.c: avoid dangling pointer, check session exists
From: David Fries <david@xxxxxxxxx>
rfcomm_process_sessions is calling rfcomm_process_rx, but in this case the
session is closed and freed leaving a dangling pointer that blows up when
rfcomm_process_rx returns and rfcomm_process_dlcs is called with the now
dangling session pointer. Check to see if the entry is still in the list.
Signed-off-by: David Fries <David@xxxxxxxxx>
Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Cc: "Gustavo F. Padovan" <padovan@xxxxxxxxxxxxxx>
Cc: "John W. Linville" <linville@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
net/bluetooth/rfcomm/core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff -puN net/bluetooth/rfcomm/core.c~rfcomm-corec-avoid-dangling-pointer-check-session-exists net/bluetooth/rfcomm/core.c
--- a/net/bluetooth/rfcomm/core.c~rfcomm-corec-avoid-dangling-pointer-check-session-exists
+++ a/net/bluetooth/rfcomm/core.c
@@ -1955,6 +1955,12 @@ static inline void rfcomm_process_sessio
default:
rfcomm_process_rx(s);
+ /* The current session can be closed as part of rx
+ * in which case s is now dangling. Check if it
+ * has been removed.
+ */
+ if(n->prev != p)
+ continue;
break;
}
_
Patches currently in -mm which might be from david@xxxxxxxxx are
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
