Bluetooth: Avoid use of session socket after the session gets freed
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / rfcomm / core.c
index ca957d34b0c89fa29341a179ee16e325ac226e55..19ba192e9dbf011e56acd4c00fa07f6458a94714 100644 (file)
@@ -1857,10 +1857,13 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
        /* Get data directly from socket receive queue without copying it. */
        while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
                skb_orphan(skb);
-               if (!skb_linearize(skb))
+               if (!skb_linearize(skb)) {
                        s = rfcomm_recv_frame(s, skb);
-               else
+                       if (!s)
+                               break;
+               } else {
                        kfree_skb(skb);
+               }
        }
 
        if (s && (sk->sk_state == BT_CLOSED))
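Review bot: The added `if (!s) break;` has no comment saying why a NULL return must end the loop, and the reason is not visible at this spot: `sk` appears to be taken from the session before the loop (outside this hunk), so after rfcomm_recv_frame() returns NULL the next `skb_dequeue(&sk->sk_receive_queue)` would touch a socket that presumably went away with the session. I would put `/* Session was freed by rfcomm_recv_frame(); sk belongs to it and must not be touched again. */` above the check. The trailing `if (s && (sk->sk_state == BT_CLOSED))` is safe only because `s` is tested first, which deserves a short note too so the operands are not reordered later. rfcomm_process_rx() starts and ends outside the hunk, so how its callers handle a NULL session pointer cannot be checked from here.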