Bluetooth: Fix possible use after free in delete path
authorUlisses Furquim <ulisses@profusion.mobi>
Mon, 30 Jan 2012 20:26:29 +0000 (18:26 -0200)
committerJohan Hedberg <johan.hedberg@intel.com>
Wed, 15 Feb 2012 11:09:26 +0000 (13:09 +0200)
We need to use the _sync() version for cancelling the info and security
timer in the L2CAP connection delete path. Otherwise the delayed work
handler might run after the connection object is freed.

Signed-off-by: Ulisses Furquim <ulisses@profusion.mobi>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
net/bluetooth/l2cap_core.c

index ec10c698b891f3b712b7ba2872638614a20ca910..32d338c30e65a034460652579112fb6c9b61f806 100644 (file)
@@ -1018,10 +1018,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
        hci_chan_del(conn->hchan);
 
        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
-               __cancel_delayed_work(&conn->info_timer);
+               cancel_delayed_work_sync(&conn->info_timer);
 
        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
-               __cancel_delayed_work(&conn->security_timer);
+               cancel_delayed_work_sync(&conn->security_timer);
                smp_chan_destroy(conn);
        }