Bluetooth: Zero bredr pointer when chan is deleted
authorAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Mon, 15 Oct 2012 08:58:44 +0000 (11:58 +0300)
committerGustavo Padovan <gustavo.padovan@collabora.co.uk>
Mon, 15 Oct 2012 12:49:58 +0000 (09:49 -0300)
If BREDR L2CAP chan is deleted and this chan is the channel through
which High Speed traffic is routed to AMP then zero pointer to
the chan in amp_mgr to prevent accessing it.

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
net/bluetooth/l2cap_core.c

index 603742fc17a7ca650bd11303c2599394fda979ed..f873619fdcfd154308627ef10d57a30a0ad96dd7 100644 (file)
@@ -531,6 +531,7 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
        BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
 
        if (conn) {
+               struct amp_mgr *mgr = conn->hcon->amp_mgr;
                /* Delete from channel list */
                list_del(&chan->list);
 
@@ -540,6 +541,9 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
 
                if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
                        hci_conn_put(conn->hcon);
+
+               if (mgr && mgr->bredr_chan == chan)
+                       mgr->bredr_chan = NULL;
        }
 
        chan->ops->teardown(chan, err);