Bluetooth: Clear RFCOMM session timer when disconnecting last channel
author Mat Martineau <mathewm@codeaurora.org>
Wed, 7 Dec 2011 00:23:26 +0000 (16:23 -0800)
committer Gustavo F. Padovan <padovan@profusion.mobi>
Mon, 19 Dec 2011 00:29:35 +0000 (22:29 -0200)

When the last RFCOMM data channel is closed, a timer is normally set
up to disconnect the control channel at a later time.  If the control
channel disconnect command is sent with the timer pending, the timer
needs to be cancelled.

If the timer is not cancelled in this situation, the reference
counting logic for the RFCOMM session does not work correctly when the
remote device closes the L2CAP connection.  The session is freed at
the wrong time, leading to a kernel panic.

Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
net/bluetooth/rfcomm/core.c

index 4e32e18211f9187d8a98a27772a9ba97f5cf7112..2d28dfe983890fc74a2a8ebf5bc5f7e5716058c5 100644 (file)
@@ -1146,6 +1146,7 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
                        if (list_empty(&s->dlcs)) {
                                s->state = BT_DISCONN;
                                rfcomm_send_disc(s, 0);
+                               rfcomm_session_clear_timer(s);
                        }
 
                        break;
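
Review bot: The new rfcomm_session_clear_timer(s) call in the list_empty(&s->dlcs) branch of rfcomm_recv_ua() carries no comment, so the reason it must follow rfcomm_send_disc(s, 0) lives only in the commit message. Since the message ties a missed cancel to the session being freed at the wrong time and a kernel panic, a short comment above the call (for example, that a pending session timer must not outlive the DISC sent on DLCI 0 because it upsets session reference counting) would keep a later cleanup from dropping it. It is also worth confirming whether any other path that sets s->state = BT_DISCONN and sends DISC on DLCI 0 can run with the timer pending; if so, the same cancel belongs there, or inside a shared helper, rather than only at this call site.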