Bluetooth: Fix error handling for l2cap_init()

create_singlethread_workqueue() may fail with errors such as -ENOMEM. If
this happens, the return value is not set to a negative value and the
module load will succeed. It will then crash on module unload because of
a destroy_workqueue() call on a NULL pointer.

Additionally, the _busy_wq workqueue is not being destroyed if any
errors happen on l2cap_init().

Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 12b4aa2f8fc97caf0f109c5a200c472317e948eb..a1c7ae88dd1ff98b4d453a6ef40a1d12cbdc1155 100644 (file)
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -4871,8 +4871,10 @@ static int __init l2cap_init(void)
                return err;
 
        _busy_wq = create_singlethread_workqueue("l2cap");
-       if (!_busy_wq)
-               goto error;
+       if (!_busy_wq) {
+               proto_unregister(&l2cap_proto);
+               return -ENOMEM;
+       }
 
        err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
        if (err < 0) {
@@ -4900,6 +4902,7 @@ static int __init l2cap_init(void)
        return 0;
 
 error:
+       destroy_workqueue(_busy_wq);
        proto_unregister(&l2cap_proto);
        return err;
 }