Bluetooth: Fix possible use after free in delete path We need to use the _sync() version for cancelling the info and security timer in the L2CAP connection delete path. Otherwise the delayed work handler might run after the connection object is freed. Signed-off-by: Ulisses Furquim <ulisses@profusion.mobi> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

commit: 127074bfa3c11c12e0160437e31b08c6b27412a4 [log] [tgz]
author: Ulisses Furquim <ulisses@profusion.mobi> Mon Jan 30 18:26:29 2012 -0200
committer: Johan Hedberg <johan.hedberg@intel.com> Mon Feb 13 17:01:30 2012 +0200
tree: a70a9ecb8673139263c6f4a631660d15753d9891
parent: 17cd3f374be6648bd46c86ff8f2a2511d3f416ee [diff]
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ae7fb27..09cd860 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c

@@ -1016,10 +1016,10 @@
 	hci_chan_del(conn->hchan);
 
 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
-		__cancel_delayed_work(&conn->info_timer);
+		cancel_delayed_work_sync(&conn->info_timer);
 
 	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
-		__cancel_delayed_work(&conn->security_timer);
+		cancel_delayed_work_sync(&conn->security_timer);
 		smp_chan_destroy(conn);
 	}
commit	127074bfa3c11c12e0160437e31b08c6b27412a4	[log] [tgz]
author	Ulisses Furquim <ulisses@profusion.mobi>	Mon Jan 30 18:26:29 2012 -0200
committer	Johan Hedberg <johan.hedberg@intel.com>	Mon Feb 13 17:01:30 2012 +0200
tree	a70a9ecb8673139263c6f4a631660d15753d9891
parent	17cd3f374be6648bd46c86ff8f2a2511d3f416ee [diff]