Bluetooth: Make better use of l2cap_chan reference counting L2CAP sockets contain a pointer to l2cap_chan that needs to be reference counted in order to prevent a possible dangling pointer when the channel is freed. There were a few other cases where an l2cap_chan pointer on the stack was dereferenced after a call to l2cap_chan_del. Those pointers are also now reference counted. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org>

commit: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 [log] [tgz]
author: Mat Martineau <mathewm@codeaurora.org> Fri Apr 27 16:50:50 2012 -0700
committer: Gustavo Padovan <gustavo@padovan.org> Wed May 09 01:40:49 2012 -0300
tree: b8a711d6cb948ec81749aa8b06a53a8e2dac0b37
parent: dbd89fddc1f1fc96085deb164b7b9b2361241dd3 [diff] [blame]
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 2b5e7e8..6bf8ff7 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c

@@ -956,6 +956,7 @@
 {
 	BT_DBG("sk %p", sk);
 
+	l2cap_chan_put(l2cap_pi(sk)->chan);
 	if (l2cap_pi(sk)->rx_busy_skb) {
 		kfree_skb(l2cap_pi(sk)->rx_busy_skb);
 		l2cap_pi(sk)->rx_busy_skb = NULL;
@@ -1057,6 +1058,8 @@
 		return NULL;
 	}
 
+	l2cap_chan_hold(chan);
+
 	chan->sk = sk;
 
 	l2cap_pi(sk)->chan = chan;
commit	61d6ef3e3408cdf7e622646fb90a9f7f9560b943	[log] [tgz]
author	Mat Martineau <mathewm@codeaurora.org>	Fri Apr 27 16:50:50 2012 -0700
committer	Gustavo Padovan <gustavo@padovan.org>	Wed May 09 01:40:49 2012 -0300
tree	b8a711d6cb948ec81749aa8b06a53a8e2dac0b37
parent	dbd89fddc1f1fc96085deb164b7b9b2361241dd3 [diff] [blame]