Bluetooth: Fix deadlock and crash when SMP pairing times out
The l2cap_conn_del function tries to cancel_sync the security timer, but when it's called from the timeout function itself a deadlock occurs. Subsequently the "hcon->l2cap_data = NULL" that's supposed to protect against multiple calls to l2cap_conn_del never gets cleared, and when the connection finally drops we get double frees etc., which will crash the kernel. This patch fixes the issue by using the HCI_CONN_LE_SMP_PEND flag for protecting against this. The same flag is also used for the same purpose in other places in the SMP code. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
parent
4c47d73964
commit
d06cc416f5
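--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1295,7 +1295,12 @@ static void security_timeout(struct work_struct *work)
 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
 security_timer.work);
 
-l2cap_conn_del(conn->hcon, ETIMEDOUT);
+BT_DBG("conn %p", conn);
+
+if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+smp_chan_destroy(conn);
+l2cap_conn_del(conn->hcon, ETIMEDOUT);
+}
 }
 
 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)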
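Review bot: The gate on `test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)` carries the whole fix, yet nothing in the hunk says why a timeout that finds the bit already clear must do nothing; the function's signature is visible only in the hunk header and its opening brace lies outside the hunk. The bit is acting as a one-shot ownership token: whichever of security_timeout() and l2cap_conn_del() clears it first performs smp_chan_destroy() and the connection teardown, so a timer that fires after pairing completed, or after the connection was already torn down, becomes a no-op instead of the second free the commit message describes. That only holds if the l2cap_conn_del() side, which this page does not show, also skips cancel_delayed_work_sync() on the security timer when the bit is already clear — otherwise calling it from the timer's own work function still self-deadlocks, so this is worth confirming against the rest of the commit. I would record the contract above the test: `/* HCI_CONN_LE_SMP_PEND is a one-shot teardown token shared with l2cap_conn_del(): whoever clears it owns smp_chan_destroy() and the conn teardown, so a late timeout is a no-op. */`.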