[4.2.y-ckt stable] Patch "Bluetooth: Fix l2cap_chan leak in SMP" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Jan 15 18:29:36 UTC 2016


This is a note to let you know that I have just added a patch titled

    Bluetooth: Fix l2cap_chan leak in SMP

to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue

This patch is scheduled to be released in version 4.2.8-ckt2.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 4.2.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

---8<------------------------------------------------------------

From c0960c6f3e05e2e541be1d23021964df9f6076ea Mon Sep 17 00:00:00 2001
From: Johan Hedberg <johan.hedberg at intel.com>
Date: Wed, 11 Nov 2015 21:47:12 +0200
Subject: Bluetooth: Fix l2cap_chan leak in SMP

commit 7883746bc663150e8acd7a57397fc889698b0b33 upstream.

The L2CAP core expects channel implementations to manage the reference
returned by the new_connection callback. With sockets this is already
handled with each channel being tied to the corresponding socket. With
SMP however there's no context to tie the pointer to in the
smp_new_conn_cb function. The function can also not just drop the
reference since it's the only one at that point.

For fixed channels (like SMP) the code path inside the L2CAP core from
new_connection() to ready() is short and straightforward. The
crucial difference is that in ready() the implementation has access to
the l2cap_conn that SMP needs to associate its l2cap_chan with. Instead of
taking a new reference in smp_ready_cb() we can simply assume to
already own the reference created in smp_new_conn_cb(), i.e. there is
no need to call l2cap_chan_hold().

Signed-off-by: Johan Hedberg <johan.hedberg at intel.com>
Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 net/bluetooth/smp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 0510a57..d29fda2 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -3001,8 +3001,13 @@ static void smp_ready_cb(struct l2cap_chan *chan)

 	BT_DBG("chan %p", chan);

+	/* No need to call l2cap_chan_hold() here since we already own
+	 * the reference taken in smp_new_conn_cb(). This is just the
+	 * first time that we tie it to a specific pointer. The code in
+	 * l2cap_core.c ensures that there's no risk this function wont
+	 * get called if smp_new_conn_cb was previously called.
+	 */
 	conn->smp = chan;
-	l2cap_chan_hold(chan);

 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
 		bredr_pairing(chan);
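Review bot: the correctness of removing l2cap_chan_hold() here rests entirely on the claim in the new comment that l2cap_core.c guarantees smp_ready_cb() is reached whenever smp_new_conn_cb() was called; nothing in this hunk touches the path that releases the reference now owned through conn->smp, so the comment (or the commit message) should say where the matching l2cap_chan_put() happens, and what happens to the new_connection reference if the channel is torn down before ready() runs. Minor: "there's no risk this function wont get called" should read "won't".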
--
1.9.1
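As an added illustration of the reference-ownership rule the commit message describes (this is an example written for this page, not kernel code): a toy refcounted channel goes through the new_connection -> ready -> teardown lifecycle twice, once taking the extra hold in ready() as the old code did, once transferring the new_connection reference into conn->smp as the patch does. The names chan_hold(), chan_put(), new_connection_cb(), ready_cb_before(), ready_cb_after() and teardown() are stand-ins for l2cap_chan_hold(), l2cap_chan_put(), the SMP callbacks and an assumed teardown path that drops the conn->smp reference once; the real kernel release path is not shown on this page and is modelled here only as a single put.

```c
/* Toy model of l2cap_chan reference ownership across the SMP callbacks.
 * Added example for this page; not kernel code. All names are stand-ins
 * (assumptions): chan_hold/chan_put for l2cap_chan_hold/l2cap_chan_put,
 * new_connection_cb/ready_cb_* for the SMP callbacks, teardown for an
 * assumed release path that drops the conn->smp reference exactly once.
 */
#include <stdio.h>
#include <stdlib.h>

struct chan {
	int refcnt;	/* stands in for the kref inside struct l2cap_chan */
	int released;	/* set by the final put instead of freeing, so we can inspect it */
};

struct conn {
	struct chan *smp;	/* stands in for conn->smp */
};

static void chan_hold(struct chan *c)
{
	c->refcnt++;
}

static void chan_put(struct chan *c)
{
	if (--c->refcnt == 0)
		c->released = 1;	/* real code would free the channel here */
}

/* new_connection callback: the returned pointer carries one reference
 * that the channel implementation is responsible for. */
static struct chan *new_connection_cb(void)
{
	struct chan *c = calloc(1, sizeof(*c));

	if (!c)
		abort();
	c->refcnt = 1;	/* the reference created in new_connection */
	return c;
}

/* ready callback as before the fix: ties the channel to the connection
 * and takes a second reference on top of the one from new_connection. */
static void ready_cb_before(struct conn *conn, struct chan *c)
{
	conn->smp = c;
	chan_hold(c);
}

/* ready callback as after the fix: the new_connection reference is
 * simply transferred into conn->smp, no extra hold. */
static void ready_cb_after(struct conn *conn, struct chan *c)
{
	conn->smp = c;
}

/* Assumed teardown: drop the single reference owned through conn->smp. */
static void teardown(struct conn *conn)
{
	struct chan *c = conn->smp;

	conn->smp = NULL;
	chan_put(c);
}

/* Run one full lifecycle and return the references left after teardown:
 * 0 means the channel was released, anything else is a leaked reference. */
int leftover_refs(int fixed)
{
	struct conn conn = { 0 };
	struct chan *c = new_connection_cb();
	int left;

	if (fixed)
		ready_cb_after(&conn, c);
	else
		ready_cb_before(&conn, c);
	teardown(&conn);

	left = c->refcnt;	/* still valid: we never free the toy object */
	free(c);
	return left;
}

int main(void)
{
	printf("extra hold in ready(): %d ref(s) leaked\n", leftover_refs(0));
	printf("reference transferred:  %d ref(s) leaked\n", leftover_refs(1));
	return 0;
}
```

The leaked reference in the first run is the one-per-connection leak the patch closes: with a hold in both callbacks and a single put on teardown, the count can never reach zero.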