This series of commits fixes a problem with closing an L2CAP connection if the socket has unACKed frames. Due to an infinite loop in l2cap_wait_ack, the userspace process gets stuck in close() and then the kernel crashes with the following report:
Call trace:
  [<ffffffc000ace0b4>] l2cap_do_send+0x2c/0xec
  [<ffffffc000acf5f8>] l2cap_send_sframe+0x178/0x260
  [<ffffffc000acf740>] l2cap_send_rr_or_rnr+0x60/0x84
  [<ffffffc000acf980>] l2cap_ack_timeout+0x60/0xac
  [<ffffffc0000b35b8>] process_one_work+0x140/0x384
  [<ffffffc0000b393c>] worker_thread+0x140/0x4e4
  [<ffffffc0000b8c48>] kthread+0xdc/0xf0
All kernels below v4.3 are affected.
-------------------------
Commit log:
Alexey Dobriyan (1):
      Bluetooth: Stop sabotaging list poisoning

Dean Jenkins (8):
      Bluetooth: L2CAP ERTM shutdown protect sk and chan
      Bluetooth: Make __l2cap_wait_ack more efficient
      Bluetooth: Add BT_DBG to l2cap_sock_shutdown()
      Bluetooth: __l2cap_wait_ack() use msecs_to_jiffies()
      Bluetooth: __l2cap_wait_ack() add defensive timeout
      Bluetooth: Unwind l2cap_sock_shutdown()
      Bluetooth: Reorganize mutex lock in l2cap_sock_shutdown()
      Bluetooth: l2cap_disconnection_req priority over shutdown

Tedd Ho-Jeong An (1):
      Bluetooth: Reinitialize the list after deletion for session user list
 include/net/bluetooth/l2cap.h |  2 +
 net/bluetooth/l2cap_core.c    | 12 ++---
 net/bluetooth/l2cap_sock.c    | 94 +++++++++++++++++++++++++++--------
 3 files changed, 78 insertions(+), 30 deletions(-)