Hi!
From: Lihong Kou koulihong@huawei.com
[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
In the case we set or free the global value listen_chan in different threads, we can encounter the UAF problems because the method is not protected by any lock, add one to avoid this bug.
For this to be safe, bt_6lowpan_exit() needs same handling, no?
Signed-off-by: Pavel Machek (CIP) pavel@denx.de
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index 9a75f9b00b51..2402ef5ac072 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -1304,10 +1304,12 @@ static void __exit bt_6lowpan_exit(void) debugfs_remove(lowpan_enable_debugfs); debugfs_remove(lowpan_control_debugfs);
+ mutex_lock(&set_lock); if (listen_chan) { l2cap_chan_close(listen_chan, 0); l2cap_chan_put(listen_chan); } + mutex_unlock(&set_lock);
disconnect_devices();