On Mon, Apr 16, 2012 at 12:40:16PM -0700, [email protected] wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
> 
> to the 3.3-stable tree which can be found at:
>     
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

This patch (which was also added to the 3.2 and 3.0 stable queues) has a
dependency on commit 797fe796c4335b35d ("Bluetooth: uart-ldisc: Fix
memory leak"). Unfortunately, the memory leak fix depends on another
patch which changes internal interfaces. The fix also went in through
bluetooth-next along with my fix so I couldn't refer to that commit.
Neither was the memory leak fix marked for stable.

The original discussion on how to best handle this can be found in these
threads:

http://marc.info/?l=linux-bluetooth&m=133130788128668&w=2
http://marc.info/?l=linux-bluetooth&m=133113631130418&w=2

Below is a minimal backport of the memory leak fix which the NULL-deref
patch depends on. This one is needed in 3.0 and 3.2 as well.

Thanks,
Johan


From 501dac2851c5bf1edf158adc4deb15e10c59bb04 Mon Sep 17 00:00:00 2001
From: Johan Hovold <[email protected]>
Date: Wed, 11 Apr 2012 11:24:35 +0200
Subject: [PATCH] Bluetooth: uart-ldisc: Fix memory leak

This is a partial, self-contained, minimal backport of commit
797fe796c4335b35d95d5326824513befdb5d1e9 upstream which fixes the memory
leak:

Bluetooth: uart-ldisc: Fix memory leak and remove destruct cb

We currently leak the hci_uart object if HCI_UART_PROTO_SET is never set
because the hci-destruct callback will then never be called.  This fix
removes the hci-destruct callback and frees the driver internal private
hci_uart object directly on tty-close. We call hci_unregister_dev() here
so the hci-core will never call our callbacks again (except destruct).
Therefore, we can safely free the driver internal data right away and
set the destruct callback to NULL.

Signed-off-by: David Herrmann <[email protected]>
Acked-by: Marcel Holtmann <[email protected]>
Signed-off-by: Johan Hedberg <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
 drivers/bluetooth/hci_ldisc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 48ad2a7..36dafef 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -237,7 +237,6 @@ static void hci_uart_destruct(struct hci_dev *hdev)
                return;
 
        BT_DBG("%s", hdev->name);
-       kfree(hdev->driver_data);
 }
 
 /* ------ LDISC part ------ */
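Review bot: with the kfree(hdev->driver_data) removed, hci_uart_destruct is left as a callback that only logs, while the commit message it is backported from says the destruct callback is set to NULL; this backport keeps the (now empty) callback. Please say in the backport description that the no-op callback is kept on purpose to keep the diff minimal, so that nobody later "restores" the kfree here and reintroduces a double free against the kfree(hu) that the second hunk adds to hci_uart_tty_close.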
@@ -316,6 +315,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
                                hci_free_dev(hdev);
                        }
                }
+               kfree(hu);
        }
 }
 
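Review bot: kfree(hu) is placed after the inner block that calls hci_free_dev(hdev), which is the right order given that hdev->driver_data pointed at hu and the old destruct freed it through that pointer; but the condition of the enclosing block that kfree(hu) sits in is not visible in this hunk. The leak described in the changelog happens when HCI_UART_PROTO_SET was never set, so please confirm (ideally in the changelog) that this outer block is reached on that path and is not itself guarded by the PROTO_SET test, otherwise hu still leaks in exactly the case the fix targets. Also worth a quick check that nothing between the inner block and kfree(hu) touches hu->hdev, since hdev was freed just above.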
-- 
1.7.8.5

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
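To make the ownership change behind this backport concrete, below is a constructed C model of the tty open/close lifecycle. It is an added example, not kernel code and not part of the patch or of this thread: the names tty_open, proto_set, tty_close_before, tty_close_after and live_objects are assumptions that only mimic hci_ldisc.c, the modelled hci_free_dev runs the destruct hook synchronously (the real core defers it to the last reference drop), and the global counter stands in for a leak checker. The "before" close frees the hci_uart only through the destruct hook, which never fires when no protocol was set; the "after" close frees it directly, after hci_free_dev, as the patch does.

```c
/* Constructed model of the hci_uart lifetime bug; not the kernel's code. */
#include <stdlib.h>
#include <stdbool.h>

static int live_objects;   /* allocations not yet freed; stands in for a leak checker */

struct hci_dev {
    void *driver_data;                     /* points back at the owning hci_uart */
    void (*destruct)(struct hci_dev *);    /* run by the modelled core when hdev is freed */
};

struct hci_uart {
    struct hci_dev *hdev;                  /* NULL until the protocol is set */
    bool proto_set;                        /* models the HCI_UART_PROTO_SET flag */
};

/* Model of hci_free_dev(): run the driver's destruct hook, then free hdev. */
static void hci_free_dev(struct hci_dev *hdev)
{
    if (hdev->destruct)
        hdev->destruct(hdev);
    free(hdev);
    live_objects--;
}

/* Old destruct callback: the only place the hci_uart was freed. */
static void old_hci_uart_destruct(struct hci_dev *hdev)
{
    free(hdev->driver_data);
    live_objects--;
}

/* New destruct callback after the fix: it no longer owns driver_data. */
static void new_hci_uart_destruct(struct hci_dev *hdev)
{
    (void)hdev;
}

/* Model of tty_open(): the hci_uart exists from here on, with or without an hdev. */
static struct hci_uart *tty_open(void)
{
    struct hci_uart *hu = calloc(1, sizeof(*hu));
    live_objects++;
    return hu;
}

/* Model of the HCI_UART_PROTO_SET ioctl: allocate and register an hdev for hu. */
static void proto_set(struct hci_uart *hu, void (*destruct)(struct hci_dev *))
{
    hu->hdev = calloc(1, sizeof(*hu->hdev));
    live_objects++;
    hu->hdev->driver_data = hu;
    hu->hdev->destruct = destruct;
    hu->proto_set = true;
}

/* Before the fix: hu is only released via the destruct hook, so it leaks
 * whenever no protocol was ever set and therefore no hdev exists. */
static void tty_close_before(struct hci_uart *hu)
{
    if (hu->proto_set)
        hci_free_dev(hu->hdev);
}

/* After the fix: free hdev first (its destruct no longer touches hu),
 * then free hu unconditionally, mirroring the order in the patch. */
static void tty_close_after(struct hci_uart *hu)
{
    if (hu->proto_set)
        hci_free_dev(hu->hdev);
    free(hu);
    live_objects--;
}

/* Objects still allocated after one open/close cycle with the old code. */
static int leaked_before(bool set_proto)
{
    live_objects = 0;
    struct hci_uart *hu = tty_open();
    if (set_proto)
        proto_set(hu, old_hci_uart_destruct);
    tty_close_before(hu);
    return live_objects;
}

/* Objects still allocated after one open/close cycle with the fixed code. */
static int leaked_after(bool set_proto)
{
    live_objects = 0;
    struct hci_uart *hu = tty_open();
    if (set_proto)
        proto_set(hu, new_hci_uart_destruct);
    tty_close_after(hu);
    return live_objects;
}
```

Run the two cycles with and without a protocol set: only the old close with no protocol leaves an object behind, which is the case the commit message describes, and the fixed close frees everything on both paths without a double free because the new destruct hook no longer frees driver_data.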
