Bluetooth: Fix possible use after free in delete path

We need to use the _sync() version for cancelling the info and security timer in the L2CAP connection delete path. Otherwise the delayed work handler might run after the connection object is freed. Signed-off-by: Ulisses Furquim <ulisses@profusion.mobi> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

Bluetooth: Fix possible use after free in delete path
We need to use the _sync() version for cancelling the info and security timer in the L2CAP connection delete path. Otherwise the delayed work handler might run after the connection object is freed. Signed-off-by: Ulisses Furquim <ulisses@profusion.mobi> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Ulisses Furquim · Johan Hedberg
1 parent 6de3275082
Showing 1 changed file with 2 additions and 2 deletions Side-by-side Diff
net/bluetooth/l2cap_core.c
@@ -1018,10 +1018,10 @@
 	hci_chan_del(conn->hchan);
  
 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
-		__cancel_delayed_work(&conn->info_timer);
+		cancel_delayed_work_sync(&conn->info_timer);
  
 	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
-		__cancel_delayed_work(&conn->security_timer);
+		cancel_delayed_work_sync(&conn->security_timer);
 		smp_chan_destroy(conn);
 	}
...	...	@@ -1018,10 +1018,10 @@
1018	1018	hci_chan_del(conn->hchan);
1019	1019
1020	1020	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1021		- __cancel_delayed_work(&conn->info_timer);
	1021	+ cancel_delayed_work_sync(&conn->info_timer);
1022	1022
1023	1023	if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
1024		- __cancel_delayed_work(&conn->security_timer);
	1024	+ cancel_delayed_work_sync(&conn->security_timer);
1025	1025	smp_chan_destroy(conn);
1026	1026	}
1027	1027