From 380dcd40cd7fb87d7c7eeeb6efde32efc65d4d3c Mon Sep 17 00:00:00 2001
From: Mat Martineau
Date: Mon, 19 Dec 2011 10:11:30 -0800
Subject: [PATCH] Bluetooth: Clear sk_send_head when purging ERTM transmit queue

In ERTM, the outgoing data queue contains both unsent data and unacked data, and sk_send_head points to the first unsent packet. When disconnecting a socket, it's possible for a process to attempt a socket send while a disconnection is in progress and the outgoing data queue has been purged. When this purge happens, sk_send_head must also be set to NULL because the packet it was pointing to has been freed.

Change-Id: I87b37a13583fac705241549dfc492950c7c0ec0b
CRs-fixed: 326238
Signed-off-by: Mat Martineau
---
 net/bluetooth/l2cap_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a3f35636040..31a726aea92 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -569,6 +569,7 @@ void l2cap_chan_del(struct sock *sk, int err)
 } else
 sk->sk_state_change(sk);
 
+ sk->sk_send_head = NULL;
 skb_queue_purge(TX_QUEUE(sk));
 
 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
@@ -782,6 +783,7 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
 if (!conn)
 return;
 
+ sk->sk_send_head = NULL;
 skb_queue_purge(TX_QUEUE(sk));
 
 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
@@ -4515,6 +4517,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
 
 if (sk->sk_state != BT_DISCONN) {
 sk->sk_shutdown = SHUTDOWN_MASK;
+ sk->sk_send_head = NULL;
 skb_queue_purge(TX_QUEUE(sk));
 
 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
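Review bot: The invariant this patch restores — sk_send_head points into TX_QUEUE(sk), so it dangles the moment skb_queue_purge() frees that queue — is re-established by hand at three separate purge sites (the hunks in l2cap_chan_del, l2cap_send_disconn_req and l2cap_disconnect_req), with nothing tying the two statements together, so the next purge site added to this file can silently reintroduce the use-after-free that a concurrent send walking from sk_send_head would hit. I would fold the pair into one static helper and call it from all three places, so the pointer reset cannot be separated from the purge; at minimum, each site should carry a comment such as `/* sk_send_head points into TX_QUEUE; clear it before the purge frees that skb */`. Whether the socket lock is held at each of these sites, which is what actually serialises the reset against a racing l2cap send, is not visible in the hunks and should be confirmed before relying on the fix. All three enclosing functions start and end outside their hunks.
```c
/* Purge the ERTM transmit queue and drop the cached unsent-head pointer
 * together, so sk_send_head can never outlive the skb it points at. */
static void l2cap_purge_tx_queue(struct sock *sk)
{
	sk->sk_send_head = NULL;
	skb_queue_purge(TX_QUEUE(sk));
}

/* … unchanged: each former "sk->sk_send_head = NULL; skb_queue_purge(TX_QUEUE(sk));" pair becomes l2cap_purge_tx_queue(sk); … */
```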