Message ID | 20210519204151.1087613-2-luiz.dentz@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | [1/2] Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails |

Hi Luiz,

> The use of l2cap_chan_del is not safe under a loop using
> list_for_each_entry.
>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/l2cap_core.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index f3b70fa348ab..9ebb85df4db4 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6066,7 +6066,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, struct l2cap_ecred_conn_rsp *rsp = (void *) data; struct hci_conn *hcon = conn->hcon; u16 mtu, mps, credits, result; - struct l2cap_chan *chan; + struct l2cap_chan *chan, *tmp; int err = 0, sec_level; int i = 0; @@ -6085,7 +6085,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn, cmd_len -= sizeof(*rsp); - list_for_each_entry(chan, &conn->chan_l, list) { + list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { u16 dcid; if (chan->ident != cmd->ident ||
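
Review bot: the switch to list_for_each_entry_safe() in the l2cap_ecred_conn_rsp() loop over conn->chan_l only protects against removal of the current chan; tmp is read before the loop body runs, so the walk is still unsafe if anything in the body can also unlink the following entry. The commit message should say which path in the loop body reaches l2cap_chan_del() and confirm that the lock protecting conn->chan_l is held for the whole iteration, so a reader can see that only chan is ever deleted. Since the change addresses an unsafe list walk, a Fixes: tag naming the commit that introduced the loop would help stable backports; the quoted message carries only the Signed-off-by.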