[IRDA]: Fix rfcomm use-after-free

[pandora-kernel.git] / net / bluetooth / af_bluetooth.c

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 305a099..d942b94 100644 (file)
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -1,4 +1,4 @@
-/* 
+/*

    BlueZ - Bluetooth protocol stack for Linux
    Copyright (C) 2000-2001 Qualcomm Incorporated
 
    BlueZ - Bluetooth protocol stack for Linux
    Copyright (C) 2000-2001 Qualcomm Incorporated
 


@@ -12,13 +12,13 @@
    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY

-   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 
-   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 
-   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 
+   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
+   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 

-   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 
-   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 
+   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
+   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS

    SOFTWARE IS DISCLAIMED.
 */
 
    SOFTWARE IS DISCLAIMED.
 */
 


@@ -48,41 +48,56 @@
 #define BT_DBG(D...)
 #endif
 
 #define BT_DBG(D...)
 #endif
 

-#define VERSION "2.10"
+#define VERSION "2.11"

 
 /* Bluetooth sockets */
 #define BT_MAX_PROTO   8
 static struct net_proto_family *bt_proto[BT_MAX_PROTO];
 
 /* Bluetooth sockets */
 #define BT_MAX_PROTO   8
 static struct net_proto_family *bt_proto[BT_MAX_PROTO];

+static DEFINE_RWLOCK(bt_proto_lock);

 
 int bt_sock_register(int proto, struct net_proto_family *ops)
 {
 
 int bt_sock_register(int proto, struct net_proto_family *ops)
 {

+       int err = 0;
+

        if (proto < 0 || proto >= BT_MAX_PROTO)
                return -EINVAL;
 
        if (proto < 0 || proto >= BT_MAX_PROTO)
                return -EINVAL;
 

+       write_lock(&bt_proto_lock);
+

        if (bt_proto[proto])
        if (bt_proto[proto])

-               return -EEXIST;
+               err = -EEXIST;
+       else
+               bt_proto[proto] = ops;

 
 

-       bt_proto[proto] = ops;
-       return 0;
+       write_unlock(&bt_proto_lock);
+
+       return err;

 }
 EXPORT_SYMBOL(bt_sock_register);
 
 int bt_sock_unregister(int proto)
 {
 }
 EXPORT_SYMBOL(bt_sock_register);
 
 int bt_sock_unregister(int proto)
 {

+       int err = 0;
+

        if (proto < 0 || proto >= BT_MAX_PROTO)
                return -EINVAL;
 
        if (proto < 0 || proto >= BT_MAX_PROTO)
                return -EINVAL;
 

+       write_lock(&bt_proto_lock);
+

        if (!bt_proto[proto])
        if (!bt_proto[proto])

-               return -ENOENT;
+               err = -ENOENT;
+       else
+               bt_proto[proto] = NULL;

 
 

-       bt_proto[proto] = NULL;
-       return 0;
+       write_unlock(&bt_proto_lock);
+
+       return err;

 }
 EXPORT_SYMBOL(bt_sock_unregister);
 
 static int bt_sock_create(struct socket *sock, int proto)
 {
 }
 EXPORT_SYMBOL(bt_sock_unregister);
 
 static int bt_sock_create(struct socket *sock, int proto)
 {

-       int err = 0;
+       int err;

 
        if (proto < 0 || proto >= BT_MAX_PROTO)
                return -EINVAL;
 
        if (proto < 0 || proto >= BT_MAX_PROTO)
                return -EINVAL;


@@ -92,12 +107,19 @@ static int bt_sock_create(struct socket *sock, int proto)
                request_module("bt-proto-%d", proto);
        }
 #endif
                request_module("bt-proto-%d", proto);
        }
 #endif

+

        err = -EPROTONOSUPPORT;
        err = -EPROTONOSUPPORT;

+
+       read_lock(&bt_proto_lock);
+

        if (bt_proto[proto] && try_module_get(bt_proto[proto]->owner)) {
                err = bt_proto[proto]->create(sock, proto);
                module_put(bt_proto[proto]->owner);
        }
        if (bt_proto[proto] && try_module_get(bt_proto[proto]->owner)) {
                err = bt_proto[proto]->create(sock, proto);
                module_put(bt_proto[proto]->owner);
        }

-       return err; 
+
+       read_unlock(&bt_proto_lock);
+
+       return err;

 }
 
 void bt_sock_link(struct bt_sock_list *l, struct sock *sk)
 }
 
 void bt_sock_link(struct bt_sock_list *l, struct sock *sk)


@@ -199,7 +221,7 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                copied = len;
        }
 
                copied = len;
        }
 

-       skb->h.raw = skb->data;
+       skb_reset_transport_header(skb);

        err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 
        skb_free_datagram(sk, skb);
        err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 
        skb_free_datagram(sk, skb);


@@ -243,7 +265,7 @@ unsigned int bt_sock_poll(struct file * file, struct socket *sock, poll_table *w
        if (sk->sk_shutdown == SHUTDOWN_MASK)
                mask |= POLLHUP;
 
        if (sk->sk_shutdown == SHUTDOWN_MASK)
                mask |= POLLHUP;
 

-       if (!skb_queue_empty(&sk->sk_receive_queue) || 
+       if (!skb_queue_empty(&sk->sk_receive_queue) ||

                        (sk->sk_shutdown & RCV_SHUTDOWN))
                mask |= POLLIN | POLLRDNORM;
 
                        (sk->sk_shutdown & RCV_SHUTDOWN))
                mask |= POLLIN | POLLRDNORM;