Bluetooth: Linearize skbs for use in BNEP, CMTP, HIDP, and RFCOMM

Fragmented skbs are only encountered when receiving ERTM or streaming
mode L2CAP data.  BNEP, CMTP, HIDP, and RFCOMM generally use basic
mode, but they need to handle fragments without crashing.

Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index ca39fcf010ce3353e73312f4172f32c9ce12cb1f..dfadb65012d2e19a81adef9a89618419bdacaa52 100644 (file)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -490,7 +490,10 @@ static int bnep_session(void *arg)
                /* RX */
                while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
                        skb_orphan(skb);
-                       bnep_rx_frame(s, skb);
+                       if (!skb_linearize(skb))
+                               bnep_rx_frame(s, skb);
+                       else
+                               kfree_skb(skb);
                }
 
                if (sk->sk_state != BT_CONNECTED)

diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index c5b11af908be4fc3ab6c7a0cebb9639900feb162..2487b84e815fe06ef947512ff41420c374a14fd3 100644 (file)
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -300,7 +300,10 @@ static int cmtp_session(void *arg)
 
                while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
                        skb_orphan(skb);
-                       cmtp_recv_frame(session, skb);
+                       if (!skb_linearize(skb))
+                               cmtp_recv_frame(session, skb);
+                       else
+                               kfree_skb(skb);
                }
 
                cmtp_process_transmit(session);

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 43b4c2deb7cc05bdc875e3f7b23a999468f5c1a4..b046061fa4f6f3b441f3bca34c1c8523e520f3be 100644 (file)
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -716,12 +716,18 @@ static int hidp_session(void *arg)
 
                while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
                        skb_orphan(skb);
-                       hidp_recv_ctrl_frame(session, skb);
+                       if (!skb_linearize(skb))
+                               hidp_recv_ctrl_frame(session, skb);
+                       else
+                               kfree_skb(skb);
                }
 
                while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
                        skb_orphan(skb);
-                       hidp_recv_intr_frame(session, skb);
+                       if (!skb_linearize(skb))
+                               hidp_recv_intr_frame(session, skb);
+                       else
+                               kfree_skb(skb);
                }
 
                hidp_process_transmit(session);

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 5759bb7054f7f4aca8822271b7de4da8997af915..6bbd3172c029d53b51c29c624612956cd2633b02 100644 (file)
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1855,7 +1855,10 @@ static inline void rfcomm_process_rx(struct rfcomm_session *s)
        /* Get data directly from socket receive queue without copying it. */
        while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
                skb_orphan(skb);
-               rfcomm_recv_frame(s, skb);
+               if (!skb_linearize(skb))
+                       rfcomm_recv_frame(s, skb);
+               else
+                       kfree_skb(skb);
        }
 
        if (sk->sk_state == BT_CLOSED) {