summaryrefslogtreecommitdiffstats
path: root/net/bluetooth/rfcomm
diff options
context:
space:
mode:
authorPeter Hurley <peter@hurleysoftware.com>2014-02-09 20:59:09 -0500
committerMarcel Holtmann <marcel@holtmann.org>2014-02-14 13:39:30 -0800
commitc949c224cfd7d5445ef947e8b93c0657323d5be5 (patch)
tree99a229dec8e8b61a37ee0469aa45be3d38bfc397 /net/bluetooth/rfcomm
parent80ea73378af46b0023eb2f400d26c2a60248ffaa (diff)
downloadop-kernel-dev-c949c224cfd7d5445ef947e8b93c0657323d5be5.zip
op-kernel-dev-c949c224cfd7d5445ef947e8b93c0657323d5be5.tar.gz
Bluetooth: Fix RFCOMM tty teardown race
RFCOMM tty device teardown can race with new tty device registration for the same device id: CPU 0 | CPU 1 rfcomm_dev_add | rfcomm_dev_destruct | spin_lock | list_del <== dev_id no longer used | spin_unlock spin_lock | . [search rfcomm_dev_list] | . [dev_id not in use] | . [initialize new rfcomm_dev] | . spin_unlock | . | . tty_port_register_device | tty_unregister_device Don't remove rfcomm_dev from the device list until after tty device unregistration has completed. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Tested-By: Alexander Holler <holler@ahsoftware.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/rfcomm')
-rw-r--r--net/bluetooth/rfcomm/tty.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index bb570d9..6ea08b0 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -84,10 +84,6 @@ static void rfcomm_dev_destruct(struct tty_port *port)
BT_DBG("dev %p dlc %p", dev, dlc);
- spin_lock(&rfcomm_dev_lock);
- list_del(&dev->list);
- spin_unlock(&rfcomm_dev_lock);
-
rfcomm_dlc_lock(dlc);
/* Detach DLC if it's owned by this dev */
if (dlc->owner == dev)
@@ -98,6 +94,10 @@ static void rfcomm_dev_destruct(struct tty_port *port)
tty_unregister_device(rfcomm_tty_driver, dev->id);
+ spin_lock(&rfcomm_dev_lock);
+ list_del(&dev->list);
+ spin_unlock(&rfcomm_dev_lock);
+
kfree(dev);
/* It's safe to call module_put() here because socket still
OpenPOWER on IntegriCloud