From c6bf514c6e0171c5b731beffaa0c4463e2335f3d Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Sun, 30 Nov 2008 12:17:19 +0100 Subject: Bluetooth: Fix leak of uninitialized data to userspace struct hci_dev_list_req { __u16 dev_num; struct hci_dev_req dev_req[0]; /* hci_dev_req structures */ }; sizeof(struct hci_dev_list_req) == 4, so the two bytes immediately following "dev_num" will never be initialized. When this structure is copied to userspace, these uninitialized bytes are leaked. Fix by using kzalloc() instead of kmalloc(). Found using kmemcheck. Signed-off-by: Vegard Nossum Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 278a3ac..7bb0f1c 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -756,7 +756,7 @@ int hci_get_dev_list(void __user *arg) size = sizeof(*dl) + dev_num * sizeof(*dr); - if (!(dl = kmalloc(size, GFP_KERNEL))) + if (!(dl = kzalloc(size, GFP_KERNEL))) return -ENOMEM; dr = dl->dev_req; -- cgit v1.1 From db7aa1c203d477351ed1b8f394b40d9df06ddfc4 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sun, 30 Nov 2008 12:17:19 +0100 Subject: Bluetooth: Fix warnings for bt_key_strings and bt_slock_key_strings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After adding proper lockdep annotations for Bluetooth protocols the case when lockdep is disabled produced two compiler warnings: net/bluetooth/af_bluetooth.c:60: warning: ‘bt_key_strings’ defined but not used net/bluetooth/af_bluetooth.c:71: warning: ‘bt_slock_key_strings’ defined but not used Fix both of them by adding a CONFIG_DEBUG_LOCK_ALLOC conditional around them and re-arranging the code a little bit. Signed-off-by: Marcel Holtmann --- net/bluetooth/af_bluetooth.c | 41 +++++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 18 deletions(-) (limited to 'net') diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index 8f9431a..41f07f5 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -51,8 +51,9 @@ /* Bluetooth sockets */ #define BT_MAX_PROTO 8 static struct net_proto_family *bt_proto[BT_MAX_PROTO]; +static DEFINE_RWLOCK(bt_proto_lock); -static struct lock_class_key bt_slock_key[BT_MAX_PROTO]; +#ifdef CONFIG_DEBUG_LOCK_ALLOC static struct lock_class_key bt_lock_key[BT_MAX_PROTO]; static const char *bt_key_strings[BT_MAX_PROTO] = { "sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP", @@ -65,6 +66,7 @@ static const char *bt_key_strings[BT_MAX_PROTO] = { "sk_lock-AF_BLUETOOTH-BTPROTO_AVDTP", }; +static struct lock_class_key bt_slock_key[BT_MAX_PROTO]; static const char *bt_slock_key_strings[BT_MAX_PROTO] = { "slock-AF_BLUETOOTH-BTPROTO_L2CAP", "slock-AF_BLUETOOTH-BTPROTO_HCI", @@ -75,7 +77,25 @@ static const char *bt_slock_key_strings[BT_MAX_PROTO] = { "slock-AF_BLUETOOTH-BTPROTO_HIDP", "slock-AF_BLUETOOTH-BTPROTO_AVDTP", }; -static DEFINE_RWLOCK(bt_proto_lock); + +static inline void bt_sock_reclassify_lock(struct socket *sock, int proto) +{ + struct sock *sk = sock->sk; + + if (!sk) + return; + + BUG_ON(sock_owned_by_user(sk)); + + sock_lock_init_class_and_name(sk, + bt_slock_key_strings[proto], &bt_slock_key[proto], + bt_key_strings[proto], &bt_lock_key[proto]); +} +#else +static inline void bt_sock_reclassify_lock(struct socket *sock, int proto) +{ +} +#endif int bt_sock_register(int proto, struct net_proto_family *ops) { @@ -117,21 +137,6 @@ int bt_sock_unregister(int proto) } EXPORT_SYMBOL(bt_sock_unregister); -static void bt_reclassify_sock_lock(struct socket *sock, int proto) -{ - struct sock *sk = sock->sk; - - if (!sk) - return; - BUG_ON(sock_owned_by_user(sk)); - - sock_lock_init_class_and_name(sk, - bt_slock_key_strings[proto], - &bt_slock_key[proto], - bt_key_strings[proto], - &bt_lock_key[proto]); -} - static int bt_sock_create(struct net *net, struct socket *sock, int proto) { int err; @@ -151,7 +156,7 @@ static int bt_sock_create(struct net *net, struct socket *sock, int proto) if (bt_proto[proto] && try_module_get(bt_proto[proto]->owner)) { err = bt_proto[proto]->create(net, sock, proto); - bt_reclassify_sock_lock(sock, proto); + bt_sock_reclassify_lock(sock, proto); module_put(bt_proto[proto]->owner); } -- cgit v1.1 From 7a9d4020533b5c0c615b6de3be154c9ff30b8cc9 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sun, 30 Nov 2008 12:17:26 +0100 Subject: Bluetooth: Send HCI Reset command by default on device initialization The Bluetooth subsystem was not using the HCI Reset command when doing device initialization. The Bluetooth 1.0b specification was ambiguous on how the device firmware was suppose to handle it. Almost every device was triggering a transport reset at the same time. In case of USB this ended up in disconnects from the bus. All modern Bluetooth dongles handle this perfectly fine and a lot of them actually require that HCI Reset is sent. If not then they are either stuck in their HID Proxy mode or their internal structures for inquiry and paging are not correctly setup. To handle old and new devices smoothly the Bluetooth subsystem contains a quirk to force the HCI Reset on initialization. However maintaining such a quirk becomes more and more complicated. This patch turns the logic around and lets the old devices disable the HCI Reset command. The only device where the HCI_QUIRK_NO_RESET is still needed are the original Digianswer devices and dongles with an early CSR firmware. CSR reported that they fixed this for version 12 firmware. The last official release of version 11 firmware is build ID 115. The first version 12 candidate was build ID 117. Signed-off-by: Marcel Holtmann --- net/bluetooth/af_bluetooth.c | 2 +- net/bluetooth/hci_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'net') diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index 41f07f5..f6f216e 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -46,7 +46,7 @@ #define BT_DBG(D...) #endif -#define VERSION "2.13" +#define VERSION "2.14" /* Bluetooth sockets */ #define BT_MAX_PROTO 8 diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 7bb0f1c..fa7c537 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -205,7 +205,7 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt) /* Mandatory initialization */ /* Reset */ - if (test_bit(HCI_QUIRK_RESET_ON_INIT, &hdev->quirks)) + if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); /* Read Local Supported Features */ -- cgit v1.1 From a418b893a6af11ae73c762ed5b76c1bad6dc19d8 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sun, 30 Nov 2008 12:17:28 +0100 Subject: Bluetooth: Enable per-module dynamic debug messages With the introduction of CONFIG_DYNAMIC_PRINTK_DEBUG it is possible to allow debugging without having to recompile the kernel. This patch turns all BT_DBG() calls into pr_debug() to support dynamic debug messages. As a side effect all CONFIG_BT_*_DEBUG statements are now removed and some broken debug entries have been fixed. Signed-off-by: Marcel Holtmann --- net/bluetooth/af_bluetooth.c | 7 +------ net/bluetooth/bnep/bnep.h | 2 +- net/bluetooth/bnep/core.c | 5 ----- net/bluetooth/bnep/netdev.c | 5 ----- net/bluetooth/bnep/sock.c | 5 ----- net/bluetooth/cmtp/capi.c | 5 ----- net/bluetooth/cmtp/core.c | 5 ----- net/bluetooth/cmtp/sock.c | 5 ----- net/bluetooth/hci_conn.c | 5 ----- net/bluetooth/hci_core.c | 7 +------ net/bluetooth/hci_event.c | 5 ----- net/bluetooth/hci_sock.c | 5 ----- net/bluetooth/hci_sysfs.c | 5 ----- net/bluetooth/hidp/core.c | 5 ----- net/bluetooth/hidp/sock.c | 5 ----- net/bluetooth/l2cap.c | 5 ----- net/bluetooth/rfcomm/core.c | 5 ----- net/bluetooth/rfcomm/sock.c | 7 +------ net/bluetooth/rfcomm/tty.c | 5 ----- net/bluetooth/sco.c | 5 ----- 20 files changed, 4 insertions(+), 99 deletions(-) (limited to 'net') diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index f6f216e..744ed3f 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -41,11 +41,6 @@ #include -#ifndef CONFIG_BT_SOCK_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "2.14" /* Bluetooth sockets */ @@ -245,7 +240,7 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, size_t copied; int err; - BT_DBG("sock %p sk %p len %d", sock, sk, len); + BT_DBG("sock %p sk %p len %zu", sock, sk, len); if (flags & (MSG_OOB)) return -EOPNOTSUPP; diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h index b69bf4e..d20f8a4 100644 --- a/net/bluetooth/bnep/bnep.h +++ b/net/bluetooth/bnep/bnep.h @@ -161,7 +161,7 @@ struct bnep_session { struct msghdr msg; struct bnep_proto_filter proto_filter[BNEP_MAX_PROTO_FILTERS]; - u64 mc_filter; + unsigned long long mc_filter; struct socket *sock; struct net_device *dev; diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c index f8efaf3..70fea8b 100644 --- a/net/bluetooth/bnep/core.c +++ b/net/bluetooth/bnep/core.c @@ -52,11 +52,6 @@ #include "bnep.h" -#ifndef CONFIG_BT_BNEP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "1.3" static int compress_src = 1; diff --git a/net/bluetooth/bnep/netdev.c b/net/bluetooth/bnep/netdev.c index 47e179f..f897da6 100644 --- a/net/bluetooth/bnep/netdev.c +++ b/net/bluetooth/bnep/netdev.c @@ -41,11 +41,6 @@ #include "bnep.h" -#ifndef CONFIG_BT_BNEP_DEBUG -#undef BT_DBG -#define BT_DBG( A... ) -#endif - #define BNEP_TX_QUEUE_LEN 20 static int bnep_net_open(struct net_device *dev) diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c index 8ffb57f..e857628 100644 --- a/net/bluetooth/bnep/sock.c +++ b/net/bluetooth/bnep/sock.c @@ -46,11 +46,6 @@ #include "bnep.h" -#ifndef CONFIG_BT_BNEP_DEBUG -#undef BT_DBG -#define BT_DBG( A... ) -#endif - static int bnep_sock_release(struct socket *sock) { struct sock *sk = sock->sk; diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c index 3e9d5bb..78958c0 100644 --- a/net/bluetooth/cmtp/capi.c +++ b/net/bluetooth/cmtp/capi.c @@ -42,11 +42,6 @@ #include "cmtp.h" -#ifndef CONFIG_BT_CMTP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define CAPI_INTEROPERABILITY 0x20 #define CAPI_INTEROPERABILITY_REQ CAPICMD(CAPI_INTEROPERABILITY, CAPI_REQ) diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c index ca60a451..c9cac77 100644 --- a/net/bluetooth/cmtp/core.c +++ b/net/bluetooth/cmtp/core.c @@ -44,11 +44,6 @@ #include "cmtp.h" -#ifndef CONFIG_BT_CMTP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "1.0" static DECLARE_RWSEM(cmtp_session_sem); diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c index 8c7f7bc..16b0fad 100644 --- a/net/bluetooth/cmtp/sock.c +++ b/net/bluetooth/cmtp/sock.c @@ -43,11 +43,6 @@ #include "cmtp.h" -#ifndef CONFIG_BT_CMTP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - static int cmtp_sock_release(struct socket *sock) { struct sock *sk = sock->sk; diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index b700242..a4a789f 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -45,11 +45,6 @@ #include #include -#ifndef CONFIG_BT_HCI_CORE_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - void hci_acl_connect(struct hci_conn *conn) { struct hci_dev *hdev = conn->hdev; diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index fa7c537..ba78cc1 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -48,11 +48,6 @@ #include #include -#ifndef CONFIG_BT_HCI_CORE_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - static void hci_cmd_task(unsigned long arg); static void hci_rx_task(unsigned long arg); static void hci_tx_task(unsigned long arg); @@ -290,7 +285,7 @@ static void hci_linkpol_req(struct hci_dev *hdev, unsigned long opt) { __le16 policy = cpu_to_le16(opt); - BT_DBG("%s %x", hdev->name, opt); + BT_DBG("%s %x", hdev->name, policy); /* Default link policy */ hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy); diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index ad7a553..f91ba69 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -45,11 +45,6 @@ #include #include -#ifndef CONFIG_BT_HCI_CORE_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - /* Handle HCI Event packets */ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index d62579b..4f9621f 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -49,11 +49,6 @@ #include #include -#ifndef CONFIG_BT_HCI_SOCK_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - /* ----- HCI socket interface ----- */ static inline int hci_test_bit(int nr, void *addr) diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index f2bbb2f..6490bf8 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c @@ -6,11 +6,6 @@ #include #include -#ifndef CONFIG_BT_HCI_CORE_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - struct class *bt_class = NULL; EXPORT_SYMBOL_GPL(bt_class); diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index acdeab3..b186768 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -47,11 +47,6 @@ #include "hidp.h" -#ifndef CONFIG_BT_HIDP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "1.2" static DECLARE_RWSEM(hidp_session_sem); diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c index f4dd02c..37c9d7d 100644 --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -39,11 +39,6 @@ #include "hidp.h" -#ifndef CONFIG_BT_HIDP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - static int hidp_sock_release(struct socket *sock) { struct sock *sk = sock->sk; diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 9610a9c..b93748e 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -50,11 +50,6 @@ #include #include -#ifndef CONFIG_BT_L2CAP_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "2.11" static u32 l2cap_feat_mask = 0x0000; diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index ba537fa..37c640d 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -46,11 +46,6 @@ #include #include -#ifndef CONFIG_BT_RFCOMM_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "1.10" static int disable_cfc = 0; diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index bc0d4a7..ad00cbf 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -50,11 +50,6 @@ #include #include -#ifndef CONFIG_BT_RFCOMM_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - static const struct proto_ops rfcomm_sock_ops; static struct bt_sock_list rfcomm_sk_list = { @@ -644,7 +639,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, msg->msg_namelen = 0; - BT_DBG("sk %p size %d", sk, size); + BT_DBG("sk %p size %zu", sk, size); lock_sock(sk); diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index d3340dd..1e4100b 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -39,11 +39,6 @@ #include #include -#ifndef CONFIG_BT_RFCOMM_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */ #define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */ #define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */ diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 0cc91e6..46fd8bf 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -48,11 +48,6 @@ #include #include -#ifndef CONFIG_BT_SCO_DEBUG -#undef BT_DBG -#define BT_DBG(D...) -#endif - #define VERSION "0.6" static int disable_esco = 0; -- cgit v1.1 From 2e792995e4cb425422dc379c3618447c462756a8 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sun, 30 Nov 2008 12:17:29 +0100 Subject: Bluetooth: Fix format arguments warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Newer GCC versions are a little bit picky about how to deal with format arguments: net/bluetooth/hci_sysfs.c: In function ‘hci_register_sysfs’: net/bluetooth/hci_sysfs.c:418: warning: format not a string literal and no format arguments It is simple enough to fix and makes the compiler happy. Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index 6490bf8..1a1f916 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c @@ -415,7 +415,7 @@ int hci_register_sysfs(struct hci_dev *hdev) dev->class = bt_class; dev->parent = hdev->parent; - dev_set_name(dev, hdev->name); + dev_set_name(dev, "%s", hdev->name); dev_set_drvdata(dev, hdev); -- cgit v1.1 From 9a5df92374d65e2886b92e98dd7d873c533a83ff Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sun, 30 Nov 2008 12:17:29 +0100 Subject: Bluetooth: Fix RFCOMM release oops when device is still in use It turns out that the following sequence of actions will reproduce the oops: 1. Create a new RFCOMM device (using RFCOMMCREATEDEV ioctl) 2. (Try to) open the device 3. Release the RFCOMM device (using RFCOMMRELEASEDEV ioctl) At this point, the "/dev/rfcomm*" device is still in use, but it is gone from the internal list, so the device id can be reused. 4. Create a new RFCOMM device with the same device id as before And now kobject will complain that the TTY already exists. (See http://lkml.org/lkml/2008/7/13/89 for a reproducible test-case.) This patch attempts to correct this by only removing the device from the internal list of devices at the final unregister stage, so that the id won't get reused until the device has been completely destructed. This should be safe as the RFCOMM_TTY_RELEASED bit will be set for the device and prevent the device from being reopened after it has been released. Based on a report from Vegard Nossum Signed-off-by: Marcel Holtmann --- net/bluetooth/rfcomm/tty.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) (limited to 'net') diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index 1e4100b..111c6c8 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -53,7 +53,7 @@ struct rfcomm_dev { char name[12]; int id; unsigned long flags; - int opened; + atomic_t opened; int err; bdaddr_t src; @@ -256,6 +256,8 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc) dev->flags = req->flags & ((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC)); + atomic_set(&dev->opened, 0); + init_waitqueue_head(&dev->wait); tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev); @@ -325,10 +327,10 @@ static void rfcomm_dev_del(struct rfcomm_dev *dev) { BT_DBG("dev %p", dev); - if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) - BUG_ON(1); - else - set_bit(RFCOMM_TTY_RELEASED, &dev->flags); + BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags)); + + if (atomic_read(&dev->opened) > 0) + return; write_lock_bh(&rfcomm_dev_lock); list_del_init(&dev->list); @@ -684,9 +686,10 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp) if (!dev) return -ENODEV; - BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst), dev->channel, dev->opened); + BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst), + dev->channel, atomic_read(&dev->opened)); - if (dev->opened++ != 0) + if (atomic_inc_return(&dev->opened) > 1) return 0; dlc = dev->dlc; @@ -742,9 +745,10 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp) if (!dev) return; - BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc, dev->opened); + BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc, + atomic_read(&dev->opened)); - if (--dev->opened == 0) { + if (atomic_dec_and_test(&dev->opened)) { if (dev->tty_dev->parent) device_move(dev->tty_dev, NULL); @@ -758,6 +762,14 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp) tty->driver_data = NULL; dev->tty = NULL; rfcomm_dlc_unlock(dev->dlc); + + if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) { + write_lock_bh(&rfcomm_dev_lock); + list_del_init(&dev->list); + write_unlock_bh(&rfcomm_dev_lock); + + rfcomm_dev_put(dev); + } } rfcomm_dev_put(dev); -- cgit v1.1