summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDean Jenkins <Dean_Jenkins@mentor.com>2013-02-28 15:21:54 +0100
committerGustavo Padovan <gustavo.padovan@collabora.co.uk>2013-03-08 14:40:24 +0100
commitc06f7d532aa6f78b2847e3b651c0da27fc3296c0 (patch)
tree902e64424ee35ba3a415ebb45b75f06b4cb161d2
parentBluetooth: Avoid rfcomm_session_timeout using freed session (diff)
downloadlinux-c06f7d532aa6f78b2847e3b651c0da27fc3296c0.tar.xz
linux-c06f7d532aa6f78b2847e3b651c0da27fc3296c0.zip
Bluetooth: Check rfcomm session and DLC exists on socket close
A race condition exists between near simultaneous asynchronous DLC data channel disconnection requests from the host and remote device. This causes the socket layer to request a socket shutdown at the same time the rfcomm core is processing the disconnect request from the remote device. The socket layer retains a copy of a struct rfcomm_dlc d pointer. The d pointer refers to a copy of a struct rfcomm_session. When the socket layer thread performs a socket shutdown, the thread may wait on a rfcomm lock in rfcomm_dlc_close(). This means that whilst the thread waits, the rfcomm_session and/or rfcomm_dlc structures pointed to by d maybe freed due to rfcomm core handling. Consequently, when the rfcomm lock becomes available and the thread runs, a malfunction could occur as a freed rfcomm_session structure and/or a freed rfcomm_dlc structure will be erroneously accessed. Therefore, after the rfcomm lock is acquired, check that the struct rfcomm_session is still valid by searching the rfcomm session list. If the session is valid then validate the d pointer by searching the rfcomm session list of active DLCs for the rfcomm_dlc structure pointed by d. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
-rw-r--r--net/bluetooth/rfcomm/core.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index d301fbbe2098..d9e97cf1792b 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -493,12 +493,34 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
{
- int r;
+ int r = 0;
+ struct rfcomm_dlc *d_list;
+ struct rfcomm_session *s, *s_list;
+
+ BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
rfcomm_lock();
- r = __rfcomm_dlc_close(d, err);
+ s = d->session;
+ if (!s)
+ goto no_session;
+
+ /* after waiting on the mutex check the session still exists
+ * then check the dlc still exists
+ */
+ list_for_each_entry(s_list, &session_list, list) {
+ if (s_list == s) {
+ list_for_each_entry(d_list, &s->dlcs, list) {
+ if (d_list == d) {
+ r = __rfcomm_dlc_close(d, err);
+ break;
+ }
+ }
+ break;
+ }
+ }
+no_session:
rfcomm_unlock();
return r;
}