authorDean Jenkins <Dean_Jenkins@mentor.com>2013-02-28 15:21:53 +0100
committerGustavo Padovan <gustavo.padovan@collabora.co.uk>2013-03-08 14:40:24 +0100
commitfea7b02fbf73adb2e746f00ed279a782de7e74e4 (patch)
treeb5f944e911d7e9db66d503b45a8473a85948740e
parentBluetooth: change bt_sock_unregister() to return void (diff)
Bluetooth: Avoid rfcomm_session_timeout using freed session
Use del_timer_sync() instead of del_timer() as this ensures that rfcomm_session_timeout() is not running on a different CPU when rfcomm_session_put() is called. This avoids a race condition on SMP systems because potentially rfcomm_session_timeout() could reuse the freed RFCOMM session structure caused by the execution of rfcomm_session_put(). Note that this modification makes the reason for the RFCOMM session refcnt mechanism redundant. Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
-rw-r--r--net/bluetooth/rfcomm/core.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index b23e2713fea8..d301fbbe2098 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -257,7 +257,7 @@ static void rfcomm_session_clear_timer(struct rfcomm_session *s)
{
BT_DBG("session %p state %ld", s, s->state);
- if (del_timer(&s->timer))
+ if (del_timer_sync(&s->timer))
rfcomm_session_put(s);
}
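Review bot: The switch to `del_timer_sync()` in `rfcomm_session_clear_timer()` adds a calling-context constraint that nothing in the function records: the call waits for a running `rfcomm_session_timeout()` to finish, so callers must not be in interrupt context or hold a lock the handler takes, or the wait can deadlock. Neither the handler nor the callers are visible in this hunk, so this needs checking against the rest of core.c. I would add a comment above the call, for example `/* May wait for rfcomm_session_timeout(); never call from IRQ context or with a lock the handler takes. */`. When the call returns 0 the `rfcomm_session_put(s)` is skipped, which presumably relies on the expired handler's path dropping the timer's reference itself; that is worth confirming, since the description says the refcnt reasoning is now redundant.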