diff options
author | Michael Knudsen <m.knudsen@samsung.com> | 2014-02-18 09:48:08 +0100 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2014-03-04 10:03:14 +0100 |
commit | c327cddd184059d018b12d7ef818ba0961200079 (patch) | |
tree | 61434dce7c8a233fbdf0f2c6103c27321202cb1f /drivers/bluetooth/hci_bcsp.c | |
parent | Bluetooth: Remove unnecessary stop_scan_complete function (diff) | |
download | linux-c327cddd184059d018b12d7ef818ba0961200079.tar.xz linux-c327cddd184059d018b12d7ef818ba0961200079.zip |
Bluetooth: Stop BCSP/H5 timer before cleaning up
When stopping BCSP/H5, stop the retransmission timer before proceeding
to clean up packet queues. The previous code had a race condition where
the timer could trigger after the packet lists and protocol structure
had been removed which led to dereferencing NULL or use-after-free bugs.
Signed-off-by: Michael Knudsen <m.knudsen@samsung.com>
Reported-by: Kirill Tkhai <ktkhai@parallels.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'drivers/bluetooth/hci_bcsp.c')
-rw-r--r-- | drivers/bluetooth/hci_bcsp.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 0bc87f7abd95..eee2fb23b3bf 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu) static int bcsp_close(struct hci_uart *hu) { struct bcsp_struct *bcsp = hu->priv; + + del_timer_sync(&bcsp->tbcsp); + hu->priv = NULL; BT_DBG("hu %p", hu); @@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu) skb_queue_purge(&bcsp->unack); skb_queue_purge(&bcsp->rel); skb_queue_purge(&bcsp->unrel); - del_timer(&bcsp->tbcsp); kfree(bcsp); return 0; |