summaryrefslogtreecommitdiffstats
path: root/drivers/bluetooth/hci_h5.c
diff options
context:
space:
mode:
authorMichael Knudsen <m.knudsen@samsung.com>2014-02-18 09:48:08 +0100
committerJohan Hedberg <johan.hedberg@intel.com>2014-03-04 10:03:14 +0100
commitc327cddd184059d018b12d7ef818ba0961200079 (patch)
tree61434dce7c8a233fbdf0f2c6103c27321202cb1f /drivers/bluetooth/hci_h5.c
parentBluetooth: Remove unnecessary stop_scan_complete function (diff)
downloadlinux-c327cddd184059d018b12d7ef818ba0961200079.tar.xz
linux-c327cddd184059d018b12d7ef818ba0961200079.zip
Bluetooth: Stop BCSP/H5 timer before cleaning up
When stopping BCSP/H5, stop the retransmission timer before proceeding to clean up packet queues. The previous code had a race condition where the timer could trigger after the packet lists and protocol structure had been removed which led to dereferencing NULL or use-after-free bugs. Signed-off-by: Michael Knudsen <m.knudsen@samsung.com> Reported-by: Kirill Tkhai <ktkhai@parallels.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'drivers/bluetooth/hci_h5.c')
-rw-r--r--drivers/bluetooth/hci_h5.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index f6f497450560..afd759eaa704 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu)
{
struct h5 *h5 = hu->priv;
+ del_timer_sync(&h5->timer);
+
skb_queue_purge(&h5->unack);
skb_queue_purge(&h5->rel);
skb_queue_purge(&h5->unrel);
- del_timer(&h5->timer);
-
kfree(h5);
return 0;