summaryrefslogtreecommitdiffstats
path: root/net/bluetooth/rfcomm
diff options
context:
space:
mode:
authorPeter Hurley <peter@hurleysoftware.com>2014-02-10 02:59:09 +0100
committerMarcel Holtmann <marcel@holtmann.org>2014-02-14 22:39:30 +0100
commitc949c224cfd7d5445ef947e8b93c0657323d5be5 (patch)
tree99a229dec8e8b61a37ee0469aa45be3d38bfc397 /net/bluetooth/rfcomm
parentBluetooth: Fix unreleased rfcomm_dev reference (diff)
downloadlinux-c949c224cfd7d5445ef947e8b93c0657323d5be5.tar.xz
linux-c949c224cfd7d5445ef947e8b93c0657323d5be5.zip
Bluetooth: Fix RFCOMM tty teardown race
RFCOMM tty device teardown can race with new tty device registration for the same device id: CPU 0 | CPU 1 rfcomm_dev_add | rfcomm_dev_destruct | spin_lock | list_del <== dev_id no longer used | spin_unlock spin_lock | . [search rfcomm_dev_list] | . [dev_id not in use] | . [initialize new rfcomm_dev] | . spin_unlock | . | . tty_port_register_device | tty_unregister_device Don't remove rfcomm_dev from the device list until after tty device unregistration has completed. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Tested-By: Alexander Holler <holler@ahsoftware.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/rfcomm')
-rw-r--r--net/bluetooth/rfcomm/tty.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index bb570d95adca..6ea08b05b53a 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -84,10 +84,6 @@ static void rfcomm_dev_destruct(struct tty_port *port)
BT_DBG("dev %p dlc %p", dev, dlc);
- spin_lock(&rfcomm_dev_lock);
- list_del(&dev->list);
- spin_unlock(&rfcomm_dev_lock);
-
rfcomm_dlc_lock(dlc);
/* Detach DLC if it's owned by this dev */
if (dlc->owner == dev)
@@ -98,6 +94,10 @@ static void rfcomm_dev_destruct(struct tty_port *port)
tty_unregister_device(rfcomm_tty_driver, dev->id);
+ spin_lock(&rfcomm_dev_lock);
+ list_del(&dev->list);
+ spin_unlock(&rfcomm_dev_lock);
+
kfree(dev);
/* It's safe to call module_put() here because socket still