diff options
author | Peter Hurley <peter@hurleysoftware.com> | 2014-02-09 20:59:09 -0500 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2014-02-14 13:39:30 -0800 |
commit | c949c224cfd7d5445ef947e8b93c0657323d5be5 (patch) | |
tree | 99a229dec8e8b61a37ee0469aa45be3d38bfc397 | |
parent | 80ea73378af46b0023eb2f400d26c2a60248ffaa (diff) |
Bluetooth: Fix RFCOMM tty teardown race
RFCOMM tty device teardown can race with new tty device registration
for the same device id:
CPU 0 | CPU 1
rfcomm_dev_add | rfcomm_dev_destruct
| spin_lock
| list_del <== dev_id no longer used
| spin_unlock
spin_lock | .
[search rfcomm_dev_list] | .
[dev_id not in use] | .
[initialize new rfcomm_dev] | .
spin_unlock | .
| .
tty_port_register_device | tty_unregister_device
Don't remove rfcomm_dev from the device list until after tty device
unregistration has completed.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/rfcomm/tty.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index bb570d95adca..6ea08b05b53a 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -84,10 +84,6 @@ static void rfcomm_dev_destruct(struct tty_port *port) BT_DBG("dev %p dlc %p", dev, dlc); - spin_lock(&rfcomm_dev_lock); - list_del(&dev->list); - spin_unlock(&rfcomm_dev_lock); - rfcomm_dlc_lock(dlc); /* Detach DLC if it's owned by this dev */ if (dlc->owner == dev) @@ -98,6 +94,10 @@ static void rfcomm_dev_destruct(struct tty_port *port) tty_unregister_device(rfcomm_tty_driver, dev->id); + spin_lock(&rfcomm_dev_lock); + list_del(&dev->list); + spin_unlock(&rfcomm_dev_lock); + kfree(dev); /* It's safe to call module_put() here because socket still |