Bluetooth: Stop BCSP/H5 timer before cleaning up
When stopping BCSP/H5, stop the retransmission timer before proceeding to clean up the packet queues. The previous code had a race condition where the timer could fire after the packet lists and protocol structure had been removed, which led to NULL-pointer dereferences or use-after-free bugs.

Signed-off-by: Michael Knudsen <m.knudsen@samsung.com>
Reported-by: Kirill Tkhai <ktkhai@parallels.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This commit is contained in:
parent
81ad6fd969
commit
c327cddd18
@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu)
|
|||
static int bcsp_close(struct hci_uart *hu)
|
||||
{
|
||||
struct bcsp_struct *bcsp = hu->priv;
|
||||
|
||||
del_timer_sync(&bcsp->tbcsp);
|
||||
|
||||
hu->priv = NULL;
|
||||
|
||||
BT_DBG("hu %p", hu);
|
||||
|
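Review bot: The new `del_timer_sync(&bcsp->tbcsp);` carries no comment saying why it must come before the queue purges and kfree, and the same holds for `del_timer_sync(&h5->timer);` in the h5_close hunk; a one-liner such as `/* Stop the retransmit timer first: its handler must not run once the queues are purged and bcsp is freed */` would keep a later reorder from reintroducing the race the commit message describes. del_timer_sync only guarantees the handler has finished when it returns; if the timer callback re-arms the timer, the caller has to prevent that re-arming, and whether bcsp_timed_event does so is not visible in this hunk, so it is worth confirming. It also must not be called from interrupt context, which presumably holds on the close path. bcsp_close's body continues past this hunk.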
@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu)
|
|||
skb_queue_purge(&bcsp->unack);
|
||||
skb_queue_purge(&bcsp->rel);
|
||||
skb_queue_purge(&bcsp->unrel);
|
||||
del_timer(&bcsp->tbcsp);
|
||||
|
||||
kfree(bcsp);
|
||||
return 0;
|
||||
|
@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu)
|
|||
{
|
||||
struct h5 *h5 = hu->priv;
|
||||
|
||||
del_timer_sync(&h5->timer);
|
||||
|
||||
skb_queue_purge(&h5->unack);
|
||||
skb_queue_purge(&h5->rel);
|
||||
skb_queue_purge(&h5->unrel);
|
||||
|
||||
del_timer(&h5->timer);
|
||||
|
||||
kfree(h5);
|
||||
|
||||
return 0;
|
||||
|
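Review bot: hu->priv still points at h5 after `kfree(h5);` near the end of this hunk, whereas bcsp_close in the same commit clears it with `hu->priv = NULL;` before tearing the structure down; unless the caller discards hu immediately after close (not visible here), a later protocol callback would reach freed memory through it. Adding `hu->priv = NULL;` right after `struct h5 *h5 = hu->priv;` would make the two close paths consistent and remove the dangling pointer regardless of what the caller does.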