hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bluetooth: Stop BCSP/H5 timer before cleaning up 

When stopping BCSP/H5, stop the retransmission timer before proceeding
to clean up packet queues.  The previous code had a race condition where
the timer could trigger after the packet lists and protocol structure
had been removed which led to dereferencing NULL or use-after-free bugs.

Signed-off-by: Michael Knudsen <m.knudsen@samsung.com>
Reported-by: Kirill Tkhai <ktkhai@parallels.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This commit is contained in:
Michael Knudsen 2014-02-18 09:48:08 +01:00 committed by Johan Hedberg
parent 81ad6fd969
commit c327cddd18
2 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/bluetooth/hci_bcsp.c
View File

@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu)
static int bcsp_close(struct hci_uart *hu) static int bcsp_close(struct hci_uart *hu)
{ {
struct bcsp_struct *bcsp = hu->priv; struct bcsp_struct *bcsp = hu->priv;
del_timer_sync(&bcsp->tbcsp);
hu->priv = NULL; hu->priv = NULL;
BT_DBG("hu %p", hu); BT_DBG("hu %p", hu);
@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu)
skb_queue_purge(&bcsp->unack); skb_queue_purge(&bcsp->unack);
skb_queue_purge(&bcsp->rel); skb_queue_purge(&bcsp->rel);
skb_queue_purge(&bcsp->unrel); skb_queue_purge(&bcsp->unrel);
del_timer(&bcsp->tbcsp);
kfree(bcsp); kfree(bcsp);
return 0; return 0;

4
drivers/bluetooth/hci_h5.c
View File

@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu)
{ {
struct h5 *h5 = hu->priv; struct h5 *h5 = hu->priv;
del_timer_sync(&h5->timer);
skb_queue_purge(&h5->unack); skb_queue_purge(&h5->unack);
skb_queue_purge(&h5->rel); skb_queue_purge(&h5->rel);
skb_queue_purge(&h5->unrel); skb_queue_purge(&h5->unrel);
del_timer(&h5->timer);
kfree(h5); kfree(h5);
return 0; return 0;