Bluetooth: Fix RFCOMM tty teardown race
RFCOMM tty device teardown can race with new tty device registration for the same device id:

    CPU 0                           | CPU 1
    rfcomm_dev_add                  | rfcomm_dev_destruct
                                    |   spin_lock
                                    |   list_del   <== dev_id no longer used
                                    |   spin_unlock
      spin_lock                     |     .
      [search rfcomm_dev_list]      |     .
      [dev_id not in use]           |     .
      [initialize new rfcomm_dev]   |     .
      spin_unlock                   |     .
                                    |     .
      tty_port_register_device      |   tty_unregister_device

Don't remove rfcomm_dev from the device list until after tty device unregistration has completed.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent
80ea73378a
commit
c949c224cf
|
@ -84,10 +84,6 @@ static void rfcomm_dev_destruct(struct tty_port *port)
|
||||||
|
|
||||||
BT_DBG("dev %p dlc %p", dev, dlc);
|
BT_DBG("dev %p dlc %p", dev, dlc);
|
||||||
|
|
||||||
spin_lock(&rfcomm_dev_lock);
|
|
||||||
list_del(&dev->list);
|
|
||||||
spin_unlock(&rfcomm_dev_lock);
|
|
||||||
|
|
||||||
rfcomm_dlc_lock(dlc);
|
rfcomm_dlc_lock(dlc);
|
||||||
/* Detach DLC if it's owned by this dev */
|
/* Detach DLC if it's owned by this dev */
|
||||||
if (dlc->owner == dev)
|
if (dlc->owner == dev)
|
||||||
|
@ -98,6 +94,10 @@ static void rfcomm_dev_destruct(struct tty_port *port)
|
||||||
|
|
||||||
tty_unregister_device(rfcomm_tty_driver, dev->id);
|
tty_unregister_device(rfcomm_tty_driver, dev->id);
|
||||||
|
|
||||||
|
spin_lock(&rfcomm_dev_lock);
|
||||||
|
list_del(&dev->list);
|
||||||
|
spin_unlock(&rfcomm_dev_lock);
|
||||||
|
|
||||||
kfree(dev);
|
kfree(dev);
|
||||||
|
|
||||||
/* It's safe to call module_put() here because socket still
|
/* It's safe to call module_put() here because socket still
|
||||||
|
|
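Review bot: In the second hunk, `dev` now stays on `rfcomm_dev_list` for the whole of `tty_unregister_device()` while its destructor is already running, and `kfree(dev)` follows directly after the unlock. Any code that walks the list under `rfcomm_dev_lock` can therefore find an entry that is about to be freed. The lookup paths are not visible in these hunks, so this is inferred, but it is worth confirming that they take a reference only when the port's refcount is still non-zero; otherwise the id-reuse race is exchanged for a possible use-after-free. I would also document the ordering above the moved block, e.g. `/* Keep dev on rfcomm_dev_list until the tty device is unregistered so its id cannot be reused; list walkers must not take a reference to a dev being destructed. */`. The body of `rfcomm_dev_destruct` starts and ends outside both hunks.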