diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2007-05-04 18:36:10 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2007-05-04 18:36:10 -0400 |
commit | 77f2a45fa1ba33147fd6cc8ae546188504a822cd (patch) | |
tree | c714c55fde74c5dd82b031b8ac605121a2b3f5b7 | |
parent | 48db9ca4f2ac9f39eb90ccb12ad3ca7b645a552c (diff) |
[Bluetooth] Check that device is in rfcomm_dev_list before deleting
If RFCOMM_RELEASE_ONHUP flag is on and rfcomm_release_dev is called
before connection is closed, rfcomm_dev is deleted twice from the
rfcomm_dev_list and refcount is messed up. This patch adds a check
before deleting device that the device actually is listed.
Signed-off-by: Ville Tervo <ville.tervo@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | net/bluetooth/rfcomm/tty.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index 9a7a44fc721f..b2b1cceb102a 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c | |||
@@ -517,9 +517,10 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err) | |||
517 | if (dlc->state == BT_CLOSED) { | 517 | if (dlc->state == BT_CLOSED) { |
518 | if (!dev->tty) { | 518 | if (!dev->tty) { |
519 | if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) { | 519 | if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) { |
520 | rfcomm_dev_hold(dev); | 520 | if (rfcomm_dev_get(dev->id) == NULL) |
521 | rfcomm_dev_del(dev); | 521 | return; |
522 | 522 | ||
523 | rfcomm_dev_del(dev); | ||
523 | /* We have to drop DLC lock here, otherwise | 524 | /* We have to drop DLC lock here, otherwise |
524 | rfcomm_dev_put() will dead lock if it's | 525 | rfcomm_dev_put() will dead lock if it's |
525 | the last reference. */ | 526 | the last reference. */ |
@@ -974,8 +975,12 @@ static void rfcomm_tty_hangup(struct tty_struct *tty) | |||
974 | 975 | ||
975 | rfcomm_tty_flush_buffer(tty); | 976 | rfcomm_tty_flush_buffer(tty); |
976 | 977 | ||
977 | if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) | 978 | if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) { |
979 | if (rfcomm_dev_get(dev->id) == NULL) | ||
980 | return; | ||
978 | rfcomm_dev_del(dev); | 981 | rfcomm_dev_del(dev); |
982 | rfcomm_dev_put(dev); | ||
983 | } | ||
979 | } | 984 | } |
980 | 985 | ||
981 | static int rfcomm_tty_read_proc(char *buf, char **start, off_t offset, int len, int *eof, void *unused) | 986 | static int rfcomm_tty_read_proc(char *buf, char **start, off_t offset, int len, int *eof, void *unused) |