authorGustavo F. Padovan <padovan@profusion.mobi>2010-09-21 15:31:11 -0400
committerGustavo F. Padovan <padovan@profusion.mobi>2010-09-30 11:19:35 -0400
commite454c844644683571617896ab2a4ce0109c1943e (patch)
treefd8fbcb76608bce78062c6a74ff8e8b65b3e34ae
parentb0239c80fe89d5832a68a0f3121a9d5ec9fb763e (diff)
Bluetooth: Fix deadlock in the ERTM logic
The Enhanced Retransmission Mode (ERTM) is a reliable mode of operation of the Bluetooth L2CAP layer. Think of it as a simplified version of TCP. The problem we were facing here was a deadlock. ERTM uses a backlog queue to queue incoming packets while the user is holding the lock. At some moment the sk_sndbuf can be exceeded and we can't allocate new skbs, so the code sleeps with the lock held to wait for memory; that stalls the ERTM connection, since we can't read the acknowledgement packets in the backlog queue to free memory and make the allocation of outgoing skbs successful. This patch actually affects all users of bt_skb_send_alloc(), i.e., all L2CAP modes and SCO. We are safe against socket state changes or channel deletion while we are sleeping waiting for memory. Checking sk->sk_err and sk->sk_shutdown makes the code safe, since any action that can leave the socket or the channel in an unusable state sets at least one of those struct members. Then we can check both of them when getting the lock again and return the proper error if something unexpected happens. Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Ulisses Furquim <ulisses@profusion.mobi>
-rw-r--r--include/net/bluetooth/bluetooth.h18
1 files changed, 18 insertions, 0 deletions
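--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -161,12 +161,30 @@ static inline struct sk_buff *bt_skb_send_alloc(struct sock *sk, unsigned long l
 {
 	struct sk_buff *skb;
 
+	release_sock(sk);
 	if ((skb = sock_alloc_send_skb(sk, len + BT_SKB_RESERVE, nb, err))) {
 		skb_reserve(skb, BT_SKB_RESERVE);
 		bt_cb(skb)->incoming = 0;
 	}
+	lock_sock(sk);
+
+	if (!skb && *err)
+		return NULL;
+
+	*err = sock_error(sk);
+	if (*err)
+		goto out;
+
+	if (sk->sk_shutdown) {
+		*err = -ECONNRESET;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	kfree_skb(skb);
+	return NULL;
 }
 
 int bt_err(__u16 code);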
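Review bot: The new release_sock()/lock_sock() pair turns "caller holds the socket lock" into a precondition of bt_skb_send_alloc(), but nothing in the header states it; release_sock() on a socket the caller never locked would be a bug, and the signature line sits above the hunk header so the contract has no visible home. A comment on the signature would fix that: `/* Caller must hold the socket lock: it is dropped while sleeping for memory, and sk_err / sk_shutdown are re-checked once it is taken again. */`. The guard `if (!skb && *err) return NULL;` is also narrower than it reads: if sock_alloc_send_skb() ever returned NULL without setting *err (every failure path I am aware of does set it), the NULL would fall through the state checks and leave via `return skb` with *err still 0, which callers are unlikely to expect. `if (!skb) return NULL;` says what is meant and closes that gap. Lastly, sk->sk_shutdown is tested as a whole, so a receive-only shutdown also fails the send with -ECONNRESET; if that is intended for the Bluetooth sockets, a short comment on that branch would spare the next reader the lookup.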