[BLUETOOTH]: rfcomm tty BUG_ON() code fix

1) In tty.c the BUG_ON at line 115 will never be called, because the the before list_del_init in this same function. 115 BUG_ON(!list_empty(&dev->list)); So move the list_del_init to rfcomm_dev_del 2) The rfcomm_dev_del could be called from diffrent path (rfcomm_tty_hangup/rfcomm_dev_state_change/rfcomm_release_dev), So add another BUG_ON when the rfcomm_dev_del is called more than one time. Signed-off-by: Dave Young <hidave.darkstar@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Dave Young <hidave.darkstar@gmail.com> 2008-01-11 01:22:52 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-11 01:22:52 -0500
commit: f951375d470c1a20d92c34377991197e6bf17990 (patch)
tree: c479a1b80c14072a9486214f034078ab6f524471
parent: ecd2ebdea350c40e73c00d400d74c8a09c072082 (diff)
1 files changed, 13 insertions, 9 deletions
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index e447651a2dbe..a6a758dd1f7d 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -95,9 +95,10 @@ static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
        BT_DBG("dev %p dlc %p", dev, dlc);
-        write_lock_bh(&rfcomm_dev_lock);
+        /* Refcount should only hit zero when called from rfcomm_dev_del()
-        list_del_init(&dev->list);
+           which will have taken us off the list. Everything else are
-        write_unlock_bh(&rfcomm_dev_lock);
+           refcounting bugs. */
+        BUG_ON(!list_empty(&dev->list));
        rfcomm_dlc_lock(dlc);
        /* Detach DLC if it's owned by this dev */
@@ -109,11 +110,6 @@ static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
        tty_unregister_device(rfcomm_tty_driver, dev->id);
-        /* Refcount should only hit zero when called from rfcomm_dev_del()
-           which will have taken us off the list. Everything else are
-           refcounting bugs. */
-        BUG_ON(!list_empty(&dev->list));
        kfree(dev);
        /* It's safe to call module_put() here because socket still
@@ -313,7 +309,15 @@ static void rfcomm_dev_del(struct rfcomm_dev *dev)
 {
        BT_DBG("dev %p", dev);
-        set_bit(RFCOMM_TTY_RELEASED, &dev->flags);
+        if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
+                BUG_ON(1);
+        else
+                set_bit(RFCOMM_TTY_RELEASED, &dev->flags);
+        write_lock_bh(&rfcomm_dev_lock);
+        list_del_init(&dev->list);
+        write_unlock_bh(&rfcomm_dev_lock);
        rfcomm_dev_put(dev);
 }
author	Dave Young <hidave.darkstar@gmail.com>	2008-01-11 01:22:52 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-11 01:22:52 -0500
commit	f951375d470c1a20d92c34377991197e6bf17990 (patch)
tree	c479a1b80c14072a9486214f034078ab6f524471
parent	ecd2ebdea350c40e73c00d400d74c8a09c072082 (diff)