diff options
| author | Michael Knudsen <m.knudsen@samsung.com> | 2014-02-18 03:48:08 -0500 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2014-03-04 04:03:14 -0500 |
| commit | c327cddd184059d018b12d7ef818ba0961200079 (patch) | |
| tree | 61434dce7c8a233fbdf0f2c6103c27321202cb1f /drivers | |
| parent | 81ad6fd9698f659dbabdc6cd3e1667a98eb2be3b (diff) | |
Bluetooth: Stop BCSP/H5 timer before cleaning up
When stopping BCSP/H5, stop the retransmission timer before proceeding
to clean up packet queues. The previous code had a race condition where
the timer could trigger after the packet lists and protocol structure
had been removed which led to dereferencing NULL or use-after-free bugs.
Signed-off-by: Michael Knudsen <m.knudsen@samsung.com>
Reported-by: Kirill Tkhai <ktkhai@parallels.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/bluetooth/hci_bcsp.c | 4 | ||||
| -rw-r--r-- | drivers/bluetooth/hci_h5.c | 4 |
2 files changed, 5 insertions, 3 deletions
diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 0bc87f7abd95..eee2fb23b3bf 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c | |||
| @@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu) | |||
| 715 | static int bcsp_close(struct hci_uart *hu) | 715 | static int bcsp_close(struct hci_uart *hu) |
| 716 | { | 716 | { |
| 717 | struct bcsp_struct *bcsp = hu->priv; | 717 | struct bcsp_struct *bcsp = hu->priv; |
| 718 | |||
| 719 | del_timer_sync(&bcsp->tbcsp); | ||
| 720 | |||
| 718 | hu->priv = NULL; | 721 | hu->priv = NULL; |
| 719 | 722 | ||
| 720 | BT_DBG("hu %p", hu); | 723 | BT_DBG("hu %p", hu); |
| @@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu) | |||
| 722 | skb_queue_purge(&bcsp->unack); | 725 | skb_queue_purge(&bcsp->unack); |
| 723 | skb_queue_purge(&bcsp->rel); | 726 | skb_queue_purge(&bcsp->rel); |
| 724 | skb_queue_purge(&bcsp->unrel); | 727 | skb_queue_purge(&bcsp->unrel); |
| 725 | del_timer(&bcsp->tbcsp); | ||
| 726 | 728 | ||
| 727 | kfree(bcsp); | 729 | kfree(bcsp); |
| 728 | return 0; | 730 | return 0; |
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c index f6f497450560..afd759eaa704 100644 --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c | |||
| @@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu) | |||
| 206 | { | 206 | { |
| 207 | struct h5 *h5 = hu->priv; | 207 | struct h5 *h5 = hu->priv; |
| 208 | 208 | ||
| 209 | del_timer_sync(&h5->timer); | ||
| 210 | |||
| 209 | skb_queue_purge(&h5->unack); | 211 | skb_queue_purge(&h5->unack); |
| 210 | skb_queue_purge(&h5->rel); | 212 | skb_queue_purge(&h5->rel); |
| 211 | skb_queue_purge(&h5->unrel); | 213 | skb_queue_purge(&h5->unrel); |
| 212 | 214 | ||
| 213 | del_timer(&h5->timer); | ||
| 214 | |||
| 215 | kfree(h5); | 215 | kfree(h5); |
| 216 | 216 | ||
| 217 | return 0; | 217 | return 0; |