diff options
author | Dean Jenkins <Dean_Jenkins@mentor.com> | 2013-02-28 09:21:54 -0500 |
---|---|---|
committer | Gustavo Padovan <gustavo.padovan@collabora.co.uk> | 2013-03-08 08:40:24 -0500 |
commit | c06f7d532aa6f78b2847e3b651c0da27fc3296c0 (patch) | |
tree | 902e64424ee35ba3a415ebb45b75f06b4cb161d2 /net/bluetooth/rfcomm | |
parent | fea7b02fbf73adb2e746f00ed279a782de7e74e4 (diff) |
Bluetooth: Check rfcomm session and DLC exists on socket close
A race condition exists between near simultaneous asynchronous
DLC data channel disconnection requests from the host and remote device.
This causes the socket layer to request a socket shutdown at the same
time the rfcomm core is processing the disconnect request from the remote
device.
The socket layer retains a copy of a struct rfcomm_dlc d pointer.
The d pointer refers to a copy of a struct rfcomm_session.
When the socket layer thread performs a socket shutdown, the thread
may wait on a rfcomm lock in rfcomm_dlc_close(). This means that
whilst the thread waits, the rfcomm_session and/or rfcomm_dlc structures
pointed to by d maybe freed due to rfcomm core handling. Consequently,
when the rfcomm lock becomes available and the thread runs, a
malfunction could occur as a freed rfcomm_session structure and/or a
freed rfcomm_dlc structure will be erroneously accessed.
Therefore, after the rfcomm lock is acquired, check that the struct
rfcomm_session is still valid by searching the rfcomm session list.
If the session is valid then validate the d pointer by searching the
rfcomm session list of active DLCs for the rfcomm_dlc structure
pointed by d.
Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'net/bluetooth/rfcomm')
-rw-r--r-- | net/bluetooth/rfcomm/core.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index d301fbbe2098..d9e97cf1792b 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c | |||
@@ -493,12 +493,34 @@ static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) | |||
493 | 493 | ||
494 | int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) | 494 | int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) |
495 | { | 495 | { |
496 | int r; | 496 | int r = 0; |
497 | struct rfcomm_dlc *d_list; | ||
498 | struct rfcomm_session *s, *s_list; | ||
499 | |||
500 | BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err); | ||
497 | 501 | ||
498 | rfcomm_lock(); | 502 | rfcomm_lock(); |
499 | 503 | ||
500 | r = __rfcomm_dlc_close(d, err); | 504 | s = d->session; |
505 | if (!s) | ||
506 | goto no_session; | ||
507 | |||
508 | /* after waiting on the mutex check the session still exists | ||
509 | * then check the dlc still exists | ||
510 | */ | ||
511 | list_for_each_entry(s_list, &session_list, list) { | ||
512 | if (s_list == s) { | ||
513 | list_for_each_entry(d_list, &s->dlcs, list) { | ||
514 | if (d_list == d) { | ||
515 | r = __rfcomm_dlc_close(d, err); | ||
516 | break; | ||
517 | } | ||
518 | } | ||
519 | break; | ||
520 | } | ||
521 | } | ||
501 | 522 | ||
523 | no_session: | ||
502 | rfcomm_unlock(); | 524 | rfcomm_unlock(); |
503 | return r; | 525 | return r; |
504 | } | 526 | } |