[PATCH 09/24] Bluetooth: Fix RFCOMM tty teardown race

From: Peter Hurley
Date: Sun Feb 09 2014 - 21:23:27 EST


RFCOMM tty device teardown can race with new tty device registration
for the same device id:

CPU 0 | CPU 1
rfcomm_dev_add | rfcomm_dev_destruct
| spin_lock
| list_del <== dev_id no longer used
| spin_unlock
spin_lock | .
[search rfcomm_dev_list] | .
[dev_id not in use] | .
[initialize new rfcomm_dev] | .
spin_unlock | .
| .
tty_port_register_device | tty_unregister_device

Don't remove rfcomm_dev from the device list until after tty device
unregistration has completed.

Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx>
---
net/bluetooth/rfcomm/tty.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index bb570d9..6ea08b0 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -84,10 +84,6 @@ static void rfcomm_dev_destruct(struct tty_port *port)

BT_DBG("dev %p dlc %p", dev, dlc);

- spin_lock(&rfcomm_dev_lock);
- list_del(&dev->list);
- spin_unlock(&rfcomm_dev_lock);
-
rfcomm_dlc_lock(dlc);
/* Detach DLC if it's owned by this dev */
if (dlc->owner == dev)
@@ -98,6 +94,10 @@ static void rfcomm_dev_destruct(struct tty_port *port)

tty_unregister_device(rfcomm_tty_driver, dev->id);

+ spin_lock(&rfcomm_dev_lock);
+ list_del(&dev->list);
+ spin_unlock(&rfcomm_dev_lock);
+
kfree(dev);

/* It's safe to call module_put() here because socket still
--
1.8.1.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/