Bluetooth: Stop BCSP/H5 timer before cleaning up
authorMichael Knudsen <m.knudsen@samsung.com>
Tue, 18 Feb 2014 08:48:08 +0000 (09:48 +0100)
committerJohan Hedberg <johan.hedberg@intel.com>
Tue, 4 Mar 2014 09:03:14 +0000 (11:03 +0200)
When stopping BCSP/H5, stop the retransmission timer before proceeding
to clean up packet queues.  The previous code had a race condition where
the timer could trigger after the packet lists and protocol structure
had been removed which led to dereferencing NULL or use-after-free bugs.

Signed-off-by: Michael Knudsen <m.knudsen@samsung.com>
Reported-by: Kirill Tkhai <ktkhai@parallels.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
drivers/bluetooth/hci_bcsp.c
drivers/bluetooth/hci_h5.c

index 0bc87f7abd958a262028cdd1f0cb7cb0b624c45e..eee2fb23b3bfe032343a48ae1d4fad459486799b 100644 (file)
@@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu)
 static int bcsp_close(struct hci_uart *hu)
 {
        struct bcsp_struct *bcsp = hu->priv;
+
+       del_timer_sync(&bcsp->tbcsp);
+
        hu->priv = NULL;
 
        BT_DBG("hu %p", hu);
@@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu)
        skb_queue_purge(&bcsp->unack);
        skb_queue_purge(&bcsp->rel);
        skb_queue_purge(&bcsp->unrel);
-       del_timer(&bcsp->tbcsp);
 
        kfree(bcsp);
        return 0;
index f6f4974505600a2884f56c01be22bd6a79492f04..afd759eaa704482afcea287796b782a2c442bd90 100644 (file)
@@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu)
 {
        struct h5 *h5 = hu->priv;
 
+       del_timer_sync(&h5->timer);
+
        skb_queue_purge(&h5->unack);
        skb_queue_purge(&h5->rel);
        skb_queue_purge(&h5->unrel);
 
-       del_timer(&h5->timer);
-
        kfree(h5);
 
        return 0;