From: Michael Knudsen Date: Tue, 18 Feb 2014 08:48:08 +0000 (+0100) Subject: Bluetooth: Stop BCSP/H5 timer before cleaning up X-Git-Tag: firefly_0821_release~176^2~3540^2~11^2~7^2~45^2~83 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=c327cddd184059d018b12d7ef818ba0961200079;p=firefly-linux-kernel-4.4.55.git Bluetooth: Stop BCSP/H5 timer before cleaning up When stopping BCSP/H5, stop the retransmission timer before proceeding to clean up packet queues. The previous code had a race condition where the timer could trigger after the packet lists and protocol structure had been removed which led to dereferencing NULL or use-after-free bugs. Signed-off-by: Michael Knudsen Reported-by: Kirill Tkhai Signed-off-by: Johan Hedberg --- diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 0bc87f7abd95..eee2fb23b3bf 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu) static int bcsp_close(struct hci_uart *hu) { struct bcsp_struct *bcsp = hu->priv; + + del_timer_sync(&bcsp->tbcsp); + hu->priv = NULL; BT_DBG("hu %p", hu); @@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu) skb_queue_purge(&bcsp->unack); skb_queue_purge(&bcsp->rel); skb_queue_purge(&bcsp->unrel); - del_timer(&bcsp->tbcsp); kfree(bcsp); return 0; diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c index f6f497450560..afd759eaa704 100644 --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c @@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu) { struct h5 *h5 = hu->priv; + del_timer_sync(&h5->timer); + skb_queue_purge(&h5->unack); skb_queue_purge(&h5->rel); skb_queue_purge(&h5->unrel); - del_timer(&h5->timer); - kfree(h5); return 0;