From: Dean Jenkins Date: Thu, 28 Feb 2013 14:21:53 +0000 (+0000) Subject: Bluetooth: Avoid rfcomm_session_timeout using freed session X-Git-Tag: firefly_0821_release~3680^2~478^2~21^2^2~234^2~53 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=fea7b02fbf73adb2e746f00ed279a782de7e74e4;p=firefly-linux-kernel-4.4.55.git Bluetooth: Avoid rfcomm_session_timeout using freed session Use del_timer_sync() instead of del_timer() as this ensures that rfcomm_session_timeout() is not running on a different CPU when rfcomm_session_put() is called. This avoids a race condition on SMP systems because potentially rfcomm_session_timeout() could reuse the freed RFCOMM session structure caused by the execution of rfcomm_session_put(). Note that this modification makes the reason for the RFCOMM session refcnt mechanism redundant. Signed-off-by: Dean Jenkins Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan --- diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index b23e2713fea8..d301fbbe2098 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -257,7 +257,7 @@ static void rfcomm_session_clear_timer(struct rfcomm_session *s) { BT_DBG("session %p state %ld", s, s->state); - if (del_timer(&s->timer)) + if (del_timer_sync(&s->timer)) rfcomm_session_put(s); }