author: Dean Jenkins <Dean_Jenkins@mentor.com> 2013-02-28 18:21:54 +0400
committer: Gustavo Padovan <gustavo.padovan@collabora.co.uk> 2013-03-08 17:40:24 +0400
commit: c06f7d532aa6f78b2847e3b651c0da27fc3296c0 (patch)
tree: 902e64424ee35ba3a415ebb45b75f06b4cb161d2 /include/net/bluetooth
parent: fea7b02fbf73adb2e746f00ed279a782de7e74e4 (diff)
download: linux-c06f7d532aa6f78b2847e3b651c0da27fc3296c0.tar.xz
Bluetooth: Check rfcomm session and DLC exists on socket close

A race condition exists between near simultaneous asynchronous DLC data
channel disconnection requests from the host and remote device. This causes
the socket layer to request a socket shutdown at the same time the rfcomm
core is processing the disconnect request from the remote device.

The socket layer retains a copy of a struct rfcomm_dlc d pointer. The d
pointer refers to a copy of a struct rfcomm_session. When the socket layer
thread performs a socket shutdown, the thread may wait on a rfcomm lock in
rfcomm_dlc_close(). This means that whilst the thread waits, the
rfcomm_session and/or rfcomm_dlc structures pointed to by d may be freed due
to rfcomm core handling. Consequently, when the rfcomm lock becomes available
and the thread runs, a malfunction could occur as a freed rfcomm_session
structure and/or a freed rfcomm_dlc structure will be erroneously accessed.

Therefore, after the rfcomm lock is acquired, check that the struct
rfcomm_session is still valid by searching the rfcomm session list. If the
session is valid then validate the d pointer by searching the rfcomm session
list of active DLCs for the rfcomm_dlc structure pointed to by d.

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'include/net/bluetooth')
0 files changed, 0 insertions, 0 deletions
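The validation pattern the commit message describes, as a stand-alone C model added here (not the kernel's code): after the close path has waited for the lock, it confirms by address comparison that the captured session pointer is still on the global session list, and only then that the DLC pointer is still on that session's DLC list, before touching either object. All struct and function names below (session, dlc, dlc_close_checked, session_teardown, run_scenario) are illustrative; the model also assumes the caller captured the session pointer alongside the DLC pointer before blocking, and uses static storage rather than freeing so that comparing a stale pointer stays well defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative structures only; NOT the kernel's struct rfcomm_session,
 * struct rfcomm_dlc or rfcomm_dlc_close(). */
struct dlc;

struct session {
	struct session *next;   /* link in the global session list */
	struct dlc *dlcs;       /* head of this session's active DLC list */
};

struct dlc {
	struct dlc *next;        /* link in the owning session's DLC list */
	struct session *session; /* back pointer copied by the "socket layer" */
	int dlci;
	bool open;
};

/* Stands in for the rfcomm session list maintained by the core. */
static struct session *session_list;

static void session_register(struct session *s)
{
	s->dlcs = NULL;
	s->next = session_list;
	session_list = s;
}

static void dlc_register(struct session *s, struct dlc *d, int dlci)
{
	d->session = s;
	d->dlci = dlci;
	d->open = true;
	d->next = s->dlcs;
	s->dlcs = d;
}

/* Models the core handling a remote disconnect: the session and its DLCs are
 * unlinked. In the kernel they would be freed here, which is exactly what a
 * stale pointer held by a blocked socket-layer thread must not touch. */
static void session_teardown(struct session *s)
{
	struct session **pp = &session_list;
	while (*pp && *pp != s)
		pp = &(*pp)->next;
	if (*pp)
		*pp = s->next;
	for (struct dlc *d = s->dlcs; d; d = d->next)
		d->open = false;
	s->dlcs = NULL;
}

/* Both lookups compare addresses only; the candidate pointer is never
 * dereferenced until it has been found on a live list. */
static bool session_in_list(const struct session *s)
{
	for (const struct session *p = session_list; p; p = p->next)
		if (p == s)
			return true;
	return false;
}

static bool dlc_in_session(const struct session *s, const struct dlc *d)
{
	for (const struct dlc *p = s->dlcs; p; p = p->next)
		if (p == d)
			return true;
	return false;
}

/* Socket-layer close. 's' and 'd' were captured before the caller blocked on
 * the lock; from here on the lock is assumed held. Returns 1 if the DLC was
 * closed, 0 if the session or DLC vanished meanwhile and the close was skipped. */
int dlc_close_checked(struct dlc *d, struct session *s)
{
	if (!session_in_list(s))
		return 0;
	if (!dlc_in_session(s, d))
		return 0;
	d->open = false;
	return 1;
}

/* Constructed scenario: a close on a live DLC succeeds; then the remote-side
 * teardown wins the race and a close with the now-stale pointers is refused.
 * Returns first*10 + second, i.e. 10 for the expected outcome. */
int run_scenario(void)
{
	static struct session sess;        /* static pool: nothing is freed */
	static struct dlc chan_a, chan_b;
	session_list = NULL;
	session_register(&sess);
	dlc_register(&sess, &chan_a, 2);
	dlc_register(&sess, &chan_b, 4);

	int first = dlc_close_checked(&chan_a, &sess);   /* live: 1 */
	session_teardown(&sess);                         /* remote disconnect */
	int second = dlc_close_checked(&chan_b, &sess);  /* stale: 0 */
	return first * 10 + second;
}

int main(void)
{
	printf("scenario result: %d (expected 10)\n", run_scenario());
	return 0;
}
```

The order of the two checks matters: the session is validated against the global list first, because walking a session's DLC list means dereferencing the session pointer, and that is only safe once the session is known to still exist.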