diff options
| author | Peter Hurley <peter@hurleysoftware.com> | 2014-02-09 20:59:15 -0500 |
|---|---|---|
| committer | Marcel Holtmann <marcel@holtmann.org> | 2014-02-14 13:39:31 -0800 |
| commit | b92483d54abb4ff288accc36bf1daef44dea9fbe (patch) | |
| tree | 784f48a3535ba09ef487d580bc5a31d330ac246a /net/atm/common.h | |
| parent | c4fd318d6ebc16bd64ca7b9c06f21b7f33bb462e (diff) | |
| download | linux-b92483d54abb4ff288accc36bf1daef44dea9fbe.tar.gz | |
Bluetooth: Fix unsafe RFCOMM device parenting
Accessing the results of hci_conn_hash_lookup_ba() is unsafe without
holding the hci_dev_lock() during the lookup. For example:
CPU 0 | CPU 1
hci_conn_hash_lookup_ba | hci_conn_del
rcu_read_lock | hci_conn_hash_del
list_for_each_entry_rcu | list_del_rcu
if (.....) | synchronize_rcu
rcu_read_unlock |
| hci_conn_del_sysfs
| hci_dev_put
| hci_conn_put
| put_device (last reference)
| bt_link_release
| kfree(conn)
return p << just freed |
Even if a hci_conn reference were taken (via hci_conn_get), would
not guarantee the lifetime of the sysfs device, but only safe
access to the in-memory structure.
Ensure the hci_conn device stays valid while the rfcomm device
is reparented; rename rfcomm_get_device() to rfcomm_reparent_device()
and perform the reparenting within the function while holding the
hci_dev_lock.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/atm/common.h')
0 files changed, 0 insertions, 0 deletions