| author | Peter Hurley <[email protected]> | 2014-02-09 20:59:15 -0500 |
|---|---|---|
| committer | Marcel Holtmann <[email protected]> | 2014-02-14 13:39:31 -0800 |
| commit | b92483d54abb4ff288accc36bf1daef44dea9fbe (patch) | |
| tree | 784f48a3535ba09ef487d580bc5a31d330ac246a /tools/perf/scripts/python | |
| parent | c4fd318d6ebc16bd64ca7b9c06f21b7f33bb462e (diff) | |
Bluetooth: Fix unsafe RFCOMM device parenting

Accessing the results of hci_conn_hash_lookup_ba() is unsafe without
holding the hci_dev_lock() during the lookup. For example:

    CPU 0                      |  CPU 1
    hci_conn_hash_lookup_ba    |  hci_conn_del
    rcu_read_lock              |  hci_conn_hash_del
    list_for_each_entry_rcu    |  list_del_rcu
    if (.....)                 |  synchronize_rcu
    rcu_read_unlock            |
                               |  hci_conn_del_sysfs
                               |  hci_dev_put
                               |  hci_conn_put
                               |  put_device (last reference)
                               |  bt_link_release
                               |  kfree(conn)
    return p << just freed     |

Even if a hci_conn reference were taken (via hci_conn_get), that would
not guarantee the lifetime of the sysfs device, but only safe
access to the in-memory structure.

Ensure the hci_conn device stays valid while the rfcomm device
is reparented; rename rfcomm_get_device() to rfcomm_reparent_device()
and perform the reparenting within the function while holding the
hci_dev_lock.

Signed-off-by: Peter Hurley <[email protected]>
Tested-By: Alexander Holler <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python')
0 files changed, 0 insertions, 0 deletions
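
The locking rule from the commit message above, as an added example that is not part of the commit or of the kernel: a userspace C model in which deletion and lookup-plus-use take the same mutex, so the looked-up pointer is never used after the lock is dropped. The struct and function names (`conn_add`, `conn_del`, `reparent_child`) and the sample values are assumptions made for illustration.

```c
/* Added example: userspace model of the locking rule. Hypothetical names, not kernel code. */
#include <pthread.h>
#include <stdlib.h>

struct conn  { int addr, dev_id; struct conn *next; };      /* models hci_conn */
struct hdev  { pthread_mutex_t lock; struct conn *conns; }; /* lock models hci_dev_lock */
struct child { int parent_dev_id; };                        /* models the rfcomm device */

int conn_add(struct hdev *d, int addr, int dev_id)
{
    struct conn *c = malloc(sizeof(*c));
    if (!c)
        return -1;
    pthread_mutex_lock(&d->lock);
    *c = (struct conn){ addr, dev_id, d->conns };
    d->conns = c;
    pthread_mutex_unlock(&d->lock);
    return 0;
}

/* Unlink and free under the lock, so a holder of the lock never sees a freed conn. */
void conn_del(struct hdev *d, int addr)
{
    pthread_mutex_lock(&d->lock);
    for (struct conn **pp = &d->conns; *pp; pp = &(*pp)->next)
        if ((*pp)->addr == addr) {
            struct conn *dead = *pp;
            *pp = dead->next;
            free(dead);
            break;
        }
    pthread_mutex_unlock(&d->lock);
}

/* Lookup and use share one critical section: no conn pointer outlives the lock. */
int reparent_child(struct hdev *d, struct child *ch, int addr)
{
    int ret = -1;
    pthread_mutex_lock(&d->lock);
    for (struct conn *c = d->conns; c; c = c->next)
        if (c->addr == addr) {
            ch->parent_dev_id = c->dev_id;
            ret = 0;
            break;
        }
    pthread_mutex_unlock(&d->lock);
    return ret;
}
```

A caller that finds no matching connection gets -1 and the child is left untouched, which is the outcome the model gives when the deleting side wins the race.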