From c327cddd184059d018b12d7ef818ba0961200079 Mon Sep 17 00:00:00 2001 From: Michael Knudsen Date: Tue, 18 Feb 2014 09:48:08 +0100 Subject: Bluetooth: Stop BCSP/H5 timer before cleaning up When stopping BCSP/H5, stop the retransmission timer before proceeding to clean up packet queues. The previous code had a race condition where the timer could trigger after the packet lists and protocol structure had been removed which led to dereferencing NULL or use-after-free bugs. Signed-off-by: Michael Knudsen Reported-by: Kirill Tkhai Signed-off-by: Johan Hedberg --- drivers/bluetooth/hci_bcsp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/bluetooth/hci_bcsp.c') diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 0bc87f7abd95..eee2fb23b3bf 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu) static int bcsp_close(struct hci_uart *hu) { struct bcsp_struct *bcsp = hu->priv; + + del_timer_sync(&bcsp->tbcsp); + hu->priv = NULL; BT_DBG("hu %p", hu); @@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu) skb_queue_purge(&bcsp->unack); skb_queue_purge(&bcsp->rel); skb_queue_purge(&bcsp->unrel); - del_timer(&bcsp->tbcsp); kfree(bcsp); return 0; -- cgit v1.2.3 From a08b15e66e8ec700992641cf8ec015032e8365c8 Mon Sep 17 00:00:00 2001 From: Valentin Ilie Date: Mon, 12 Aug 2013 18:46:00 +0300 Subject: Bluetooth: Remove assignments in if-statements Remove assignment in if-statements to be consistent with the coding style. Signed-off-by: Valentin Ilie Signed-off-by: Johan Hedberg --- drivers/bluetooth/hci_bcsp.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) (limited to 'drivers/bluetooth/hci_bcsp.c') diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index eee2fb23b3bf..21cc45b34f13 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -291,7 +291,8 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu) /* First of all, check for unreliable messages in the queue, since they have priority */ - if ((skb = skb_dequeue(&bcsp->unrel)) != NULL) { + skb = skb_dequeue(&bcsp->unrel); + if (skb != NULL) { struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len, bt_cb(skb)->pkt_type); if (nskb) { kfree_skb(skb); @@ -308,16 +309,20 @@ static struct sk_buff *bcsp_dequeue(struct hci_uart *hu) spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING); - if (bcsp->unack.qlen < BCSP_TXWINSIZE && (skb = skb_dequeue(&bcsp->rel)) != NULL) { - struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len, bt_cb(skb)->pkt_type); - if (nskb) { - __skb_queue_tail(&bcsp->unack, skb); - mod_timer(&bcsp->tbcsp, jiffies + HZ / 4); - spin_unlock_irqrestore(&bcsp->unack.lock, flags); - return nskb; - } else { - skb_queue_head(&bcsp->rel, skb); - BT_ERR("Could not dequeue pkt because alloc_skb failed"); + if (bcsp->unack.qlen < BCSP_TXWINSIZE) { + skb = skb_dequeue(&bcsp->rel); + if (skb != NULL) { + struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len, + bt_cb(skb)->pkt_type); + if (nskb) { + __skb_queue_tail(&bcsp->unack, skb); + mod_timer(&bcsp->tbcsp, jiffies + HZ / 4); + spin_unlock_irqrestore(&bcsp->unack.lock, flags); + return nskb; + } else { + skb_queue_head(&bcsp->rel, skb); + BT_ERR("Could not dequeue pkt because alloc_skb failed"); + } } } -- cgit v1.2.3