Commit 0338b1b3 authored Oct 25, 2017 by Ronald Tschalär Committed by Marcel Holtmann Oct 30, 2017

Bluetooth: hci_ldisc: Fix another race when closing the tty.



The following race condition still existed:

         P1                                P2
  cancel_work_sync()
                                     hci_uart_tx_wakeup()
                                     hci_uart_write_work()
                                     hci_uart_dequeue()
  clear_bit(HCI_UART_PROTO_READY)
  hci_unregister_dev(hdev)
  hci_free_dev(hdev)
  hu->proto->close(hu)
  kfree(hu)
                                     access to hdev and hu

Cancelling the work after clearing the HCI_UART_PROTO_READY bit avoids
this as any hci_uart_tx_wakeup() issued after the flag is cleared will
detect that and not schedule further work.

Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

parent 459232fc

drivers/bluetooth/hci_ldisc.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -523,13 +523,13 @@ static void hci_uart_tty_close(struct tty_struct *tty)
		if (hdev)
		hci_uart_close(hdev);

		cancel_work_sync(&hu->write_work);

		if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
		percpu_down_write(&hu->proto_lock);
		clear_bit(HCI_UART_PROTO_READY, &hu->flags);
		percpu_up_write(&hu->proto_lock);

		cancel_work_sync(&hu->write_work);

		if (hdev) {
		if (test_bit(HCI_UART_REGISTERED, &hu->flags))
		hci_unregister_dev(hdev);