Bluetooth: Fix the reference counting of tty_port (ece3150d) · Commits · e / devices / android_kernel_teracube_2e

net/bluetooth/rfcomm/tty.c

+12 −34

Original line number	Diff line number	Diff line
		@@ -324,23 +324,6 @@ static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
		return err;
		}

		static void rfcomm_dev_del(struct rfcomm_dev *dev)
		{
		unsigned long flags;
		BT_DBG("dev %p", dev);

		BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));

		spin_lock_irqsave(&dev->port.lock, flags);
		if (dev->port.count > 0) {
		spin_unlock_irqrestore(&dev->port.lock, flags);
		return;
		}
		spin_unlock_irqrestore(&dev->port.lock, flags);

		tty_port_put(&dev->port);
		}

		/* ---- Send buffer ---- */
		static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
		{
		@@ -454,8 +437,9 @@ static int rfcomm_release_dev(void __user *arg)
		tty_kref_put(tty);
		}

		if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
		rfcomm_dev_del(dev);
		if (!test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
		tty_port_put(&dev->port);

		tty_port_put(&dev->port);
		return 0;
		}
		@@ -607,6 +591,9 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
		* rfcomm_dev_lock -> dlc lock
		* 2. tty_port_put will deadlock if it's
		* the last reference
		*
		* FIXME: when we release the lock anything
		* could happen to dev, even its destruction
		*/
		rfcomm_dlc_unlock(dlc);
		if (rfcomm_dev_get(dev->id) == NULL) {
		@@ -614,7 +601,10 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
		return;
		}

		rfcomm_dev_del(dev);
		if (!test_and_set_bit(RFCOMM_TTY_RELEASED,
		&dev->flags))
		tty_port_put(&dev->port);

		tty_port_put(&dev->port);
		rfcomm_dlc_lock(dlc);
		}
		@@ -741,16 +731,10 @@ static void rfcomm_tty_close(struct tty_struct tty, struct file filp)
		{
		struct rfcomm_dev dev = (struct rfcomm_dev ) tty->driver_data;

		if (!dev)
		return;

		BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
		dev->port.count);

		tty_port_close(&dev->port, tty, filp);

		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
		tty_port_put(&dev->port);
		}

		static int rfcomm_tty_write(struct tty_struct tty, const unsigned char buf, int count)
		@@ -1050,18 +1034,12 @@ static void rfcomm_tty_hangup(struct tty_struct *tty)

		BT_DBG("tty %p dev %p", tty, dev);

		if (!dev)
		return;

		tty_port_hangup(&dev->port);

		if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
		if (rfcomm_dev_get(dev->id) == NULL)
		return;
		rfcomm_dev_del(dev);
		if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags) &&
		!test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
		tty_port_put(&dev->port);
		}
		}

		static int rfcomm_tty_tiocmget(struct tty_struct *tty)
		{