Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 844e4b76 authored by David Herrmann's avatar David Herrmann Committed by Gustavo Padovan
Browse files

Bluetooth: bcm203x: Fix race condition on disconnect 



When disconnecting a bcm203x device we kill and destroy the usb-urb, however,
there might still be a pending work-structure which resubmits the now invalid
urb. To avoid this race condition, we simply set a shutdown-flag and
synchronously kill the worker first.

This also adds a comment to all schedule_work()s, as it is really not clear
that they are used as replacement for short timers (which can be seen in the git
history).

Signed-off-by: default avatarDavid Herrmann <dh.herrmann@googlemail.com>
Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: default avatarGustavo F. Padovan <padovan@profusion.mobi>
parent 52a1020e

drivers/bluetooth/bcm203x.c

+10 −0
Original line number Diff line number Diff line
@@ -24,6 +24,7 @@ 


#include <linux/module.h>



#include <linux/atomic.h>

#include <linux/kernel.h>

#include <linux/init.h>

#include <linux/slab.h>
@@ -65,6 +66,7 @@ struct bcm203x_data { 
	unsigned long		state;



	struct work_struct	work;

	atomic_t		shutdown;



	struct urb		*urb;

	unsigned char		*buffer;
@@ -97,6 +99,7 @@ static void bcm203x_complete(struct urb *urb) 


		data->state = BCM203X_SELECT_MEMORY;



		/* use workqueue to have a small delay */

		schedule_work(&data->work);

		break;
@@ -155,6 +158,9 @@ static void bcm203x_work(struct work_struct *work) 
	struct bcm203x_data *data =

		container_of(work, struct bcm203x_data, work);



	if (atomic_read(&data->shutdown))

		return;



	if (usb_submit_urb(data->urb, GFP_ATOMIC) < 0)

		BT_ERR("Can't submit URB");

}
@@ -243,6 +249,7 @@ static int bcm203x_probe(struct usb_interface *intf, const struct usb_device_id 


	usb_set_intfdata(intf, data);



	/* use workqueue to have a small delay */

	schedule_work(&data->work);



	return 0;
@@ -254,6 +261,9 @@ static void bcm203x_disconnect(struct usb_interface *intf) 


	BT_DBG("intf %p", intf);



	atomic_inc(&data->shutdown);

	cancel_work_sync(&data->work);



	usb_kill_urb(data->urb);



	usb_set_intfdata(intf, NULL);