Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c327cddd authored Feb 18, 2014 by Michael Knudsen Committed by Johan Hedberg Mar 04, 2014

Bluetooth: Stop BCSP/H5 timer before cleaning up

When stopping BCSP/H5, stop the retransmission timer before proceeding
to clean up packet queues. The previous code had a race condition where
the timer could trigger after the packet lists and protocol structure
had been removed which led to dereferencing NULL or use-after-free bugs.

Signed-off-by: Michael Knudsen <m.knudsen@samsung.com>
Reported-by: Kirill Tkhai <ktkhai@parallels.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

parent 81ad6fd9

drivers/bluetooth/hci_bcsp.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -715,6 +715,9 @@ static int bcsp_open(struct hci_uart *hu)
		static int bcsp_close(struct hci_uart *hu)
		{
		struct bcsp_struct *bcsp = hu->priv;

		del_timer_sync(&bcsp->tbcsp);

		hu->priv = NULL;

		BT_DBG("hu %p", hu);
		@@ -722,7 +725,6 @@ static int bcsp_close(struct hci_uart *hu)
		skb_queue_purge(&bcsp->unack);
		skb_queue_purge(&bcsp->rel);
		skb_queue_purge(&bcsp->unrel);
		del_timer(&bcsp->tbcsp);

		kfree(bcsp);
		return 0;

drivers/bluetooth/hci_h5.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -206,12 +206,12 @@ static int h5_close(struct hci_uart *hu)
		{
		struct h5 *h5 = hu->priv;

		del_timer_sync(&h5->timer);

		skb_queue_purge(&h5->unack);
		skb_queue_purge(&h5->rel);
		skb_queue_purge(&h5->unrel);

		del_timer(&h5->timer);

		kfree(h5);

		return 0;