[Bluetooth] Check that device is in rfcomm_dev_list before deleting

If RFCOMM_RELEASE_ONHUP flag is on and rfcomm_release_dev is called before connection is closed, rfcomm_dev is deleted twice from the rfcomm_dev_list and refcount is messed up. This patch adds a check before deleting device that the device actually is listed. Signed-off-by: N Ville Tervo <ville.tervo@nokia.com> Signed-off-by: N Marcel Holtmann <marcel@holtmann.org>

[Bluetooth] Check that device is in rfcomm_dev_list before deleting
If RFCOMM_RELEASE_ONHUP flag is on and rfcomm_release_dev is called before connection is closed, rfcomm_dev is deleted twice from the rfcomm_dev_list and refcount is messed up. This patch adds a check before deleting device that the device actually is listed. Signed-off-by: N Ville Tervo <ville.tervo@nokia.com> Signed-off-by: N Marcel Holtmann <marcel@holtmann.org>
77f2a45f · Marcel Holtmann · 48db9ca4 · 77f2a45f
隐藏空白更改
内联并排

Showing with 8 addition and 3 deletion

net/bluetooth/rfcomm/tty.c net/bluetooth/rfcomm/tty.c +8 -3

未找到文件。
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -517,9 +517,10 @@ static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
 	if (dlc->state == BT_CLOSED) {
 		if (!dev->tty) {
 			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
-				rfcomm_dev_hold(dev);
+				if (rfcomm_dev_get(dev->id) == NULL)
-				rfcomm_dev_del(dev);
+					return;
+				rfcomm_dev_del(dev);
 				/* We have to drop DLC lock here, otherwise
 				   rfcomm_dev_put() will dead lock if it's
 				   the last reference. */
@@ -974,8 +975,12 @@ static void rfcomm_tty_hangup(struct tty_struct *tty)
 	rfcomm_tty_flush_buffer(tty);
-	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
+	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
+		if (rfcomm_dev_get(dev->id) == NULL)
+			return;
 		rfcomm_dev_del(dev);
+		rfcomm_dev_put(dev);
+	}
 }
 static int rfcomm_tty_read_proc(char *buf, char **start, off_t offset, int len, int *eof, void *unused)