提交 033ace99 编写于 作者: P Peter Hurley 提交者: Marcel Holtmann

Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls

At least two different race conditions exist with multiple concurrent
RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls:
* Multiple concurrent RFCOMMCREATEDEVs with RFCOMM_REUSE_DLC can
  mistakenly share the same DLC.
* RFCOMMRELEASEDEV can destruct the rfcomm_dev still being
  constructed by RFCOMMCREATEDEV.

Introduce rfcomm_ioctl_mutex to serialize these add/remove operations.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Tested-By: NAlexander Holler <holler@ahsoftware.de>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
上级 7611fced
...@@ -40,6 +40,7 @@ ...@@ -40,6 +40,7 @@
#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */ #define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0 #define RFCOMM_TTY_MINOR 0
static DEFINE_MUTEX(rfcomm_ioctl_mutex);
static struct tty_driver *rfcomm_tty_driver; static struct tty_driver *rfcomm_tty_driver;
struct rfcomm_dev { struct rfcomm_dev {
...@@ -373,7 +374,7 @@ static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size ...@@ -373,7 +374,7 @@ static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size
#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP)) #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
static int rfcomm_create_dev(struct sock *sk, void __user *arg) static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
{ {
struct rfcomm_dev_req req; struct rfcomm_dev_req req;
struct rfcomm_dlc *dlc; struct rfcomm_dlc *dlc;
...@@ -423,7 +424,7 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg) ...@@ -423,7 +424,7 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
return id; return id;
} }
static int rfcomm_release_dev(void __user *arg) static int __rfcomm_release_dev(void __user *arg)
{ {
struct rfcomm_dev_req req; struct rfcomm_dev_req req;
struct rfcomm_dev *dev; struct rfcomm_dev *dev;
...@@ -466,6 +467,28 @@ static int rfcomm_release_dev(void __user *arg) ...@@ -466,6 +467,28 @@ static int rfcomm_release_dev(void __user *arg)
return 0; return 0;
} }
static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
int ret;
mutex_lock(&rfcomm_ioctl_mutex);
ret = __rfcomm_create_dev(sk, arg);
mutex_unlock(&rfcomm_ioctl_mutex);
return ret;
}
static int rfcomm_release_dev(void __user *arg)
{
int ret;
mutex_lock(&rfcomm_ioctl_mutex);
ret = __rfcomm_release_dev(arg);
mutex_unlock(&rfcomm_ioctl_mutex);
return ret;
}
static int rfcomm_get_dev_list(void __user *arg) static int rfcomm_get_dev_list(void __user *arg)
{ {
struct rfcomm_dev *dev; struct rfcomm_dev *dev;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册