提交 960603a5 编写于 作者: P Peter Hurley 提交者: Marcel Holtmann

Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl

When enumerating RFCOMM devices in the rfcomm_dev_list, holding
the rfcomm_dev_lock only guarantees the existence of the enumerated
rfcomm_dev in memory, and not safe access to its state. Testing
the device state (such as RFCOMM_TTY_RELEASED) does not guarantee
the device will remain in that state for the subsequent access
to the rfcomm_dev's fields, nor guarantee that teardown has not
commenced.

Obtain an rfcomm_dev reference for the duration of rfcomm_dev
access.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Tested-By: NAlexander Holler <holler@ahsoftware.de>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
上级 082a1532
...@@ -468,7 +468,7 @@ static int rfcomm_get_dev_list(void __user *arg) ...@@ -468,7 +468,7 @@ static int rfcomm_get_dev_list(void __user *arg)
spin_lock(&rfcomm_dev_lock); spin_lock(&rfcomm_dev_lock);
list_for_each_entry(dev, &rfcomm_dev_list, list) { list_for_each_entry(dev, &rfcomm_dev_list, list) {
if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) if (!tty_port_get(&dev->port))
continue; continue;
(di + n)->id = dev->id; (di + n)->id = dev->id;
(di + n)->flags = dev->flags; (di + n)->flags = dev->flags;
...@@ -476,6 +476,7 @@ static int rfcomm_get_dev_list(void __user *arg) ...@@ -476,6 +476,7 @@ static int rfcomm_get_dev_list(void __user *arg)
(di + n)->channel = dev->channel; (di + n)->channel = dev->channel;
bacpy(&(di + n)->src, &dev->src); bacpy(&(di + n)->src, &dev->src);
bacpy(&(di + n)->dst, &dev->dst); bacpy(&(di + n)->dst, &dev->dst);
tty_port_put(&dev->port);
if (++n >= dev_num) if (++n >= dev_num)
break; break;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册