Bluetooth: Stop BCSP/H5 timer before cleaning up When stopping BCSP/H5, stop the retransmission timer before proceeding to clean up packet queues. The previous code had a race condition where the timer could trigger after the packet lists and protocol structure had been removed which led to dereferencing NULL or use-after-free bugs. Signed-off-by: Michael Knudsen <m.knudsen@samsung.com> Reported-by: Kirill Tkhai <ktkhai@parallels.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

commit: c327cddd184059d018b12d7ef818ba0961200079 [log] [tgz]
author: Michael Knudsen <m.knudsen@samsung.com> Tue Feb 18 09:48:08 2014 +0100
committer: Johan Hedberg <johan.hedberg@intel.com> Tue Mar 04 11:03:14 2014 +0200
tree: 61434dce7c8a233fbdf0f2c6103c27321202cb1f
parent: 81ad6fd9698f659dbabdc6cd3e1667a98eb2be3b [diff] [blame]
diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index 0bc87f7..eee2fb2 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c

@@ -715,6 +715,9 @@
 static int bcsp_close(struct hci_uart *hu)
 {
 	struct bcsp_struct *bcsp = hu->priv;
+
+	del_timer_sync(&bcsp->tbcsp);
+
 	hu->priv = NULL;
 
 	BT_DBG("hu %p", hu);
@@ -722,7 +725,6 @@
 	skb_queue_purge(&bcsp->unack);
 	skb_queue_purge(&bcsp->rel);
 	skb_queue_purge(&bcsp->unrel);
-	del_timer(&bcsp->tbcsp);
 
 	kfree(bcsp);
 	return 0;
commit	c327cddd184059d018b12d7ef818ba0961200079	[log] [tgz]
author	Michael Knudsen <m.knudsen@samsung.com>	Tue Feb 18 09:48:08 2014 +0100
committer	Johan Hedberg <johan.hedberg@intel.com>	Tue Mar 04 11:03:14 2014 +0200
tree	61434dce7c8a233fbdf0f2c6103c27321202cb1f
parent	81ad6fd9698f659dbabdc6cd3e1667a98eb2be3b [diff] [blame]