Bluetooth: Add locking scheme to L2CAP timeout callbacks
Avoid race conditions when accessing the L2CAP socket from within the
timeout handlers.
Signed-off-by: Gustavo F. Padovan <gustavo@las.ic.unicamp.br>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index c04526f..efac637 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1192,6 +1192,7 @@
struct sock *sk = (void *) arg;
u16 control;
+ bh_lock_sock(sk);
if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
return;
@@ -1203,6 +1204,7 @@
control = L2CAP_CTRL_POLL;
control |= L2CAP_SUPER_RCV_READY;
l2cap_send_sframe(l2cap_pi(sk), control);
+ bh_unlock_sock(sk);
}
static void l2cap_retrans_timeout(unsigned long arg)
@@ -1210,6 +1212,7 @@
struct sock *sk = (void *) arg;
u16 control;
+ bh_lock_sock(sk);
l2cap_pi(sk)->retry_count = 1;
__mod_monitor_timer();
@@ -1218,6 +1221,7 @@
control = L2CAP_CTRL_POLL;
control |= L2CAP_SUPER_RCV_READY;
l2cap_send_sframe(l2cap_pi(sk), control);
+ bh_unlock_sock(sk);
}
static void l2cap_drop_acked_frames(struct sock *sk)