Re: [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
From: Johan Hovold <hidden>
Date: 2012-03-09 15:50:13
Also in:
lkml, netdev, stable
On Fri, Mar 09, 2012 at 04:43:25PM +0100, Johan Hovold wrote:
Do not close protocol driver until device has been unregistered. This fixes a race between tty_close and hci_dev_open which can result in a NULL-pointer dereference. The line discipline closes the protocol driver while we may still have hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer dereference when lock is acquired and hci_init_req called.
[...]
Cc: stable <redacted>
Signed-off-by: Johan Hovold <redacted>
David (Herrmann), I forgot to add your Reviewed-by on this one. Feel free to add it again if you want to.
Thanks,
Johan
--- drivers/bluetooth/hci_ldisc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index 97c5faa..5119c4b 100644 --- a/drivers/bluetooth/hci_ldisc.c +++ b/drivers/bluetooth/hci_ldisc.c@@ -309,11 +309,11 @@ static void hci_uart_tty_close(struct tty_struct *tty) hci_uart_close(hdev); if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) { - hu->proto->close(hu); if (hdev) { hci_unregister_dev(hdev); hci_free_dev(hdev); } + hu->proto->close(hu); } kfree(hu); }
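Review bot: with hu->proto->close(hu) now placed after hci_unregister_dev(hdev) and hci_free_dev(hdev), the protocol close callback runs on an hu whose hdev has already been unregistered and freed, so no proto close implementation may dereference hu->hdev; a one-line comment above the moved call (or a sentence in the commit message) stating that ordering requirement would stop the next reader from moving the call back up. While in this function, note that hci_uart_close(hdev) is called unconditionally just before the if (hdev) check, so either that guard is redundant or the earlier call lacks one; that inconsistency predates this patch but is visible in the same hunk.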