Thread (2 messages, 1 author, 2012-03-09)

Re: [PATCH 2/3] bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close

From: Johan Hovold <hidden>
Date: 2012-03-09 15:50:13
Also in: linux-bluetooth, lkml, netdev

On Fri, Mar 09, 2012 at 04:43:25PM +0100, Johan Hovold wrote:
Do not close protocol driver until device has been unregistered.

This fixes a race between tty_close and hci_dev_open which can result in
a NULL-pointer dereference.

The line discipline closes the protocol driver while we may still have
hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
dereference when lock is acquired and hci_init_req called.
[...]
Cc: stable <redacted>
Signed-off-by: Johan Hovold <redacted>
David (Herrmann), I forgot to add your Reviewed-by on this one. Feel
free to add it again if you want to.

Thanks,
Johan
---
 drivers/bluetooth/hci_ldisc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 97c5faa..5119c4b 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -309,11 +309,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
 			hci_uart_close(hdev);
 
 		if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
-			hu->proto->close(hu);
 			if (hdev) {
 				hci_unregister_dev(hdev);
 				hci_free_dev(hdev);
 			}
+			hu->proto->close(hu);
 		}
 		kfree(hu);
 	}
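Review bot: the new order is only safe if hci_unregister_dev(hdev) does not return while an hci_dev_open() is still sleeping on req_lock; the commit message describes the race but not that property, so one sentence saying why unregister waits the opener out (it has to take req_lock itself to close the device) would let a reader see from the hunk alone why moving `hu->proto->close(hu);` below the `if (hdev)` block closes the window. Second, `hu->proto->close(hu);` now runs after `hci_free_dev(hdev);`, so a protocol close callback that still reaches hdev through hu would turn the NULL dereference into a use-after-free; worth stating in the message that none of the protocol drivers touch hdev in close.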
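The two orderings, as a constructed C model added here to illustrate the race the commit message describes; this is not the patch's code nor the kernel's. The struct layouts, the `priv` field and the names `pending_open_runs`, `model_unregister_dev`, `tty_close_before_patch`, `tty_close_after_patch` and `run_racing_scenario` are assumptions of the model, and the model assumes, as the patch relies on, that unregistering the device runs any open already waiting on req_lock to completion before it returns. "Sleeping on req_lock" is modelled as a pending flag that unregister drains, and the crash is reported as a return code instead of a fault.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the hci_ldisc tty_close / hci_dev_open race.
 * Names and layouts are simplifications, not kernel definitions. */

#define MODEL_OK          0
#define MODEL_NULL_DEREF -1   /* the opener would dereference NULL */

struct hci_uart;

struct hci_uart_proto {
	int (*flush)(struct hci_uart *hu);   /* reached from the open/init path */
	int (*close)(struct hci_uart *hu);   /* tears down protocol-private state */
};

struct hci_dev {
	int open_pending;   /* 1: an open is sleeping on req_lock (model assumption) */
	int registered;
};

struct hci_uart {
	const struct hci_uart_proto *proto;
	void *priv;          /* protocol-private state, freed by proto->close */
	struct hci_dev *hdev;
};

/* The opener, once it obtains req_lock, runs the init request, which in
 * this model goes through the protocol-private state. */
static int pending_open_runs(struct hci_uart *hu)
{
	if (!hu->priv)
		return MODEL_NULL_DEREF;
	return hu->proto->flush(hu);
}

/* Model assumption: unregistering closes the device under req_lock, so an
 * opener already waiting on that lock has run before this returns. */
static int model_unregister_dev(struct hci_uart *hu)
{
	int ret = MODEL_OK;

	if (hu->hdev->open_pending) {
		hu->hdev->open_pending = 0;
		ret = pending_open_runs(hu);
	}
	hu->hdev->registered = 0;
	return ret;
}

static int model_proto_flush(struct hci_uart *hu)
{
	(void)hu;
	return MODEL_OK;
}

static int model_proto_close(struct hci_uart *hu)
{
	free(hu->priv);
	hu->priv = NULL;   /* what the waiting opener later trips over */
	return MODEL_OK;
}

static const struct hci_uart_proto model_proto = {
	.flush = model_proto_flush,
	.close = model_proto_close,
};

/* Ordering before the patch: protocol closed, then device unregistered. */
static int tty_close_before_patch(struct hci_uart *hu)
{
	int ret = hu->proto->close(hu);

	if (ret == MODEL_OK && hu->hdev)
		ret = model_unregister_dev(hu);   /* pending open now sees priv == NULL */
	return ret;
}

/* Ordering after the patch: device unregistered, then protocol closed. */
static int tty_close_after_patch(struct hci_uart *hu)
{
	int ret = MODEL_OK;

	if (hu->hdev)
		ret = model_unregister_dev(hu);   /* pending open runs against live state */
	if (ret == MODEL_OK)
		ret = hu->proto->close(hu);
	return ret;
}

/* Constructed scenario: registered device with one open blocked on req_lock.
 * Returns the model result code for the chosen ordering. */
static int run_racing_scenario(int with_patch)
{
	struct hci_dev hdev = { .open_pending = 1, .registered = 1 };
	struct hci_uart hu = { .proto = &model_proto, .priv = malloc(16), .hdev = &hdev };

	return with_patch ? tty_close_after_patch(&hu) : tty_close_before_patch(&hu);
}

int main(void)
{
	printf("before patch: %d\n", run_racing_scenario(0));   /* -1 */
	printf("after patch:  %d\n", run_racing_scenario(1));   /* 0 */
	return 0;
}
```

The model deliberately reduces the kernel's locking to one flag; what it preserves is the only ordering fact the patch depends on, namely that the opener's init path runs before unregister returns, so whatever proto->close frees must still be present at that point.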