tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

When hci_register_dev() fails in hci_uart_register_dev()
HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu)
and setting hu->hdev to NULL. This means incoming UART data will reach
the protocol-specific recv handler in hci_uart_tty_receive() after
resources are freed.

Clear HCI_UART_PROTO_INIT with a write lock before calling
hu->proto->close() and setting hu->hdev to NULL. The write lock ensures
all active readers have completed and no new reader can enter the
protocol recv path before resources are freed.

This allows the protocol-specific recv functions to remove the
"HCI_UART_REGISTERED" guard without risking a null pointer dereference
if hci_register_dev() fails.

Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
Signed-off-by: Jonathan Rissanen <jonathan.rissanen@axis.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

authored by

Jonathan Rissanen and committed by
Luiz Augusto von Dentz 68d39ea5 d288f4db

+3
+3
drivers/bluetooth/hci_ldisc.c
··· 692 692 693 693 if (hci_register_dev(hdev) < 0) { 694 694 BT_ERR("Can't register HCI device"); 695 + percpu_down_write(&hu->proto_lock); 696 + clear_bit(HCI_UART_PROTO_INIT, &hu->flags); 697 + percpu_up_write(&hu->proto_lock); 695 698 hu->proto->close(hu); 696 699 hu->hdev = NULL; 697 700 hci_free_dev(hdev);