From: Peter Hurley <peter@hurleysoftware.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Gianluca Anzolin <gianluca@sottospazio.it>,
Alexander Holler <holler@ahsoftware.de>,
Andrey Vihrov <andrey.vihrov@gmail.com>,
Sander Eikelenboom <linux@eikelenboom.it>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 08/24] Bluetooth: Fix unreleased rfcomm_dev reference
Date: Sun, 9 Feb 2014 20:59:08 -0500 [thread overview]
Message-ID: <1391997564-1805-9-git-send-email-peter@hurleysoftware.com> (raw)
In-Reply-To: <1391997564-1805-1-git-send-email-peter@hurleysoftware.com>
When RFCOMM_RELEASE_ONHUP is set, the rfcomm tty driver 'takes over'
the initial rfcomm_dev reference created by the RFCOMMCREATEDEV ioctl.
The assumption is that the rfcomm tty driver will release the
rfcomm_dev reference when the tty is freed (in rfcomm_tty_cleanup()).
However, if the tty is never opened, the 'take over' never occurs,
so when RFCOMMRELEASEDEV ioctl is called, the reference is not
released.
Track the state of the reference 'take over' so that the release
is guaranteed by either the RFCOMMRELEASEDEV ioctl or the rfcomm tty
driver.
Note that the synchronous hangup in rfcomm_release_dev() ensures
that rfcomm_tty_install() cannot race with the RFCOMMRELEASEDEV ioctl.
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
include/net/bluetooth/rfcomm.h | 1 +
net/bluetooth/rfcomm/tty.c | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index 29d9727..6f3fbc5 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -332,6 +332,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel,
/* rfcomm_dev.status bit definitions */
#define RFCOMM_DEV_RELEASED 0
+#define RFCOMM_TTY_OWNED 1
struct rfcomm_dev_req {
s16 dev_id;
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index d9d4bc8..bb570d9 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -441,7 +441,7 @@ static int rfcomm_release_dev(void __user *arg)
tty_kref_put(tty);
}
- if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
+ if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
tty_port_put(&dev->port);
tty_port_put(&dev->port);
@@ -685,8 +685,10 @@ static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
* when the last process closes the tty. The behaviour is expected by
* userspace.
*/
- if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
+ if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
+ set_bit(RFCOMM_TTY_OWNED, &dev->status);
tty_port_put(&dev->port);
+ }
return 0;
}
--
1.8.1.2
next prev parent reply other threads:[~2014-02-10 2:25 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-10 1:59 [PATCH 00/24] rfcomm fixes Peter Hurley
2014-02-10 1:59 ` [PATCH 01/24] Revert "Bluetooth: Remove rfcomm_carrier_raised()" Peter Hurley
2014-02-10 1:59 ` [PATCH 02/24] Revert "Bluetooth: Always wait for a connection on RFCOMM open()" Peter Hurley
2014-02-10 1:59 ` [PATCH 03/24] Revert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()" Peter Hurley
2014-02-10 1:59 ` [PATCH 04/24] tty: Fix ref counting for port krefs Peter Hurley
2014-02-13 18:36 ` Greg Kroah-Hartman
2014-02-10 1:59 ` [PATCH 05/24] Bluetooth: Fix racy acquire of rfcomm_dev reference Peter Hurley
2014-02-10 1:59 ` [PATCH 06/24] Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl Peter Hurley
2014-02-10 1:59 ` [PATCH 07/24] Bluetooth: Release rfcomm_dev only once Peter Hurley
2014-02-10 1:59 ` Peter Hurley [this message]
2014-02-10 1:59 ` [PATCH 09/24] Bluetooth: Fix RFCOMM tty teardown race Peter Hurley
2014-02-10 1:59 ` [PATCH 10/24] Bluetooth: Verify dlci not in use before rfcomm_dev create Peter Hurley
2014-02-10 1:59 ` [PATCH 11/24] Bluetooth: Simplify RFCOMM session state eval Peter Hurley
2014-02-10 1:59 ` [PATCH 12/24] Bluetooth: Refactor deferred setup test in rfcomm_dlc_close() Peter Hurley
2014-02-10 1:59 ` [PATCH 13/24] Bluetooth: Refactor dlc disconnect logic " Peter Hurley
2014-02-10 1:59 ` [PATCH 14/24] Bluetooth: Directly close dlc for not yet started RFCOMM session Peter Hurley
2014-02-10 1:59 ` [PATCH 15/24] Bluetooth: Fix unsafe RFCOMM device parenting Peter Hurley
2014-02-10 1:59 ` [PATCH 16/24] Bluetooth: Fix RFCOMM parent device for reused dlc Peter Hurley
2014-02-10 1:59 ` [PATCH 17/24] Bluetooth: Rename __rfcomm_dev_get() to __rfcomm_dev_lookup() Peter Hurley
2014-02-10 1:59 ` [PATCH 18/24] Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls Peter Hurley
2014-02-10 1:59 ` [PATCH 19/24] Bluetooth: Refactor rfcomm_dev_add() Peter Hurley
2014-02-10 1:59 ` [PATCH 20/24] Bluetooth: Cleanup RFCOMM device registration error handling Peter Hurley
2014-02-10 1:59 ` [PATCH 21/24] Bluetooth: Force -EIO from tty read/write if .activate() fails Peter Hurley
2014-02-10 1:59 ` [PATCH 22/24] Bluetooth: Don't fail RFCOMM tty writes Peter Hurley
2014-02-10 1:59 ` [PATCH 23/24] Bluetooth: Refactor write_room() calculation Peter Hurley
2014-02-10 1:59 ` [PATCH 24/24] Bluetooth: Fix " Peter Hurley
2014-02-10 22:09 ` [PATCH 00/24] rfcomm fixes Marcel Holtmann
2014-02-10 22:09 ` Marcel Holtmann
2014-02-10 23:00 ` Peter Hurley
2014-02-10 23:00 ` Peter Hurley
2014-02-12 22:58 ` Marcel Holtmann
2014-02-12 22:58 ` Marcel Holtmann
2014-02-13 0:38 ` Peter Hurley
2014-02-13 0:38 ` Peter Hurley
2014-02-13 21:48 ` Alexander Holler
2014-02-13 21:48 ` Alexander Holler
2014-02-12 11:06 ` Sander Eikelenboom
2014-02-12 11:06 ` Sander Eikelenboom
2014-03-03 19:38 ` Sander Eikelenboom
2014-03-03 19:38 ` Sander Eikelenboom
2014-03-10 8:38 ` [RC6 Bell Chime] " Sander Eikelenboom
2014-03-10 8:38 ` Sander Eikelenboom
2014-03-10 15:08 ` John W. Linville
2014-03-10 15:08 ` John W. Linville
2014-03-11 15:14 ` [RC6 Bell Chime] " Marcel Holtmann
2014-03-11 15:14 ` Marcel Holtmann
2014-03-14 0:49 ` Sander Eikelenboom
2014-03-14 0:49 ` Sander Eikelenboom
2014-03-14 1:28 ` Marcel Holtmann
2014-03-14 1:28 ` Marcel Holtmann
2014-03-14 1:29 ` Peter Hurley
2014-03-14 1:29 ` Peter Hurley
2014-03-15 13:51 ` Sander Eikelenboom
2014-03-15 13:51 ` Sander Eikelenboom
2014-03-15 17:53 ` Linus Torvalds
2014-03-15 17:53 ` Linus Torvalds
2014-03-15 20:45 ` Peter Hurley
2014-03-15 20:45 ` Peter Hurley
2014-03-15 22:20 ` Sander Eikelenboom
2014-03-15 22:20 ` Sander Eikelenboom
2014-03-16 0:16 ` Linus Torvalds
2014-03-16 0:16 ` Linus Torvalds
2014-02-13 21:41 ` Alexander Holler
2014-02-14 21:45 ` Marcel Holtmann
2014-02-14 21:45 ` Marcel Holtmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1391997564-1805-9-git-send-email-peter@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=andrey.vihrov@gmail.com \
--cc=gianluca@sottospazio.it \
--cc=gustavo@padovan.org \
--cc=holler@ahsoftware.de \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@eikelenboom.it \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.