From: Mat Martineau <mathewm@codeaurora.org>
To: linux-bluetooth@vger.kernel.org, gustavo@padovan.org,
marcel@holtmann.org
Cc: pkrystad@codeaurora.org, ulisses@profusion.mobi,
andrei.emeltchenko.news@gmail.com
Subject: [PATCH 2/4] Bluetooth: Restore locking semantics when looking up L2CAP channels
Date: Wed, 2 May 2012 09:42:00 -0700
Message-ID: <1335976922-19456-3-git-send-email-mathewm@codeaurora.org>
In-Reply-To: <1335976922-19456-1-git-send-email-mathewm@codeaurora.org>
As the comment for l2cap_get_chan_by_scid indicated, the function used
to return a locked socket. The lock for the socket was acquired while
the channel list was also locked.

When locking was moved over to the l2cap_chan structure, the channel
lock was no longer acquired with the channel list still locked. This
made it possible for the l2cap_chan to be deleted after
conn->chan_lock was released but before l2cap_chan_lock was called.

Making the call to l2cap_chan_lock before releasing conn->chan_lock
makes it impossible for the l2cap_chan to be deleted at the wrong
time.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
---
net/bluetooth/l2cap_core.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 5d556b0..813cf06 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -98,13 +98,15 @@ static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16
}
/* Find channel with given SCID.
- * Returns locked socket */
+ * Returns locked channel. */
static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
{
struct l2cap_chan *c;
mutex_lock(&conn->chan_lock);
c = __l2cap_get_chan_by_scid(conn, cid);
+ if (c)
+ l2cap_chan_lock(c);
mutex_unlock(&conn->chan_lock);
return c;
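Review bot: the new comment should also state that the caller owns the channel lock and must call l2cap_chan_unlock(), since every caller of l2cap_get_chan_by_scid() now receives a locked channel and a caller that still takes the lock itself would deadlock; suggest "* Returns locked channel; caller must call l2cap_chan_unlock(). */". Taking the channel lock while conn->chan_lock is held also fixes the lock order as conn->chan_lock -> chan lock, so it is worth confirming no path acquires conn->chan_lock while already holding a channel lock.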
@@ -3141,8 +3143,6 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
if (!chan)
return -ENOENT;
- l2cap_chan_lock(chan);
-
if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
struct l2cap_cmd_rej_cid rej;
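Review bot: the early `return -ENOENT` on `!chan` stays correct because the lookup only locks a non-NULL channel, but the l2cap_chan_unlock() calls on the later exit paths of l2cap_config_req(), including the rejection branch starting here, are outside the hunk and must be re-checked so that each path that previously balanced the removed l2cap_chan_lock() still unlocks exactly once.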
@@ -3255,8 +3255,6 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
if (!chan)
return 0;
- l2cap_chan_lock(chan);
-
switch (result) {
case L2CAP_CONF_SUCCESS:
l2cap_conf_rfc_get(chan, rsp->data, len);
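Review bot: the context does not show which lookup precedes `if (!chan)` in l2cap_config_rsp(); the removal is only safe if that lookup is l2cap_get_chan_by_scid() rather than the unlocked __l2cap_get_chan_by_scid() or another helper, so the commit message would benefit from naming the three call sites being converted and that all of them use l2cap_get_chan_by_scid().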
@@ -4589,8 +4587,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
return 0;
}
- l2cap_chan_lock(chan);
-
BT_DBG("chan %p, len %d", chan, skb->len);
if (chan->state != BT_CONNECTED)
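Review bot: with the lock now taken inside the lookup, BT_DBG() and the `chan->state != BT_CONNECTED` check run under the channel lock exactly as before, which is the intended behaviour; the drop path that ends in `return 0; }` above the removed lines must still apply only to the NULL-channel case, since a non-NULL channel reaching it would now be returned to the caller locked without a matching unlock.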
--
1.7.10
--
Mat Martineau
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum