[PATCH 06/24] Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Peter Hurley <peter@hurleysoftware.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	Gianluca Anzolin <gianluca@sottospazio.it>,
	Alexander Holler <holler@ahsoftware.de>,
	Andrey Vihrov <andrey.vihrov@gmail.com>,
	Sander Eikelenboom <linux@eikelenboom.it>,
	linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
	Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 06/24] Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl
Date: Sun,  9 Feb 2014 20:59:06 -0500	[thread overview]
Message-ID: <1391997564-1805-7-git-send-email-peter@hurleysoftware.com> (raw)
In-Reply-To: <1391997564-1805-1-git-send-email-peter@hurleysoftware.com>

When enumerating RFCOMM devices in the rfcomm_dev_list, holding
the rfcomm_dev_lock only guarantees the existence of the enumerated
rfcomm_dev in memory, and not safe access to its state. Testing
the device state (such as RFCOMM_TTY_RELEASED) does not guarantee
the device will remain in that state for the subsequent access
to the rfcomm_dev's fields, nor guarantee that teardown has not
commenced.

Obtain an rfcomm_dev reference for the duration of rfcomm_dev
access.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 net/bluetooth/rfcomm/tty.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 7cf193f..b385d99 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -468,7 +468,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 	spin_lock(&rfcomm_dev_lock);
 
 	list_for_each_entry(dev, &rfcomm_dev_list, list) {
-		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
+		if (!tty_port_get(&dev->port))
 			continue;
 		(di + n)->id      = dev->id;
 		(di + n)->flags   = dev->flags;
@@ -476,6 +476,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 		(di + n)->channel = dev->channel;
 		bacpy(&(di + n)->src, &dev->src);
 		bacpy(&(di + n)->dst, &dev->dst);
+		tty_port_put(&dev->port);
 		if (++n >= dev_num)
 			break;
 	}
-- 
1.8.1.2

next prev parent reply	other threads:[~2014-02-10  2:23 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-10  1:59 [PATCH 00/24] rfcomm fixes Peter Hurley
2014-02-10  1:59 ` [PATCH 01/24] Revert "Bluetooth: Remove rfcomm_carrier_raised()" Peter Hurley
2014-02-10  1:59 ` [PATCH 02/24] Revert "Bluetooth: Always wait for a connection on RFCOMM open()" Peter Hurley
2014-02-10  1:59 ` [PATCH 03/24] Revert "Bluetooth: Move rfcomm_get_device() before rfcomm_dev_activate()" Peter Hurley
2014-02-10  1:59 ` [PATCH 04/24] tty: Fix ref counting for port krefs Peter Hurley
2014-02-13 18:36   ` Greg Kroah-Hartman
2014-02-10  1:59 ` [PATCH 05/24] Bluetooth: Fix racy acquire of rfcomm_dev reference Peter Hurley
2014-02-10  1:59 ` Peter Hurley [this message]
2014-02-10  1:59 ` [PATCH 07/24] Bluetooth: Release rfcomm_dev only once Peter Hurley
2014-02-10  1:59 ` [PATCH 08/24] Bluetooth: Fix unreleased rfcomm_dev reference Peter Hurley
2014-02-10  1:59 ` [PATCH 09/24] Bluetooth: Fix RFCOMM tty teardown race Peter Hurley
2014-02-10  1:59 ` [PATCH 10/24] Bluetooth: Verify dlci not in use before rfcomm_dev create Peter Hurley
2014-02-10  1:59 ` [PATCH 11/24] Bluetooth: Simplify RFCOMM session state eval Peter Hurley
2014-02-10  1:59 ` [PATCH 12/24] Bluetooth: Refactor deferred setup test in rfcomm_dlc_close() Peter Hurley
2014-02-10  1:59 ` [PATCH 13/24] Bluetooth: Refactor dlc disconnect logic " Peter Hurley
2014-02-10  1:59 ` [PATCH 14/24] Bluetooth: Directly close dlc for not yet started RFCOMM session Peter Hurley
2014-02-10  1:59 ` [PATCH 15/24] Bluetooth: Fix unsafe RFCOMM device parenting Peter Hurley
2014-02-10  1:59 ` [PATCH 16/24] Bluetooth: Fix RFCOMM parent device for reused dlc Peter Hurley
2014-02-10  1:59 ` [PATCH 17/24] Bluetooth: Rename __rfcomm_dev_get() to __rfcomm_dev_lookup() Peter Hurley
2014-02-10  1:59 ` [PATCH 18/24] Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls Peter Hurley
2014-02-10  1:59 ` [PATCH 19/24] Bluetooth: Refactor rfcomm_dev_add() Peter Hurley
2014-02-10  1:59 ` [PATCH 20/24] Bluetooth: Cleanup RFCOMM device registration error handling Peter Hurley
2014-02-10  1:59 ` [PATCH 21/24] Bluetooth: Force -EIO from tty read/write if .activate() fails Peter Hurley
2014-02-10  1:59 ` [PATCH 22/24] Bluetooth: Don't fail RFCOMM tty writes Peter Hurley
2014-02-10  1:59 ` [PATCH 23/24] Bluetooth: Refactor write_room() calculation Peter Hurley
2014-02-10  1:59 ` [PATCH 24/24] Bluetooth: Fix " Peter Hurley
2014-02-10 22:09 ` [PATCH 00/24] rfcomm fixes Marcel Holtmann
2014-02-10 23:00   ` Peter Hurley
2014-02-12 22:58     ` Marcel Holtmann
2014-02-13  0:38       ` Peter Hurley
2014-02-13 21:48         ` Alexander Holler
2014-02-12 11:06   ` Sander Eikelenboom
2014-03-03 19:38     ` Sander Eikelenboom
2014-03-10  8:38       ` [RC6 Bell Chime] " Sander Eikelenboom
2014-03-10 15:08         ` John W. Linville
2014-03-11 15:14           ` [RC6 Bell Chime] " Marcel Holtmann
2014-03-14  0:49             ` Sander Eikelenboom
2014-03-14  1:28               ` Marcel Holtmann
2014-03-14  1:29               ` Peter Hurley
2014-03-15 13:51                 ` Sander Eikelenboom
2014-03-15 17:53                   ` Linus Torvalds
2014-03-15 20:45                     ` Peter Hurley
2014-03-15 22:20                       ` Sander Eikelenboom
2014-03-16  0:16                       ` Linus Torvalds
2014-02-13 21:41 ` Alexander Holler
2014-02-14 21:45 ` Marcel Holtmann

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7cf193f dfblob:b385d99 )
 OR (
bs:"[PATCH 06/24] Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1391997564-1805-7-git-send-email-peter@hurleysoftware.com \
    --to=peter@hurleysoftware.com \
    --cc=andrey.vihrov@gmail.com \
    --cc=gianluca@sottospazio.it \
    --cc=gustavo@padovan.org \
    --cc=holler@ahsoftware.de \
    --cc=johan.hedberg@gmail.com \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@eikelenboom.it \
    --cc=marcel@holtmann.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox