Commit 80ea7337 authored by Peter Hurley's avatar Peter Hurley Committed by Marcel Holtmann

Bluetooth: Fix unreleased rfcomm_dev reference

When RFCOMM_RELEASE_ONHUP is set, the rfcomm tty driver 'takes over'
the initial rfcomm_dev reference created by the RFCOMMCREATEDEV ioctl.
The assumption is that the rfcomm tty driver will release the
rfcomm_dev reference when the tty is freed (in rfcomm_tty_cleanup()).
However, if the tty is never opened, the 'take over' never occurs,
so when RFCOMMRELEASEDEV ioctl is called, the reference is not
released.

Track the state of the reference 'take over' so that the release
is guaranteed by either the RFCOMMRELEASEDEV ioctl or the rfcomm tty
driver.

Note that the synchronous hangup in rfcomm_release_dev() ensures
that rfcomm_tty_install() cannot race with the RFCOMMRELEASEDEV ioctl.
Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
Tested-By: default avatarAlexander Holler <holler@ahsoftware.de>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 1c64834e
...@@ -333,6 +333,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, ...@@ -333,6 +333,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel,
/* rfcomm_dev.status bit definitions */ /* rfcomm_dev.status bit definitions */
#define RFCOMM_DEV_RELEASED 0 #define RFCOMM_DEV_RELEASED 0
#define RFCOMM_TTY_OWNED 1
struct rfcomm_dev_req { struct rfcomm_dev_req {
s16 dev_id; s16 dev_id;
......
...@@ -441,7 +441,7 @@ static int rfcomm_release_dev(void __user *arg) ...@@ -441,7 +441,7 @@ static int rfcomm_release_dev(void __user *arg)
tty_kref_put(tty); tty_kref_put(tty);
} }
if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
tty_port_put(&dev->port); tty_port_put(&dev->port);
tty_port_put(&dev->port); tty_port_put(&dev->port);
...@@ -685,8 +685,10 @@ static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty) ...@@ -685,8 +685,10 @@ static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
* when the last process closes the tty. The behaviour is expected by * when the last process closes the tty. The behaviour is expected by
* userspace. * userspace.
*/ */
if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
set_bit(RFCOMM_TTY_OWNED, &dev->status);
tty_port_put(&dev->port); tty_port_put(&dev->port);
}
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment