    Bluetooth: introduce hci_conn ref-counting · 8d12356f
    David Herrmann authored
    We currently do not allow using hci_conn from outside of HCI-core.
    However, several other users could make great use of it. This includes
    HIDP, rfcomm and all other sub-protocols that rely on an active
    connection.
    
    Hence, we now introduce hci_conn ref-counting. We currently never call
    get_device(). put_device() is exclusively used in hci_conn_del_sysfs().
    Hence, we currently never have a greater device-refcnt than 1.
    Therefore, it is safe to move the put_device() call from
    hci_conn_del_sysfs() to hci_conn_del() (it's the only caller). In fact,
    this even fixes a "use-after-free" bug as we access hci_conn after calling
    hci_conn_del_sysfs() in hci_conn_del().
    
    From now on we can add references to hci_conn objects in other layers
    (like l2cap_sock, HIDP, rfcomm, ...) and grab a reference via
    hci_conn_get(). This does _not_ guarantee that the connection is still
    alive. But, this isn't what we want. We can simply lock the hci_conn
    device and use "device_is_registered(hci_conn->dev)" to test that.
    However, this is hardly necessary as outside users should never rely on
    the HCI connection to be alive, anyway. Instead, they should solely rely
    on the device-object to be available.
    But if sub-devices want the hci_conn object as sysfs parent, they need to
    be notified when the connection drops. This will be introduced in later
    patches with l2cap_users.
    Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
    Acked-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
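The lifetime rule described in the commit message, as a userspace C model added here for illustration (not code from the kernel patch): a held reference keeps the object's memory valid but says nothing about whether the connection is still registered, and teardown must drop its own reference only after its last access. All names (`struct conn`, `conn_add`, `conn_get`, `conn_put`, `conn_del`, `freed_count`) are hypothetical, and the counter is a plain `int` rather than an atomic one.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical, not kernel API. */
struct conn {
    int  refcnt;      /* models the device refcount (not atomic here) */
    bool registered;  /* models what device_is_registered() reports */
    int  handle;
};
static int freed_count;   /* counts how often the release path ran */

static struct conn *conn_add(int handle)
{
    struct conn *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    c->refcnt = 1;            /* initial reference, owned by the core */
    c->registered = true;
    c->handle = handle;
    return c;
}

static struct conn *conn_get(struct conn *c) { c->refcnt++; return c; }
static void conn_put(struct conn *c)
{
    if (--c->refcnt == 0) {   /* last reference gone: free the object */
        freed_count++;
        free(c);
    }
}

/* Teardown: unregister, finish using the object, drop the core ref LAST. */
static int conn_del(struct conn *c)
{
    c->registered = false;    /* the connection is dead from here on */
    int handle = c->handle;   /* safe: the core reference is still held */
    conn_put(c);              /* no access to c after this line */
    return handle;
}

int main(void)
{
    struct conn *c = conn_add(7);
    if (!c) return 1;
    conn_get(c);              /* outside user's reference */
    conn_del(c);              /* core teardown; object must survive */
    bool ok = !c->registered && freed_count == 0;
    conn_put(c);              /* outside user lets go: now it is freed */
    return (ok && freed_count == 1) ? 0 : 1;
}
```

Moving `conn_put(c)` above the `c->handle` read in `conn_del` reproduces, for a caller holding no extra reference, the access-after-release ordering the commit message calls a use-after-free.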
hci_conn.c 23.8 KB