Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls
At least two different race conditions exist with multiple concurrent RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls: * Multiple concurrent RFCOMMCREATEDEVs with RFCOMM_REUSE_DLC can mistakenly share the same DLC. * RFCOMMRELEASEDEV can destruct the rfcomm_dev still being constructed by RFCOMMCREATEDEV. Introduce rfcomm_ioctl_mutex to serialize these add/remove operations. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Tested-By: Alexander Holler <holler@ahsoftware.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
Peter Hurley
Marcel Holtmann
Родитель
7611fcedd6
Коммит
033ace99c4
|
|
@ -40,6 +40,7 @@
|
||||||
#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
|
#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
|
||||||
#define RFCOMM_TTY_MINOR 0
|
#define RFCOMM_TTY_MINOR 0
|
||||||
|
|
||||||
|
static DEFINE_MUTEX(rfcomm_ioctl_mutex);
|
||||||
static struct tty_driver *rfcomm_tty_driver;
|
static struct tty_driver *rfcomm_tty_driver;
|
||||||
|
|
||||||
struct rfcomm_dev {
|
struct rfcomm_dev {
|
||||||
|
|
@ -373,7 +374,7 @@ static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size
|
||||||
|
|
||||||
#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
|
#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
|
||||||
|
|
||||||
static int rfcomm_create_dev(struct sock *sk, void __user *arg)
|
static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
|
||||||
{
|
{
|
||||||
struct rfcomm_dev_req req;
|
struct rfcomm_dev_req req;
|
||||||
struct rfcomm_dlc *dlc;
|
struct rfcomm_dlc *dlc;
|
||||||
|
|
@ -423,7 +424,7 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
|
||||||
return id;
|
return id;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int rfcomm_release_dev(void __user *arg)
|
static int __rfcomm_release_dev(void __user *arg)
|
||||||
{
|
{
|
||||||
struct rfcomm_dev_req req;
|
struct rfcomm_dev_req req;
|
||||||
struct rfcomm_dev *dev;
|
struct rfcomm_dev *dev;
|
||||||
|
|
@ -466,6 +467,28 @@ static int rfcomm_release_dev(void __user *arg)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int rfcomm_create_dev(struct sock *sk, void __user *arg)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
mutex_lock(&rfcomm_ioctl_mutex);
|
||||||
|
ret = __rfcomm_create_dev(sk, arg);
|
||||||
|
mutex_unlock(&rfcomm_ioctl_mutex);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int rfcomm_release_dev(void __user *arg)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
mutex_lock(&rfcomm_ioctl_mutex);
|
||||||
|
ret = __rfcomm_release_dev(arg);
|
||||||
|
mutex_unlock(&rfcomm_ioctl_mutex);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
static int rfcomm_get_dev_list(void __user *arg)
|
static int rfcomm_get_dev_list(void __user *arg)
|
||||||
{
|
{
|
||||||
struct rfcomm_dev *dev;
|
struct rfcomm_dev *dev;
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче