Bluetooth: Avoid rfcomm_session_timeout using freed session
Use del_timer_sync() instead of del_timer() as this ensures that rfcomm_session_timeout() is not running on a different CPU when rfcomm_session_put() is called.

This avoids a race condition on SMP systems because potentially rfcomm_session_timeout() could reuse the freed RFCOMM session structure caused by the execution of rfcomm_session_put().

Note that this modification makes the reason for the RFCOMM session refcnt mechanism redundant.

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
parent be9f97f045
commit fea7b02fbf
1 changed files with 1 additions and 1 deletions
|
@ -257,7 +257,7 @@ static void rfcomm_session_clear_timer(struct rfcomm_session *s)
|
|||
{
|
||||
BT_DBG("session %p state %ld", s, s->state);
|
||||
|
||||
if (del_timer(&s->timer))
|
||||
if (del_timer_sync(&s->timer))
|
||||
rfcomm_session_put(s);
|
||||
}
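Review bot: At the `if (del_timer_sync(&s->timer))` line, del_timer_sync() waits for a running rfcomm_session_timeout() to finish, so every caller of rfcomm_session_clear_timer() must be in a context that may wait and must not hold a lock the timeout handler takes, otherwise the call can deadlock. The hunk does not show the callers, so please confirm this in the commit message or in a comment above the call. The message also says the session refcnt mechanism becomes redundant, yet `rfcomm_session_put(s)` stays on the next line; state whether removing it is left to a follow-up patch.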