From e686219a64fee9be9ce438dc3f040cd71ddd168a Mon Sep 17 00:00:00 2001
From: "Gustavo F. Padovan"
Date: Mon, 24 Aug 2009 00:45:19 -0300
Subject: [PATCH] Bluetooth: Add locking scheme to L2CAP timeout callbacks

Avoid race conditions when accessing the L2CAP socket from within the timeout handlers.

Signed-off-by: Gustavo F. Padovan
Signed-off-by: Marcel Holtmann
---
 net/bluetooth/l2cap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index c04526f3df2e..efac637525f1 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1192,6 +1192,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
 struct sock *sk = (void *) arg;
 u16 control;
 
+ bh_lock_sock(sk);
 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
 return;
@@ -1203,6 +1204,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
 control = L2CAP_CTRL_POLL;
 control |= L2CAP_SUPER_RCV_READY;
 l2cap_send_sframe(l2cap_pi(sk), control);
+ bh_unlock_sock(sk);
 }
 
 static void l2cap_retrans_timeout(unsigned long arg)
@@ -1210,6 +1212,7 @@ static void l2cap_retrans_timeout(unsigned long arg)
 struct sock *sk = (void *) arg;
 u16 control;
 
+ bh_lock_sock(sk);
 l2cap_pi(sk)->retry_count = 1;
 __mod_monitor_timer();
 
@@ -1218,6 +1221,7 @@ static void l2cap_retrans_timeout(unsigned long arg)
 control = L2CAP_CTRL_POLL;
 control |= L2CAP_SUPER_RCV_READY;
 l2cap_send_sframe(l2cap_pi(sk), control);
+ bh_unlock_sock(sk);
 }
 
 static void l2cap_drop_acked_frames(struct sock *sk)
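Review bot: The early `return;` in the `retry_count >= remote_max_tx` branch of l2cap_monitor_timeout now leaves the handler with the socket spinlock still held, because `bh_lock_sock(sk)` is taken just above it and the only `bh_unlock_sock(sk)` the commit adds sits at the end of the function (second hunk). That branch is taken when the retry limit negotiated with the peer is reached, so an unresponsive remote device can steer the handler into it; any later attempt to take the lock on that socket would then spin, which in timer context presumably ends in a lockup. Release the lock on that path as well, `bh_unlock_sock(sk);` before the `return;`, or route both exits through a single `out:` label. The closing brace of the `if` and the middle of the function body lie outside this hunk.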
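Review bot: `bh_lock_sock(sk)` at the top of l2cap_retrans_timeout (and of l2cap_monitor_timeout in the first hunk) takes only the socket spinlock, so it does not by itself exclude a process-context path that currently owns the socket through `lock_sock()`. If such a path can touch `retry_count` or the monitor and retransmission timers, which is not visible in this diff, the race the commit message describes stays open there. Consider checking `sock_owned_by_user(sk)` right after taking the lock and re-arming the timer for a short delay when it is set, with a comment such as `/* timer context: defer if a user-context owner holds sk */`. The function body between the third and fourth hunks is outside the visible lines.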