Bluetooth: Exclude released devices from RFCOMMGETDEVLIST ioctl
When enumerating RFCOMM devices in the rfcomm_dev_list, holding the rfcomm_dev_lock only guarantees the existence of the enumerated rfcomm_dev in memory, and not safe access to its state. Testing the device state (such as RFCOMM_TTY_RELEASED) does not guarantee the device will remain in that state for the subsequent access to the rfcomm_dev's fields, nor guarantee that teardown has not commenced. Obtain an rfcomm_dev reference for the duration of rfcomm_dev access. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Tested-By: Alexander Holler <holler@ahsoftware.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent
082a1532fc
commit
960603a54a
@ -468,7 +468,7 @@ static int rfcomm_get_dev_list(void __user *arg)
|
||||
spin_lock(&rfcomm_dev_lock);
|
||||
|
||||
list_for_each_entry(dev, &rfcomm_dev_list, list) {
|
||||
if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
|
||||
if (!tty_port_get(&dev->port))
|
||||
continue;
|
||||
(di + n)->id = dev->id;
|
||||
(di + n)->flags = dev->flags;
|
||||
@ -476,6 +476,7 @@ static int rfcomm_get_dev_list(void __user *arg)
|
||||
(di + n)->channel = dev->channel;
|
||||
bacpy(&(di + n)->src, &dev->src);
|
||||
bacpy(&(di + n)->dst, &dev->dst);
|
||||
tty_port_put(&dev->port);
|
||||
if (++n >= dev_num)
|
||||
break;
|
||||
}
|
||||
|
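Review bot: The `tty_port_put(&dev->port)` added in the second hunk runs while `rfcomm_dev_lock` is still held as a spinlock, so if another holder drops its reference while the fields are being copied, this call can become the final put and run the port's destructor in atomic context. The destructor is not visible on this page; if it takes `rfcomm_dev_lock` to unlink the device from `rfcomm_dev_list`, or can sleep, that would be a self-deadlock or a sleep-in-atomic bug on the ioctl path, so this should be confirmed before merging. If it is safe, a comment at the put would record why, for example `/* may be the final put: destructor must not take rfcomm_dev_lock or sleep */`; otherwise the put has to be deferred until after the lock is released. The body of `rfcomm_get_dev_list` starts before and continues past the two hunks shown, so the unlock and the copy to user space were not reviewed.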