Commit fd1278d7 authored by Marcel Holtmann's avatar Marcel Holtmann Committed by David S. Miller

[Bluetooth] Fix deadlock in the L2CAP layer

The Bluetooth L2CAP layer has 2 locks that are used in softirq context,
(one spinlock and one rwlock, where the softirq usage is readlock) but
where not all usages of the lock were _bh safe. The patch below corrects
this.
Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 0263603a
...@@ -185,7 +185,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk) ...@@ -185,7 +185,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
{ {
struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c; struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
write_lock(&l->lock); write_lock_bh(&l->lock);
if (sk == l->head) if (sk == l->head)
l->head = next; l->head = next;
...@@ -193,7 +193,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk) ...@@ -193,7 +193,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
l2cap_pi(next)->prev_c = prev; l2cap_pi(next)->prev_c = prev;
if (prev) if (prev)
l2cap_pi(prev)->next_c = next; l2cap_pi(prev)->next_c = next;
write_unlock(&l->lock); write_unlock_bh(&l->lock);
__sock_put(sk); __sock_put(sk);
} }
...@@ -313,9 +313,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) ...@@ -313,9 +313,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent) static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
{ {
struct l2cap_chan_list *l = &conn->chan_list; struct l2cap_chan_list *l = &conn->chan_list;
write_lock(&l->lock); write_lock_bh(&l->lock);
__l2cap_chan_add(conn, sk, parent); __l2cap_chan_add(conn, sk, parent);
write_unlock(&l->lock); write_unlock_bh(&l->lock);
} }
static inline u8 l2cap_get_ident(struct l2cap_conn *conn) static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
...@@ -328,14 +328,14 @@ static inline u8 l2cap_get_ident(struct l2cap_conn *conn) ...@@ -328,14 +328,14 @@ static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
* 200 - 254 are used by utilities like l2ping, etc. * 200 - 254 are used by utilities like l2ping, etc.
*/ */
spin_lock(&conn->lock); spin_lock_bh(&conn->lock);
if (++conn->tx_ident > 128) if (++conn->tx_ident > 128)
conn->tx_ident = 1; conn->tx_ident = 1;
id = conn->tx_ident; id = conn->tx_ident;
spin_unlock(&conn->lock); spin_unlock_bh(&conn->lock);
return id; return id;
} }
...@@ -1416,11 +1416,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd ...@@ -1416,11 +1416,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
if (!sk) if (!sk)
goto response; goto response;
write_lock(&list->lock); write_lock_bh(&list->lock);
/* Check if we already have channel with that dcid */ /* Check if we already have channel with that dcid */
if (__l2cap_get_chan_by_dcid(list, scid)) { if (__l2cap_get_chan_by_dcid(list, scid)) {
write_unlock(&list->lock); write_unlock_bh(&list->lock);
sock_set_flag(sk, SOCK_ZAPPED); sock_set_flag(sk, SOCK_ZAPPED);
l2cap_sock_kill(sk); l2cap_sock_kill(sk);
goto response; goto response;
...@@ -1458,7 +1458,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd ...@@ -1458,7 +1458,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
result = status = 0; result = status = 0;
done: done:
write_unlock(&list->lock); write_unlock_bh(&list->lock);
response: response:
bh_unlock_sock(parent); bh_unlock_sock(parent);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment