git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Arjan van de Ven <arjan@linux.intel.com>
	Thu, 29 May 2008 08:32:47 +0000 (01:32 -0700)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Mon, 16 Jun 2008 20:19:53 +0000 (13:19 -0700)
commit	8b1a1d515c3499d3bff3ccb58b76d351c8a466bd
tree	36fc6197e1c7f2ae4bdf676718c49ef069c3b56d	tree \| snapshot
parent	0121f65abe268ba1cc3a3b9ece0a7467c20512d6	commit \| diff

bluetooth: fix locking bug in the rfcomm socket cleanup handling

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the
following operation:

        if (parent && sock_flag(sk, SOCK_ZAPPED)) {
                /* We have to drop DLC lock here, otherwise
                 * rfcomm_sock_destruct() will dead lock. */
                rfcomm_dlc_unlock(d);
                rfcomm_sock_kill(sk);
                rfcomm_dlc_lock(d);
        }
}

which is fine, since rfcomm_sock_kill() will call sk_free() which will call
rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good.

HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets
called with the rfcomm_dlc_lock() taken. This is the case for all but one
case, and in that case where we don't have the lock, we do a double unlock
followed by an attempt to take the lock, which due to underflow isn't
going anywhere fast.

This patch fixes this by moving the stragling case inside the lock, like
the other usages of the same call are doing in this code.

This was found with the help of the www.kerneloops.org project, where this
deadlock was observed 51 times at this point in time:
http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>