Commit b67f0545 authored by Marcel Holtmann's avatar Marcel Holtmann

[Bluetooth] Fix rfcomm_sock_destruct() deadlock

The fix for socket unlink race introduced a deadlock in the RFCOMM
code. The state change function is always called under the DLC lock
and if rfcomm_sock_kill() is called the rfcomm_sock_destruct() will
dead lock. So the DLC lock must be dropped first and claimed again
afterwards.
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 295c1fd5
......@@ -117,8 +117,13 @@ static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
bh_unlock_sock(sk);
if (parent && sk->sk_zapped)
if (parent && sk->sk_zapped) {
/* We have to drop DLC lock here, otherwise
* rfcomm_sock_destruct() will dead lock. */
rfcomm_dlc_unlock(d);
rfcomm_sock_kill(sk);
rfcomm_dlc_lock(d);
}
}
/* ---- Socket functions ---- */
......@@ -184,7 +189,7 @@ static void rfcomm_sock_destruct(struct sock *sk)
rfcomm_dlc_lock(d);
rfcomm_pi(sk)->dlc = NULL;
/* Detach DLC if it's owned by this socket */
if (d->owner == sk)
d->owner = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment