2016-02-04 15:51:58

by Nicholas Krause

Subject: [PATCH] bluetooth:Add proper protection to the critical region in the function hci_connect_sco

This adds proper protection to the critical region in the function
hci_connect_sco by taking the hdev lock before the critical region
and releasing it after the region has executed, including on the
error paths.

Signed-off-by: Nicholas Krause <[email protected]>
---
net/bluetooth/hci_conn.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 2c48bf0..27e3440 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -900,11 +900,13 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
if (IS_ERR(acl))
return acl;

+ hci_dev_lock(hdev);
sco = hci_conn_hash_lookup_ba(hdev, type, dst);
if (!sco) {
sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
if (!sco) {
hci_conn_drop(acl);
+ hci_dev_unlock(hdev);
return ERR_PTR(-ENOMEM);
}
}
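Review bot: The added `hci_dev_lock(hdev);` is taken unconditionally, but the callers of hci_connect_sco are outside this diff and the commit message does not state what lock state they enter with. hci_dev_lock is a plain, non-recursive mutex on the device, so if any caller already holds it, this line self-deadlocks and the connect path hangs; the callers need to be audited before this is merged. If they do hold the lock, the function should assert that instead of locking again, `lockdep_assert_held(&hdev->lock);`, and either way the contract belongs in a comment above the function. The lock is also acquired only after `acl` has been obtained and checked with `IS_ERR(acl)`, so whatever produced `acl` above the hunk is not covered by the new critical region. The function starts above this hunk.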
@@ -924,12 +926,14 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
/* defer SCO setup until mode change completed */
set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
+ hci_dev_unlock(hdev);
return sco;
}

hci_sco_setup(acl, 0x00);
}
-
+
+ hci_dev_unlock(hdev);
return sco;
}
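Review bot: The unlock is repeated by hand before each of the three returns (the `-ENOMEM` path in the first hunk, the deferred-setup return and the final return here), which makes it easy for a later exit path to leave the mutex held. The usual kernel shape is a single exit label, with the early exits doing `goto unlock;` (the error path first setting `sco = ERR_PTR(-ENOMEM);`) and the tail reading `unlock:` / `hci_dev_unlock(hdev);` / `return sco;`. The `-`/`+` pair just before the final unlock appears to replace an empty line with a whitespace-only one, which checkpatch would flag as trailing whitespace; that line should stay empty. The code between the two hunks is not visible, so any return there would need the same treatment.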

--
2.1.4