Bluetooth: Avoid rfcomm_session_timeout using freed session
author Dean Jenkins <Dean_Jenkins@mentor.com>
Thu, 28 Feb 2013 14:21:53 +0000 (14:21 +0000)
committer Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Fri, 8 Mar 2013 13:40:24 +0000 (10:40 -0300)
commit fea7b02fbf73adb2e746f00ed279a782de7e74e4
tree b5f944e911d7e9db66d503b45a8473a85948740e
parent be9f97f04565a6c438b7521ad679870d25645475
Bluetooth: Avoid rfcomm_session_timeout using freed session

Use del_timer_sync() instead of del_timer() as this ensures
that rfcomm_session_timeout() is not running on a different
CPU when rfcomm_session_put() is called. This avoids a race
condition on SMP systems because potentially
rfcomm_session_timeout() could reuse the freed RFCOMM session
structure caused by the execution of rfcomm_session_put().

Note that this modification makes the reason for the RFCOMM
session refcnt mechanism redundant.

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
net/bluetooth/rfcomm/core.c
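
The race described in the commit message, as an added single-threaded userspace model that is not the kernel patch or code from this commit. The names `model_del_timer`, `model_del_timer_sync`, `other_cpu_step` and `teardown_races` are hypothetical, and a `freed` flag stands in for actually freeing the session so the unsafe access can be observed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: the "other CPU" runs the timeout handler in steps. */
struct session { bool freed; };
struct timer {
    bool pending;            /* armed, handler not started yet */
    int handler_steps;       /* > 0 while the handler runs on the other CPU */
    struct session *data;    /* session the handler will dereference */
    bool touched_freed;      /* set if the handler used a freed session */
};

/* Advance the handler by one step; its last step dereferences the session. */
static void other_cpu_step(struct timer *t) {
    if (t->handler_steps == 0) return;
    if (--t->handler_steps == 0 && t->data->freed)
        t->touched_freed = true;
}

/* Timer expires on the other CPU: it is no longer pending, handler starts. */
static void timer_fire(struct timer *t) { t->pending = false; t->handler_steps = 2; }

/* Models del_timer(): deactivates a pending timer, never waits for a handler. */
static int model_del_timer(struct timer *t) {
    int was_pending = t->pending;
    t->pending = false;
    return was_pending;
}

/* Models del_timer_sync(): additionally waits until a running handler ends. */
static int model_del_timer_sync(struct timer *t) {
    int was_pending = model_del_timer(t);
    while (t->handler_steps > 0) other_cpu_step(t);
    return was_pending;
}

/* Teardown while the handler is mid-run; true means use of a freed session. */
bool teardown_races(bool use_sync) {
    struct session s = { false };
    struct timer t = { true, 0, &s, false };
    timer_fire(&t);
    other_cpu_step(&t);                      /* handler is partway through */
    if (use_sync) model_del_timer_sync(&t); else model_del_timer(&t);
    s.freed = true;                          /* stands in for the session free */
    while (t.handler_steps > 0) other_cpu_step(&t);   /* handler resumes */
    return t.touched_freed;
}
int main(void) {
    printf("del_timer: %d, del_timer_sync: %d\n", teardown_races(false), teardown_races(true));
    return 0;
}
```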