Commit afe0b1c8 authored by Claire Chang's avatar Claire Chang Committed by Marcel Holtmann

Bluetooth: hci_uart: Fix a race for write_work scheduling



In hci_uart_write_work, there is a loop/goto checking the value of
HCI_UART_TX_WAKEUP. If HCI_UART_TX_WAKEUP is set again, it keeps trying
hci_uart_dequeue; otherwise, it clears HCI_UART_SENDING and returns.

In hci_uart_tx_wakeup, if HCI_UART_SENDING is already set, it sets
HCI_UART_TX_WAKEUP, skips schedule_work and assumes the running/pending
hci_uart_write_work worker will do hci_uart_dequeue properly.

However, if the HCI_UART_SENDING check in hci_uart_tx_wakeup is done after
the loop breaks, but before HCI_UART_SENDING is cleared in
hci_uart_write_work, the schedule_work is skipped incorrectly.

Fix this race by changing the order of HCI_UART_SENDING and
HCI_UART_TX_WAKEUP modification.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Fixes: 82f5169b ("Bluetooth: hci_uart: add serdev driver support library")
Signed-off-by: Claire Chang <tientzu@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent c0187b0b
+3 −4
@@ -127,10 +127,9 @@ int hci_uart_tx_wakeup(struct hci_uart *hu)
	if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
		goto no_schedule;

	if (test_and_set_bit(HCI_UART_SENDING, &hu->tx_state)) {
	set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
	if (test_and_set_bit(HCI_UART_SENDING, &hu->tx_state))
		goto no_schedule;
	}

	BT_DBG("");

@@ -174,10 +173,10 @@ static void hci_uart_write_work(struct work_struct *work)
		kfree_skb(skb);
	}

	clear_bit(HCI_UART_SENDING, &hu->tx_state);
	if (test_bit(HCI_UART_TX_WAKEUP, &hu->tx_state))
		goto restart;

	clear_bit(HCI_UART_SENDING, &hu->tx_state);
	wake_up_bit(&hu->tx_state, HCI_UART_SENDING);
}
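Review bot: The relocated `clear_bit(HCI_UART_SENDING, &hu->tx_state)` in hci_uart_write_work still reaches `wake_up_bit()` with no memory barrier in between, and the kernel documentation for wake_up_bit() asks for one (typically `smp_mb__after_atomic()`) because it tests for waiters without taking the wait-queue lock. Adding `smp_mb__after_atomic();` directly after the clear_bit would satisfy that, and would also make the clear-then-test ordering against HCI_UART_TX_WAKEUP explicit instead of relying on both flags sharing the `tx_state` word. The waiter on HCI_UART_SENDING is not visible in this hunk, so the effect of a missed wakeup (presumably a delayed or timed-out wait) should be confirmed against it. The function body starts outside the hunk.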

+2 −2
@@ -83,9 +83,9 @@ static void hci_uart_write_work(struct work_struct *work)
			hci_uart_tx_complete(hu, hci_skb_pkt_type(skb));
			kfree_skb(skb);
		}
	} while (test_bit(HCI_UART_TX_WAKEUP, &hu->tx_state));

		clear_bit(HCI_UART_SENDING, &hu->tx_state);
	} while (test_bit(HCI_UART_TX_WAKEUP, &hu->tx_state));
}

/* ------- Interface to HCI layer ------ */
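Review bot: With `clear_bit(HCI_UART_SENDING, &hu->tx_state)` now inside the do/while body, a pass that repeats because HCI_UART_TX_WAKEUP was set runs with HCI_UART_SENDING clear, so the bit no longer means "the worker is transmitting". A tx wakeup arriving during that pass will, as far as the visible code shows, win its test_and_set_bit and queue the work again, which looks harmless but is not obvious to a reader. I would document the new meaning above the clear, for example `/* drop SENDING before testing TX_WAKEUP: a concurrent wakeup is either seen here or schedules the work itself; the loop may run once more with SENDING clear */`. The same holds for the `goto restart` path in the other file, and the loop opens outside this hunk, so how TX_WAKEUP is cleared at the top of each pass is not visible here.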