Unverified Commit fb8c82bf authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14800 Bluetooth: fix use-after-free in device_for_each_child() 

Merge Pull Request from: @ci-robot 
 
PR sync from: Guo Mengqi <guomengqi3@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/QUEMONMX6DWSAVV4J7TDW757AMKR3RSY/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBEADX 
 
Link:https://gitee.com/openeuler/kernel/pulls/14800

 

Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 4d7999ed 56c499da

net/bluetooth/hci_sysfs.c

+4 −11
Original line number Diff line number Diff line
@@ -21,16 +21,6 @@ static const struct device_type bt_link = { 
	.release = bt_link_release,

};



/*

 * The rfcomm tty device will possibly retain even when conn

 * is down, and sysfs doesn't support move zombie device,

 * so we should move the device before conn device is destroyed.

 */

static int __match_tty(struct device *dev, void *data)

{

	return !strncmp(dev_name(dev), "rfcomm", 6);

}



void hci_conn_init_sysfs(struct hci_conn *conn)

{

	struct hci_dev *hdev = conn->hdev;
@@ -73,10 +63,13 @@ void hci_conn_del_sysfs(struct hci_conn *conn) 
		return;

	}



	/* If there are devices using the connection as parent reset it to NULL

	 * before unregistering the device.

	 */

	while (1) {

		struct device *dev;



		dev = device_find_child(&conn->dev, NULL, __match_tty);

		dev = device_find_any_child(&conn->dev);

		if (!dev)

			break;

		device_move(dev, NULL, DPM_ORDER_DEV_LAST);