Bluetooth: Serialize RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls

At least two different race conditions exist with multiple concurrent
RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls:
* Multiple concurrent RFCOMMCREATEDEVs with RFCOMM_REUSE_DLC can
  mistakenly share the same DLC.
* RFCOMMRELEASEDEV can destruct the rfcomm_dev still being
  constructed by RFCOMMCREATEDEV.

Introduce rfcomm_ioctl_mutex to serialize these add/remove operations.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-By: Alexander Holler <holler@ahsoftware.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 4a38b5454ab00bee82a0cca4b4496e0952919f45..ef2769553dab32ff65e334bd117e3fea681c0f49 100644 (file)
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -40,6 +40,7 @@
 #define RFCOMM_TTY_MAJOR 216           /* device node major id of the usb/bluetooth.c driver */
 #define RFCOMM_TTY_MINOR 0
 
+static DEFINE_MUTEX(rfcomm_ioctl_mutex);
 static struct tty_driver *rfcomm_tty_driver;
 
 struct rfcomm_dev {
@@ -373,7 +374,7 @@ static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size
 
 #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
 
-static int rfcomm_create_dev(struct sock *sk, void __user *arg)
+static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
 {
        struct rfcomm_dev_req req;
        struct rfcomm_dlc *dlc;
@@ -423,7 +424,7 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
        return id;
 }
 
-static int rfcomm_release_dev(void __user *arg)
+static int __rfcomm_release_dev(void __user *arg)
 {
        struct rfcomm_dev_req req;
        struct rfcomm_dev *dev;
@@ -466,6 +467,28 @@ static int rfcomm_release_dev(void __user *arg)
        return 0;
 }
 
+static int rfcomm_create_dev(struct sock *sk, void __user *arg)
+{
+       int ret;
+
+       mutex_lock(&rfcomm_ioctl_mutex);
+       ret = __rfcomm_create_dev(sk, arg);
+       mutex_unlock(&rfcomm_ioctl_mutex);
+
+       return ret;
+}
+
+static int rfcomm_release_dev(void __user *arg)
+{
+       int ret;
+
+       mutex_lock(&rfcomm_ioctl_mutex);
+       ret = __rfcomm_release_dev(arg);
+       mutex_unlock(&rfcomm_ioctl_mutex);
+
+       return ret;
+}
+
 static int rfcomm_get_dev_list(void __user *arg)
 {
        struct rfcomm_dev *dev;