mirror of
https://github.com/torvalds/linux
synced 2024-09-22 03:55:39 +00:00
7ab56c3a6e
A deadlock occurs when PDU containing invalid SMP opcode is received on Security Manager Channel over LE link and conn->pending_rx_work worker has not run yet. When LE link is created l2cap_conn_ready() is called and before returning it schedules conn->pending_rx_work worker to hdev->workqueue. Incoming data to SMP fixed channel is handled by l2cap_recv_frame() which calls smp_sig_channel() to handle the SMP PDU. If smp_sig_channel() indicates failure l2cap_conn_del() is called to delete the connection. When deleting the connection, l2cap_conn_del() purges the pending_rx queue and calls flush_work() to wait for the pending_rx_work worker to complete. Since incoming data is handled by a worker running from the same workqueue as the pending_rx_work is being scheduled on, we will deadlock on waiting for pending_rx_work to complete. This patch fixes the deadlock by calling cancel_work_sync() instead of flush_work(). Signed-off-by: Jukka Taimisto <jtt@codenomicon.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org |
||
|---|---|---|
| .. | ||
| bnep | ||
| cmtp | ||
| hidp | ||
| rfcomm | ||
| 6lowpan.c | ||
| 6lowpan.h | ||
| a2mp.c | ||
| a2mp.h | ||
| af_bluetooth.c | ||
| amp.c | ||
| amp.h | ||
| hci_conn.c | ||
| hci_core.c | ||
| hci_event.c | ||
| hci_sock.c | ||
| hci_sysfs.c | ||
| Kconfig | ||
| l2cap_core.c | ||
| l2cap_sock.c | ||
| lib.c | ||
| Makefile | ||
| mgmt.c | ||
| sco.c | ||
| smp.c | ||
| smp.h | ||