[PATCH v4a 10/38] timers: Bluetooth: Use timer_shutdown_sync() before freeing timer

Steven Rostedt <rostedt@xxxxxxxxxxx> · Sat, 05 Nov 2022 02:00:34 -0400

From: "Steven Rostedt (Google)" <rostedt@xxxxxxxxxxx>

Before a timer is freed, timer_shutdown_sync() must be called.

In h5_close(), the timer is removed with del_timer_sync(), but it is only
freed if hu->serdev is NULL. I added timer_shutdown_sync() just before it
is freed. timer_shutdown() may also be used, but just in case it gets
re-armed somehow, I figured another sync will keep that from being an
issue.

Link: https://lore.kernel.org/all/20221104054053.431922658@xxxxxxxxxxx/

Cc: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Cc: Johan Hedberg <johan.hedberg@xxxxxxxxx>
Cc: Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>
Cc: linux-bluetooth@xxxxxxxxxxxxxxx
Signed-off-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx>
---
 drivers/bluetooth/hci_bcsp.c | 2 +-
 drivers/bluetooth/hci_h5.c   | 4 +++-
 drivers/bluetooth/hci_qca.c  | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index cf4a56095817..834b2efaa9bf 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -737,7 +737,7 @@ static int bcsp_close(struct hci_uart *hu)
 {
 	struct bcsp_struct *bcsp = hu->priv;
 
-	del_timer_sync(&bcsp->tbcsp);
+	timer_shutdown_sync(&bcsp->tbcsp);
 
 	hu->priv = NULL;
 
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index c5a0409ef84f..633f3027abd2 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -265,8 +265,10 @@ static int h5_close(struct hci_uart *hu)
 	if (h5->vnd && h5->vnd->close)
 		h5->vnd->close(h5);
 
-	if (!hu->serdev)
+	if (!hu->serdev) {
+		timer_shutdown_sync(&h5->timer);
 		kfree(h5);
+	}
 
 	return 0;
 }
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 8df11016fd51..eb81296b284c 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -697,8 +697,8 @@ static int qca_close(struct hci_uart *hu)
 	skb_queue_purge(&qca->txq);
 	skb_queue_purge(&qca->rx_memdump_q);
 	destroy_workqueue(qca->workqueue);
-	del_timer_sync(&qca->tx_idle_timer);
-	del_timer_sync(&qca->wake_retrans_timer);
+	timer_shutdown_sync(&qca->tx_idle_timer);
+	timer_shutdown_sync(&qca->wake_retrans_timer);
 	qca->hu = NULL;
 
 	kfree_skb(qca->rx_skb);
-- 
2.35.1






