Hi Michael,

On Tue, Mar 04, 2014, Michael Knudsen wrote:
> On 03/04/2014 08:14 AM, Johan Hedberg wrote:
> >>>When stopping BCSP/H5, stop the retransmission timer before proceeding
> >>>to clean up packet queues. The previous code had a race condition where
> >>>the timer could trigger after the packet lists and protocol structure
> >>>had been removed which lead to dereferencing NULL or use-after-free bugs.
> >>
> >>No interest?
> >
> >I was just discussing this yesterday with Marcel (that we seem to have
> >forgotten about this patch). The only concern is whether it's safe to
> >sleep in the *_close callbacks (since you use del_timer_sync). Have you
> >verified that this doesn't cause any issues?
>
> Our internal testing was reliably triggering the crash before and
> has been stable since our fix went into local trees. I expected
> sleeping to be fine since the path is in process context, and I
> found that slip uses the same approach:
>
> 	drivers/net/slip/slip.c:slip_close()
>
> I think I saw other line disciplines that did the same but I don't
> recall which ones.
>
> Btw. if this is committed, there is a small typo in the message I
> used: Instead of ``lead'' it should be ``led''.

Thanks for the confirmation. I've now pushed the patch to the
bluetooth-next tree (with the typo fixed too).

Johan
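The teardown ordering discussed in this thread, as an added example that is not part of the original message or the patch: a userspace model in which a pthread stands in for the retransmission timer and pthread_join plays the role of del_timer_sync. All names here (struct proto, proto_open, proto_close) are hypothetical and are not taken from the BCSP/H5 drivers.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-port protocol state (not the driver's struct). */
struct proto {
    pthread_t timer;    /* models the retransmission timer */
    atomic_int stop;    /* set by close to cancel the timer */
    atomic_int fired;   /* number of times the handler body ran */
    int *unacked;       /* models the unacked-packet queue */
};

/* Timer handler: it walks the queue, so the queue must outlive it. */
static void *timer_fn(void *arg)
{
    struct proto *p = arg;
    while (!atomic_load(&p->stop)) {
        p->unacked[0]++;                /* use-after-free if close freed this first */
        atomic_fetch_add(&p->fired, 1);
        sched_yield();
    }
    return NULL;
}

struct proto *proto_open(void)
{
    struct proto *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->unacked = calloc(16, sizeof(int));
    if (!p->unacked || pthread_create(&p->timer, NULL, timer_fn, p)) {
        free(p->unacked); free(p); return NULL;
    }
    return p;
}

/* Close in the order the commit message describes: stop the timer and wait
 * for a running handler to finish (the blocking step, hence the question
 * about sleeping in *_close), and only then free the queue and the state.
 * Returns how many times the handler ran. */
int proto_close(struct proto *p)
{
    atomic_store(&p->stop, 1);
    pthread_join(p->timer, NULL);       /* may block: process context only */
    int fired = atomic_load(&p->fired);
    free(p->unacked);                   /* safe: the handler can no longer run */
    free(p);
    return fired;
}
```

Moving the two free() calls above pthread_join reproduces the ordering the commit message calls racy, with the handler still able to touch memory that close has already released.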