| From b8a5277fa002a28cf3a49cd872ab3d41f677e22a Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 9 Jun 2020 21:27:08 +0530 |
| Subject: Bluetooth: hci_qca: Bug fix during SSR timeout |
| |
| From: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org> |
| |
| [ Upstream commit f98aa80ff78c34fe328eb9cd3e2cc3058e42bcfd ] |
| |
| Due to race conditions between qca_hw_error and qca_controller_memdump |
| during SSR timeout,the same pointer is freed twice. This results in a |
| double free. Now a lock is acquired before checking the stauts of SSR |
| state. |
| |
| Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR") |
| Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org> |
| Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org> |
| Signed-off-by: Marcel Holtmann <marcel@holtmann.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/bluetooth/hci_qca.c | 29 +++++++++++++++++------------ |
| 1 file changed, 17 insertions(+), 12 deletions(-) |
| |
| diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c |
| index dc949592c4ed5..a6dd13a2975a8 100644 |
| --- a/drivers/bluetooth/hci_qca.c |
| +++ b/drivers/bluetooth/hci_qca.c |
| @@ -981,8 +981,11 @@ static void qca_controller_memdump(struct work_struct *work) |
| while ((skb = skb_dequeue(&qca->rx_memdump_q))) { |
| |
| mutex_lock(&qca->hci_memdump_lock); |
| - /* Skip processing the received packets if timeout detected. */ |
| - if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT) { |
| + /* Skip processing the received packets if timeout detected |
| + * or memdump collection completed. |
| + */ |
| + if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT || |
| + qca->memdump_state == QCA_MEMDUMP_COLLECTED) { |
| mutex_unlock(&qca->hci_memdump_lock); |
| return; |
| } |
| @@ -1451,8 +1454,6 @@ static void qca_hw_error(struct hci_dev *hdev, u8 code) |
| { |
| struct hci_uart *hu = hci_get_drvdata(hdev); |
| struct qca_data *qca = hu->priv; |
| - struct qca_memdump_data *qca_memdump = qca->qca_memdump; |
| - char *memdump_buf = NULL; |
| |
| set_bit(QCA_SSR_TRIGGERED, &qca->flags); |
| set_bit(QCA_HW_ERROR_EVENT, &qca->flags); |
| @@ -1476,19 +1477,23 @@ static void qca_hw_error(struct hci_dev *hdev, u8 code) |
| qca_wait_for_dump_collection(hdev); |
| } |
| |
| + mutex_lock(&qca->hci_memdump_lock); |
| if (qca->memdump_state != QCA_MEMDUMP_COLLECTED) { |
| bt_dev_err(hu->hdev, "clearing allocated memory due to memdump timeout"); |
| - mutex_lock(&qca->hci_memdump_lock); |
| - if (qca_memdump) |
| - memdump_buf = qca_memdump->memdump_buf_head; |
| - vfree(memdump_buf); |
| - kfree(qca_memdump); |
| - qca->qca_memdump = NULL; |
| + if (qca->qca_memdump) { |
| + vfree(qca->qca_memdump->memdump_buf_head); |
| + kfree(qca->qca_memdump); |
| + qca->qca_memdump = NULL; |
| + } |
| qca->memdump_state = QCA_MEMDUMP_TIMEOUT; |
| cancel_delayed_work(&qca->ctrl_memdump_timeout); |
| - skb_queue_purge(&qca->rx_memdump_q); |
| - mutex_unlock(&qca->hci_memdump_lock); |
| + } |
| + mutex_unlock(&qca->hci_memdump_lock); |
| + |
| + if (qca->memdump_state == QCA_MEMDUMP_TIMEOUT || |
| + qca->memdump_state == QCA_MEMDUMP_COLLECTED) { |
| cancel_work_sync(&qca->ctrl_memdump_evt); |
| + skb_queue_purge(&qca->rx_memdump_q); |
| } |
| |
| clear_bit(QCA_HW_ERROR_EVENT, &qca->flags); |
| -- |
| 2.25.1 |
| |