git.baikalelectronics.ru Git - kernel.git/commit

author	Kiran K <kiran.k@intel.com>
	Sun, 15 Aug 2021 23:37:47 +0000 (05:07 +0530)
committer	Marcel Holtmann <marcel@holtmann.org>
	Mon, 16 Aug 2021 16:04:23 +0000 (18:04 +0200)
commit	c4a4bab114abddf88c6ced87a306db910f7e9af3
tree	9513dedd4d026f232947452601b3ee9bb0ed8e16	tree \| snapshot
parent	3d2def7f55810408be3e028bd9094c6f15d85c29	commit \| diff

Bluetooth: Fix race condition in handling NOP command

For NOP command, need to cancel work scheduled on cmd_timer,
on receiving command status or commmand complete event.

Below use case might lead to race condition multiple when NOP
commands are queued sequentially:

hci_cmd_work() {
   if (atomic_read(&hdev->cmd_cnt) {
            .
            .
            .
      atomic_dec(&hdev->cmd_cnt);
      hci_send_frame(hdev,...);
      schedule_delayed_work(&hdev->cmd_timer,...);
   }
}

On receiving event for first NOP, the work scheduled on hdev->cmd_timer
is not cancelled and second NOP is dequeued and sent to controller.

While waiting for an event for second NOP command, work scheduled on
cmd_timer for the first NOP can get scheduled, resulting in sending third
NOP command (sending back to back NOP commands). This might
cause issues at controller side (like memory overrun, controller going
unresponsive) resulting in hci tx timeouts, hardware errors etc.

The fix to this issue is to cancel the delayed work scheduled on
cmd_timer on receiving command status or command complete event for
NOP command (this patch handles NOP command same as any other SIG
command).

Signed-off-by: Kiran K <kiran.k@intel.com>
Reviewed-by: Chethan T N <chethan.tumkur.narayan@intel.com>
Reviewed-by: Srivatsa Ravishankar <ravishankar.srivatsa@intel.com>
Acked-by: Manish Mandlik <mmandlik@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>