Bluetooth: vhci: fix open_timeout vs. hdev race

[cascardo/linux.git] / drivers / bluetooth / hci_vhci.c

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 80783dc..3ec580e 100644 (file)
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -189,13 +189,13 @@ static inline ssize_t vhci_get_user(struct vhci_data *data,
                break;
 
        case HCI_VENDOR_PKT:
+               cancel_delayed_work_sync(&data->open_timeout);
+
                if (data->hdev) {
                        kfree_skb(skb);
                        return -EBADFD;
                }
 
-               cancel_delayed_work_sync(&data->open_timeout);
-
                opcode = *((__u8 *) skb->data);
                skb_pull(skb, 1);
 
@@ -333,10 +333,12 @@ static int vhci_open(struct inode *inode, struct file *file)
 static int vhci_release(struct inode *inode, struct file *file)
 {
        struct vhci_data *data = file->private_data;
-       struct hci_dev *hdev = data->hdev;
+       struct hci_dev *hdev;
 
        cancel_delayed_work_sync(&data->open_timeout);
 
+       hdev = data->hdev;
+
        if (hdev) {
                hci_unregister_dev(hdev);
                hci_free_dev(hdev);