Commit 308a3a8c authored by Pauli Virtanen, committed by Luiz Augusto von Dentz

Bluetooth: hci_core: fix list_for_each_entry_rcu usage



Releasing + re-acquiring RCU lock inside list_for_each_entry_rcu() loop
body is not correct.

Fix by taking the update-side hdev->lock instead.

Fixes: c7eaf80b ("Bluetooth: Fix hci_link_tx_to RCU lock usage")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent 3cae906e
+3 −8
@@ -3417,23 +3417,18 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)

	bt_dev_err(hdev, "link tx timeout");

	rcu_read_lock();
	hci_dev_lock(hdev);

	/* Kill stalled connections */
	list_for_each_entry_rcu(c, &h->list, list) {
	list_for_each_entry(c, &h->list, list) {
		if (c->type == type && c->sent) {
			bt_dev_err(hdev, "killing stalled connection %pMR",
				   &c->dst);
			/* hci_disconnect might sleep, so, we have to release
			 * the RCU read lock before calling it.
			 */
			rcu_read_unlock();
			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
			rcu_read_lock();
		}
	}

	rcu_read_unlock();
	hci_dev_unlock(hdev);
}

static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
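Review bot: replacing rcu_read_lock() with hci_dev_lock(hdev) and list_for_each_entry_rcu() with list_for_each_entry() is the right shape for this fix, because the removed rcu_read_unlock()/rcu_read_lock() pair around hci_disconnect() gave no guarantee that `c` or its next pointer was still valid once the read lock was re-taken; the point to confirm is that nothing on the hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM) path takes hdev->lock itself, since that lock is now held across the call and would self-deadlock, and that hci_link_tx_to() is only reached from a context that may sleep (the removed comment already states hci_disconnect might sleep, and the new lock is a sleeping lock as well). With the RCU comment gone, a one-line comment above the list_for_each_entry() loop noting that hdev->lock now protects the traversal would keep the locking intent visible to the next reader.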