From: Andrei Emeltchenko Date: Thu, 2 Feb 2012 08:32:18 +0000 (+0200) Subject: Bluetooth: Use list _safe deleting from conn chan_list X-Git-Tag: firefly_0821_release~3680^2~3338^2~112^2~189 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2a5a5ec620a29d4ba07743c3151cdf0a417c8f8c;p=firefly-linux-kernel-4.4.55.git Bluetooth: Use list _safe deleting from conn chan_list Fixes possible bug when deleting element from the list in function hci_chan_list_flush. list_for_each_entry_rcu is used and after deleting element from the list we also free pointer and then list_entry_rcu is taken from freed pointer. Signed-off-by: Andrei Emeltchenko Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg --- diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index b074bd698cf6..b4ecddee11b5 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -975,10 +975,10 @@ int hci_chan_del(struct hci_chan *chan) void hci_chan_list_flush(struct hci_conn *conn) { - struct hci_chan *chan; + struct hci_chan *chan, *n; BT_DBG("conn %p", conn); - list_for_each_entry_rcu(chan, &conn->chan_list, list) + list_for_each_entry_safe(chan, n, &conn->chan_list, list) hci_chan_del(chan); }