Bluetooth: Use list _safe deleting from conn chan_list

Fixes possible bug when deleting element from the list in function hci_chan_list_flush. list_for_each_entry_rcu is used and after deleting element from the list we also free pointer and then list_entry_rcu is taken from freed pointer. Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

Bluetooth: Use list _safe deleting from conn chan_list
Fixes possible bug when deleting element from the list in function hci_chan_list_flush. list_for_each_entry_rcu is used and after deleting element from the list we also free pointer and then list_entry_rcu is taken from freed pointer. Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
2a5a5ec6 · Andrei Emeltchenko · Johan Hedberg · 3c4e0df0 · 2a5a5ec6
Commit 2a5a5ec6 authored Feb 02, 2012 by Andrei Emeltchenko Committed by Johan Hedberg Feb 13, 2012
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

net/bluetooth/hci_conn.c net/bluetooth/hci_conn.c +2 -2

No files found.
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -975,10 +975,10 @@ int hci_chan_del(struct hci_chan *chan)
 void hci_chan_list_flush(struct hci_conn *conn)
 {
-	struct hci_chan *chan;
+	struct hci_chan *chan, *n;
 	BT_DBG("conn %p", conn);
-	list_for_each_entry_rcu(chan, &conn->chan_list, list)
+	list_for_each_entry_safe(chan, n, &conn->chan_list, list)
 		hci_chan_del(chan);
 }