summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrei Emeltchenko <andrei.emeltchenko@intel.com>2012-02-02 10:32:18 +0200
committerJohan Hedberg <johan.hedberg@intel.com>2012-02-13 17:01:32 +0200
commit2a5a5ec620a29d4ba07743c3151cdf0a417c8f8c (patch)
treea135890c9ad5aedd305f0ad905fb81ddaeddfddf
parent3c4e0df028935618d052235ba85bc7079be13394 (diff)
downloadlwn-2a5a5ec620a29d4ba07743c3151cdf0a417c8f8c.tar.gz
lwn-2a5a5ec620a29d4ba07743c3151cdf0a417c8f8c.zip
Bluetooth: Use list _safe deleting from conn chan_list
Fixes possible bug when deleting element from the list in function hci_chan_list_flush. list_for_each_entry_rcu is used and after deleting element from the list we also free pointer and then list_entry_rcu is taken from freed pointer. Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
-rw-r--r--net/bluetooth/hci_conn.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b074bd698cf6..b4ecddee11b5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -975,10 +975,10 @@ int hci_chan_del(struct hci_chan *chan)
void hci_chan_list_flush(struct hci_conn *conn)
{
- struct hci_chan *chan;
+ struct hci_chan *chan, *n;
BT_DBG("conn %p", conn);
- list_for_each_entry_rcu(chan, &conn->chan_list, list)
+ list_for_each_entry_safe(chan, n, &conn->chan_list, list)
hci_chan_del(chan);
}