From 2a5a5ec620a29d4ba07743c3151cdf0a417c8f8c Mon Sep 17 00:00:00 2001 From: Andrei Emeltchenko Date: Thu, 2 Feb 2012 10:32:18 +0200 Subject: [PATCH] Bluetooth: Use list _safe deleting from conn chan_list Fixes possible bug when deleting element from the list in function hci_chan_list_flush. list_for_each_entry_rcu is used and after deleting element from the list we also free pointer and then list_entry_rcu is taken from freed pointer. Signed-off-by: Andrei Emeltchenko Acked-by: Marcel Holtmann Signed-off-by: Johan Hedberg --- net/bluetooth/hci_conn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index b074bd698cf..b4ecddee11b 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -975,10 +975,10 @@ int hci_chan_del(struct hci_chan *chan) void hci_chan_list_flush(struct hci_conn *conn) { - struct hci_chan *chan; + struct hci_chan *chan, *n; BT_DBG("conn %p", conn); - list_for_each_entry_rcu(chan, &conn->chan_list, list) + list_for_each_entry_safe(chan, n, &conn->chan_list, list) hci_chan_del(chan); } -- 2.39.5