Bluetooth: hci_core: fix list_for_each_entry_rcu usage

Releasing + re-acquiring RCU lock inside list_for_each_entry_rcu() loop
body is not correct.

Fix by taking the update-side hdev->lock instead.

Fixes: c7eaf80bfb0c ("Bluetooth: Fix hci_link_tx_to RCU lock usage")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3b49828160b739390d646ed793be8941fbdc02e3..04845ff3ad57d14efd9d60f48b1a32cbe0a3039e 100644 (file)
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3417,23 +3417,18 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
 
        bt_dev_err(hdev, "link tx timeout");
 
-       rcu_read_lock();
+       hci_dev_lock(hdev);
 
        /* Kill stalled connections */
-       list_for_each_entry_rcu(c, &h->list, list) {
+       list_for_each_entry(c, &h->list, list) {
                if (c->type == type && c->sent) {
                        bt_dev_err(hdev, "killing stalled connection %pMR",
                                   &c->dst);
-                       /* hci_disconnect might sleep, so, we have to release
-                        * the RCU read lock before calling it.
-                        */
-                       rcu_read_unlock();
                        hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
-                       rcu_read_lock();
                }
        }
 
-       rcu_read_unlock();
+       hci_dev_unlock(hdev);
 }
 
 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,