Bluetooth: hci_core: fix list_for_each_entry_rcu usage

[ Upstream commit 308a3a8ce8ea41b26c46169f3263e50f5997c28e ]

Releasing + re-acquiring RCU lock inside list_for_each_entry_rcu() loop
body is not correct.

Fix by taking the update-side hdev->lock instead.

Fixes: c7eaf80bfb0c ("Bluetooth: Fix hci_link_tx_to RCU lock usage")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 743b63287a18fdc09337c5a6b367e85065a903ab..831f41f6bc6de75ca958ca02f3f716557bb6941c 100644 (file)
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3416,23 +3416,18 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
 
        bt_dev_err(hdev, "link tx timeout");
 
-       rcu_read_lock();
+       hci_dev_lock(hdev);
 
        /* Kill stalled connections */
-       list_for_each_entry_rcu(c, &h->list, list) {
+       list_for_each_entry(c, &h->list, list) {
                if (c->type == type && c->sent) {
                        bt_dev_err(hdev, "killing stalled connection %pMR",
                                   &c->dst);
-                       /* hci_disconnect might sleep, so, we have to release
-                        * the RCU read lock before calling it.
-                        */
-                       rcu_read_unlock();
                        hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
-                       rcu_read_lock();
                }
        }
 
-       rcu_read_unlock();
+       hci_dev_unlock(hdev);
 }
 
 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,