Bluetooth: Fix missing hdev locking in smp_cmd_ident_addr_info
authorJohan Hedberg <johan.hedberg@intel.com>
Fri, 27 Jun 2014 11:23:02 +0000 (14:23 +0300)
committerMarcel Holtmann <marcel@holtmann.org>
Thu, 3 Jul 2014 15:42:47 +0000 (17:42 +0200)
The hdev lock must be held before calling into smp_distribute_keys. Also
things such as hci_add_irk() require the lock. This patch fixes the
issue by adding the necessary locking into the smp_cmd_ident_addr_info
function.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/smp.c

index 976fce2315fd4bb959a0f3ae765885ed6025f0e0..a38941593e8b1c1d569d520377e02877dcc7d26c 100644 (file)
@@ -1076,6 +1076,8 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
 
        skb_pull(skb, sizeof(*info));
 
+       hci_dev_lock(hcon->hdev);
+
        /* Strictly speaking the Core Specification (4.1) allows sending
         * an empty address which would force us to rely on just the IRK
         * as "identity information". However, since such
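Review bot: The added `hci_dev_lock(hcon->hdev);` carries no comment saying what it protects, so a later edit could add an early return below it or move the call without noticing the contract. A one-line comment above it would record the reason given in the commit message, for example `/* hci_add_irk() and smp_distribute_keys() below require the hdev lock */`. The body of smp_cmd_ident_addr_info starts before this hunk and continues past it, so the code ahead of the lock is not visible here.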
@@ -1085,8 +1087,7 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
         */
        if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
                BT_ERR("Ignoring IRK with no identity address");
-               smp_distribute_keys(conn);
-               return 0;
+               goto distribute;
        }
 
        bacpy(&smp->id_addr, &info->bdaddr);
@@ -1100,8 +1101,11 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
        smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
                                      smp->id_addr_type, smp->irk, &rpa);
 
+distribute:
        smp_distribute_keys(conn);
 
+       hci_dev_unlock(hcon->hdev);
+
        return 0;
 }
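Review bot: The `hci_dev_unlock(hcon->hdev);` before `return 0;` is the only release visible in this diff, so every exit taken after the lock must pass through the `distribute:` label. The lines between the second and third hunks are not shown; a `return` there would leave hdev locked, which is worth confirming against the full function. As a point of style, the `hci_add_irk()` call in this hunk still spells the device as `conn->hcon->hdev` while the new lock and unlock use `hcon->hdev`. Assuming `hcon` is `conn->hcon`, writing `hci_add_irk(hcon->hdev, &smp->id_addr,` would make it obvious that the locked device is the one being modified.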