Bluetooth: move adv_instance_cnt read within the device lock

The field adv_instance_cnt is always accessed within a device lock,
except in the function add_advertising. A concurrent remove of an
advertisement with adding another one could result in the if check
"if a new instance was actually added" to not trigger, resulting
in not triggering the "advertising added event".

Signed-off-by: Niels Dossche <niels.dossche@ugent.be>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 89b1c0488527f8e2ee6538b4f879ddbc296c651b..68ce7dcff0e3f9ec950662831f033eeaeebfb8b7 100644 (file)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8079,7 +8079,7 @@ static int add_advertising(struct sock *sk, struct hci_dev *hdev,
        u32 flags;
        u8 status;
        u16 timeout, duration;
-       unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
+       unsigned int prev_instance_cnt;
        u8 schedule_instance = 0;
        struct adv_info *next_instance;
        int err;
@@ -8130,6 +8130,8 @@ static int add_advertising(struct sock *sk, struct hci_dev *hdev,
                goto unlock;
        }
 
+       prev_instance_cnt = hdev->adv_instance_cnt;
+
        err = hci_add_adv_instance(hdev, cp->instance, flags,
                                   cp->adv_data_len, cp->data,
                                   cp->scan_rsp_len,