[bluetooth-dev] race condition in hci_inquiry

 inq_res = (inquiry_results*) kmalloc(sizeof(inquiry_results)
          + 6 * num_resp, GFP_ATOMIC);

/* More stuff, then the caller will block here... but what if another
process calls in while this one is blocked? The new process will delete
this one's inquiry_result... */
 tmp = send_inq_cmd_block((u8*) &c_pkt ,c_pkt.len + CMD_HDR_LEN +

Why not have the callers provide their own inquiry_result struct?
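The interleaving described in the post, replayed deterministically in user space as an added example (not code from the original post or from the driver). The struct layout, the `owner` field and all function names are assumptions made for illustration, and `calloc`/`free` stand in for `kmalloc`/`kfree`.

```c
#include <stdlib.h>
/* Hypothetical stand-in for the driver's result buffer: a header plus
 * 6 bytes (one BD address) per response, as in the kmalloc above. */
typedef struct {
    int owner;              /* constructed field: which caller allocated it */
    unsigned num_resp;
    unsigned char bd[];     /* 6 * num_resp bytes */
} inquiry_results;

static inquiry_results *inq_res;    /* one pointer shared by all callers */

/* Racy pattern: every caller replaces the single shared buffer. */
static void inquiry_start_shared(int owner, unsigned num_resp)
{
    free(inq_res);          /* discards a blocked caller's buffer */
    inq_res = calloc(1, sizeof(*inq_res) + 6 * num_resp);
    if (inq_res) { inq_res->owner = owner; inq_res->num_resp = num_resp; }
}

/* Caller-owned pattern: the result buffer is handed back to the caller,
 * so no global state is touched. */
static int inquiry_start_owned(inquiry_results **out, int owner, unsigned num_resp)
{
    *out = calloc(1, sizeof(**out) + 6 * num_resp);
    if (!*out) return -1;
    (*out)->owner = owner; (*out)->num_resp = num_resp;
    return 0;
}

/* Interleaving from the post: A starts and blocks, B starts, A wakes.
 * Returns the owner of the buffer A reads after waking. */
int owner_seen_by_a_shared(void)
{
    inquiry_start_shared(1, 4);     /* caller A allocates, then blocks */
    inquiry_start_shared(2, 8);     /* caller B enters while A is blocked */
    int seen = inq_res ? inq_res->owner : -1;   /* A wakes, reads global */
    free(inq_res); inq_res = NULL;
    return seen;
}

/* Same interleaving with caller-owned buffers: A reads its own result. */
int owner_seen_by_a_owned(void)
{
    inquiry_results *a = NULL, *b = NULL;
    if (inquiry_start_owned(&a, 1, 4) || inquiry_start_owned(&b, 2, 8))
        { free(a); free(b); return -1; }
    int seen = a->owner;
    free(a); free(b);
    return seen;
}
```

With the shared pointer, caller A wakes up holding caller B's buffer (sized for a different `num_resp`); with caller-owned buffers each caller only ever sees its own.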


