commit 1352ebadd2641e9a7c9eb3bd76481a9508a8a8fc
Author: Warner Losh
Date: Sat Aug 24 11:25:00 2019 -0600
Drop locks around copyout. This is likely less safe than it sounds.
diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
index 9523d88af63..f1341b4739a 100644
--- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
+++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
@@ -1248,10 +1248,14 @@ ng_btsocket_hci_raw_control(struct socket *so, u_long cmd, caddr_t data,
 p->num_connections = min(p->num_connections, p1->num_connections);
- if (p->num_connections > 0)
+ if (p->num_connections > 0) {
+ /* XXX Bad -- but can't hold this XXX */
+ mtx_unlock(&pcb->pcb_mtx);
 error = copyout((caddr_t) p2, (caddr_t) p->connections, p->num_connections * sizeof(*p2));
+ mtx_lock(&pcb->pcb_mtx);
+ }
 } else error = EINVAL;
@@ -1367,9 +1371,11 @@ ng_btsocket_hci_raw_control(struct socket *so, u_long cmd, caddr_t data,
 while (nl->num_names > 0 && nl1->numnames > 0) {
 if (strcmp(ni1->type, NG_HCI_NODE_TYPE) == 0) {
+ mtx_unlock(&pcb->pcb_mtx);
 error = copyout((caddr_t) ni1, (caddr_t) ni, sizeof(*ni));
+ mtx_lock(&pcb->pcb_mtx);
 if (error != 0) break;
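Review bot: Releasing `pcb->pcb_mtx` around `copyout()` in the connection-list branch opens a window in which another thread can change the pcb state this function examined earlier, and nothing after `mtx_lock()` re-validates that state before the code carries on. The `XXX Bad` comment says neither why the lock must be dropped nor what is at risk; I would replace it with `/* copyout() may fault and sleep, so pcb_mtx cannot be held across it; p2 must stay private to this call and pcb state must be re-checked after relocking */`. The second hunk repeats the unlock/relock on every pass of the node-name loop with no comment at all, so the window is reopened once per entry copied. If `p2` and `ni1` point into a reply buffer owned solely by this call (not visible here, since the function starts and ends outside both hunks), deferring the copyout until after the function's final unlock would avoid the drop-and-reacquire entirely.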