Bluetooth: Fix double locking in LE and conless chan

static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)

static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)

{

{

	struct sock *sk = NULL;

	struct l2cap_chan *chan;

	struct l2cap_chan *chan;

	chan = l2cap_global_chan_by_psm(0, psm, conn->src);

	chan = l2cap_global_chan_by_psm(0, psm, conn->src);

	if (!chan)

	if (!chan)

		goto drop;

		goto drop;

	sk = chan->sk;

	BT_DBG("chan %p, len %d", chan, skb->len);

	lock_sock(sk);

	BT_DBG("sk %p, len %d", sk, skb->len);

	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)

	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)

		goto drop;

		goto drop;

		goto drop;

		goto drop;

	if (!chan->ops->recv(chan->data, skb))

	if (!chan->ops->recv(chan->data, skb))

		goto done;

		return 0;

drop:

drop:

	kfree_skb(skb);

	kfree_skb(skb);

done:

	if (sk)

		release_sock(sk);

	return 0;

	return 0;

}

}

static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)

static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)

{

{

	struct sock *sk = NULL;

	struct l2cap_chan *chan;

	struct l2cap_chan *chan;

	chan = l2cap_global_chan_by_scid(0, cid, conn->src);

	chan = l2cap_global_chan_by_scid(0, cid, conn->src);

	if (!chan)

	if (!chan)

		goto drop;

		goto drop;

	sk = chan->sk;

	BT_DBG("chan %p, len %d", chan, skb->len);

	lock_sock(sk);

	BT_DBG("sk %p, len %d", sk, skb->len);

	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)

	if (chan->state != BT_BOUND && chan->state != BT_CONNECTED)

		goto drop;

		goto drop;

		goto drop;

		goto drop;

	if (!chan->ops->recv(chan->data, skb))

	if (!chan->ops->recv(chan->data, skb))

		goto done;

		return 0;

drop:

drop:

	kfree_skb(skb);

	kfree_skb(skb);

done:

	if (sk)

		release_sock(sk);

	return 0;

	return 0;

}

}