Commit 6c388d32 authored Aug 18, 2014 by Johan Hedberg Committed by Marcel Holtmann Sep 08, 2014

Bluetooth: Fix hci_conn reference counting with hci_chan

The hci_chan_del() function was doing a hci_conn_drop() but there was no
matching hci_conn_hold() in the hci_chan_create() function. Furthermore,
as the hci_chan struct holds a pointer to the hci_conn there should be
proper use of hci_conn_get/put. This patch fixes both issues so that
hci_chan does correct reference counting of the hci_conn object.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

parent eb78d7e5

net/bluetooth/hci_conn.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1295,7 +1295,8 @@ struct hci_chan hci_chan_create(struct hci_conn conn)
		if (!chan)
		return NULL;

		chan->conn = conn;
		chan->conn = hci_conn_get(conn);
		hci_conn_hold(conn);
		skb_queue_head_init(&chan->data_q);
		chan->state = BT_CONNECTED;

		@@ -1316,6 +1317,7 @@ void hci_chan_del(struct hci_chan *chan)
		synchronize_rcu();

		hci_conn_drop(conn);
		hci_conn_put(conn);

		skb_queue_purge(&chan->data_q);
		kfree(chan);