Bluetooth: Fix hci_conn reference counting with hci_chan The hci_chan_del() function was doing a hci_conn_drop() but there was no matching hci_conn_hold() in the hci_chan_create() function. Furthermore, as the hci_chan struct holds a pointer to the hci_conn there should be proper use of hci_conn_get/put. This patch fixes both issues so that hci_chan does correct reference counting of the hci_conn object. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

commit: 6c388d32ec1b9fcc2f2404fb5e9b3b0096be5de9 [log] [tgz]
author: Johan Hedberg <johan.hedberg@intel.com> Mon Aug 18 00:41:42 2014 +0300
committer: Marcel Holtmann <marcel@holtmann.org> Mon Sep 08 19:07:53 2014 +0200
tree: d25aa7646454e2f0cbd73ce4b724c3cfa9587e84
parent: eb78d7e53d144995b9e023b151de19fa40af72f3 [diff] [blame]
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 4ecc9d5..7815826 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c

@@ -1295,7 +1295,8 @@
 	if (!chan)
 		return NULL;
 
-	chan->conn = conn;
+	chan->conn = hci_conn_get(conn);
+	hci_conn_hold(conn);
 	skb_queue_head_init(&chan->data_q);
 	chan->state = BT_CONNECTED;
 
@@ -1316,6 +1317,7 @@
 	synchronize_rcu();
 
 	hci_conn_drop(conn);
+	hci_conn_put(conn);
 
 	skb_queue_purge(&chan->data_q);
 	kfree(chan);
commit	6c388d32ec1b9fcc2f2404fb5e9b3b0096be5de9	[log] [tgz]
author	Johan Hedberg <johan.hedberg@intel.com>	Mon Aug 18 00:41:42 2014 +0300
committer	Marcel Holtmann <marcel@holtmann.org>	Mon Sep 08 19:07:53 2014 +0200
tree	d25aa7646454e2f0cbd73ce4b724c3cfa9587e84
parent	eb78d7e53d144995b9e023b151de19fa40af72f3 [diff] [blame]