diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2009-05-08 21:20:43 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2009-05-09 21:09:38 -0400 |
commit | 384943ec1bb462e410390ad8f108ff1474cd882d (patch) | |
tree | df2fba9cebf66d5617bda674b4bbb997f01e8016 | |
parent | e1cc1c578055d20d36e084e324001fb5e0355a71 (diff) |
Bluetooth: Fix wrong module refcount when connection setup fails
The module refcount is increased by hci_dev_hold() call in hci_conn_add()
and decreased by hci_dev_put() call in del_conn(). In case the connection
setup fails, hci_dev_put() is never called.
Procedure to reproduce the issue:
# hciconfig hci0 up
# lsmod | grep btusb -> "used by" refcount = 1
# hcitool cc <non-exisiting bdaddr> -> will get timeout
# lsmod | grep btusb -> "used by" refcount = 2
# hciconfig hci0 down
# lsmod | grep btusb -> "used by" refcount = 1
# rmmod btusb -> ERROR: Module btusb is in use
The hci_dev_put() call got moved into del_conn() with the 2.6.25 kernel
to fix an issue with hci_dev going away before hci_conn. However that
change was wrong and introduced this problem.
When calling hci_conn_del() it has to call hci_dev_put() after freeing
the connection details. This handling should be fully symmetric. The
execution of del_conn() is done in a work queue and needs it own calls
to hci_dev_hold() and hci_dev_put() to ensure that the hci_dev stays
until the connection cleanup has been finished.
Based on a report by Bing Zhao <bzhao@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Tested-by: Bing Zhao <bzhao@marvell.com>
-rw-r--r-- | net/bluetooth/hci_conn.c | 2 | ||||
-rw-r--r-- | net/bluetooth/hci_sysfs.c | 3 |
2 files changed, 5 insertions, 0 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 61309b26f27..85a1c6be2db 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c | |||
@@ -292,6 +292,8 @@ int hci_conn_del(struct hci_conn *conn) | |||
292 | 292 | ||
293 | hci_conn_del_sysfs(conn); | 293 | hci_conn_del_sysfs(conn); |
294 | 294 | ||
295 | hci_dev_put(hdev); | ||
296 | |||
295 | return 0; | 297 | return 0; |
296 | } | 298 | } |
297 | 299 | ||
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index a05d45eb3ba..4cc3624bd22 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c | |||
@@ -99,6 +99,8 @@ static void add_conn(struct work_struct *work) | |||
99 | BT_ERR("Failed to register connection device"); | 99 | BT_ERR("Failed to register connection device"); |
100 | return; | 100 | return; |
101 | } | 101 | } |
102 | |||
103 | hci_dev_hold(hdev); | ||
102 | } | 104 | } |
103 | 105 | ||
104 | /* | 106 | /* |
@@ -134,6 +136,7 @@ static void del_conn(struct work_struct *work) | |||
134 | 136 | ||
135 | device_del(&conn->dev); | 137 | device_del(&conn->dev); |
136 | put_device(&conn->dev); | 138 | put_device(&conn->dev); |
139 | |||
137 | hci_dev_put(hdev); | 140 | hci_dev_put(hdev); |
138 | } | 141 | } |
139 | 142 | ||