Bluetooth: Make better use of l2cap_chan reference counting

L2CAP sockets contain a pointer to l2cap_chan that needs to be
reference counted in order to prevent a possible dangling pointer when
the channel is freed.

There were a few other cases where an l2cap_chan pointer on the stack
was dereferenced after a call to l2cap_chan_del. Those pointers are
also now reference counted.

Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>

1 files changed, 3 insertions, 0 deletions

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 2b5e7e81c3c0..6bf8ff75d95f 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -956,6 +956,7 @@ static void l2cap_sock_destruct(struct sock *sk)
 {
         BT_DBG("sk %p", sk);
 
+        l2cap_chan_put(l2cap_pi(sk)->chan);
         if (l2cap_pi(sk)->rx_busy_skb) {
                 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
                 l2cap_pi(sk)->rx_busy_skb = NULL;
@@ -1057,6 +1058,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
                 return NULL;
         }
 
+        l2cap_chan_hold(chan);
+
         chan->sk = sk;
 
         l2cap_pi(sk)->chan = chan;