aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohan Hedberg <johan.hedberg@intel.com>2014-08-17 17:41:42 -0400
committerMarcel Holtmann <marcel@holtmann.org>2014-09-08 13:07:53 -0400
commit6c388d32ec1b9fcc2f2404fb5e9b3b0096be5de9 (patch)
treed25aa7646454e2f0cbd73ce4b724c3cfa9587e84 /net
parenteb78d7e53d144995b9e023b151de19fa40af72f3 (diff)
Bluetooth: Fix hci_conn reference counting with hci_chan
The hci_chan_del() function was doing a hci_conn_drop() but there was no matching hci_conn_hold() in the hci_chan_create() function. Furthermore, as the hci_chan struct holds a pointer to the hci_conn there should be proper use of hci_conn_get/put. This patch fixes both issues so that hci_chan does correct reference counting of the hci_conn object. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/hci_conn.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 4ecc9d5fce7a..7815826a48e4 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1295,7 +1295,8 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn)
1295 if (!chan) 1295 if (!chan)
1296 return NULL; 1296 return NULL;
1297 1297
1298 chan->conn = conn; 1298 chan->conn = hci_conn_get(conn);
1299 hci_conn_hold(conn);
1299 skb_queue_head_init(&chan->data_q); 1300 skb_queue_head_init(&chan->data_q);
1300 chan->state = BT_CONNECTED; 1301 chan->state = BT_CONNECTED;
1301 1302
@@ -1316,6 +1317,7 @@ void hci_chan_del(struct hci_chan *chan)
1316 synchronize_rcu(); 1317 synchronize_rcu();
1317 1318
1318 hci_conn_drop(conn); 1319 hci_conn_drop(conn);
1320 hci_conn_put(conn);
1319 1321
1320 skb_queue_purge(&chan->data_q); 1322 skb_queue_purge(&chan->data_q);
1321 kfree(chan); 1323 kfree(chan);