diff options
author | Johan Hedberg <johan.hedberg@intel.com> | 2014-08-17 17:41:42 -0400 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2014-09-08 13:07:53 -0400 |
commit | 6c388d32ec1b9fcc2f2404fb5e9b3b0096be5de9 (patch) | |
tree | d25aa7646454e2f0cbd73ce4b724c3cfa9587e84 /net | |
parent | eb78d7e53d144995b9e023b151de19fa40af72f3 (diff) |
Bluetooth: Fix hci_conn reference counting with hci_chan
The hci_chan_del() function was doing a hci_conn_drop() but there was no
matching hci_conn_hold() in the hci_chan_create() function. Furthermore,
as the hci_chan struct holds a pointer to the hci_conn there should be
proper use of hci_conn_get/put. This patch fixes both issues so that
hci_chan does correct reference counting of the hci_conn object.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/bluetooth/hci_conn.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 4ecc9d5fce7a..7815826a48e4 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c | |||
@@ -1295,7 +1295,8 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn) | |||
1295 | if (!chan) | 1295 | if (!chan) |
1296 | return NULL; | 1296 | return NULL; |
1297 | 1297 | ||
1298 | chan->conn = conn; | 1298 | chan->conn = hci_conn_get(conn); |
1299 | hci_conn_hold(conn); | ||
1299 | skb_queue_head_init(&chan->data_q); | 1300 | skb_queue_head_init(&chan->data_q); |
1300 | chan->state = BT_CONNECTED; | 1301 | chan->state = BT_CONNECTED; |
1301 | 1302 | ||
@@ -1316,6 +1317,7 @@ void hci_chan_del(struct hci_chan *chan) | |||
1316 | synchronize_rcu(); | 1317 | synchronize_rcu(); |
1317 | 1318 | ||
1318 | hci_conn_drop(conn); | 1319 | hci_conn_drop(conn); |
1320 | hci_conn_put(conn); | ||
1319 | 1321 | ||
1320 | skb_queue_purge(&chan->data_q); | 1322 | skb_queue_purge(&chan->data_q); |
1321 | kfree(chan); | 1323 | kfree(chan); |