6 files changed, 79 insertions, 70 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b7c4224f4e7d..b10e3cdb08f8 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -377,6 +377,9 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
        if (acl->state == BT_CONNECTED &&
                        (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
+                acl->power_save = 1;
+                hci_conn_enter_active_mode(acl);
                if (lmp_esco_capable(hdev))
                        hci_setup_sync(sco, acl->handle);
                else
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 28517bad796c..592da5c909c1 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1699,6 +1699,7 @@ static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_bu
                break;
        case 0x1c:      /* SCO interval rejected */
+        case 0x1a:      /* Unsupported Remote Feature */
        case 0x1f:      /* Unspecified error */
                if (conn->out && conn->attempt < 2) {
                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 18e7f5a43dc4..fc6ec1e72652 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -243,6 +243,39 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
        input_sync(dev);
 }
+static int __hidp_send_ctrl_message(struct hidp_session *session,
+                        unsigned char hdr, unsigned char *data, int size)
+{
+        struct sk_buff *skb;
+        BT_DBG("session %p data %p size %d", session, data, size);
+        if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
+                BT_ERR("Can't allocate memory for new frame");
+                return -ENOMEM;
+        }
+        *skb_put(skb, 1) = hdr;
+        if (data && size > 0)
+                memcpy(skb_put(skb, size), data, size);
+        skb_queue_tail(&session->ctrl_transmit, skb);
+        return 0;
+}
+static inline int hidp_send_ctrl_message(struct hidp_session *session,
+                        unsigned char hdr, unsigned char *data, int size)
+{
+        int err;
+        err = __hidp_send_ctrl_message(session, hdr, data, size);
+        hidp_schedule(session);
+        return err;
+}
 static int hidp_queue_report(struct hidp_session *session,
                                unsigned char *data, int size)
 {
@@ -282,7 +315,9 @@ static int hidp_send_report(struct hidp_session *session, struct hid_report *rep
 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count)
 {
-        if (hidp_queue_report(hid->driver_data, data, count))
+        if (hidp_send_ctrl_message(hid->driver_data,
+                        HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE,
+                        data, count))
                return -ENOMEM;
        return count;
 }
@@ -307,39 +342,6 @@ static inline void hidp_del_timer(struct hidp_session *session)
                del_timer(&session->timer);
 }
-static int __hidp_send_ctrl_message(struct hidp_session *session,
-                        unsigned char hdr, unsigned char *data, int size)
-{
-        struct sk_buff *skb;
-        BT_DBG("session %p data %p size %d", session, data, size);
-        if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
-                BT_ERR("Can't allocate memory for new frame");
-                return -ENOMEM;
-        }
-        *skb_put(skb, 1) = hdr;
-        if (data && size > 0)
-                memcpy(skb_put(skb, size), data, size);
-        skb_queue_tail(&session->ctrl_transmit, skb);
-        return 0;
-}
-static inline int hidp_send_ctrl_message(struct hidp_session *session,
-                        unsigned char hdr, unsigned char *data, int size)
-{
-        int err;
-        err = __hidp_send_ctrl_message(session, hdr, data, size);
-        hidp_schedule(session);
-        return err;
-}
 static void hidp_process_handshake(struct hidp_session *session,
                                        unsigned char param)
 {
@@ -701,29 +703,9 @@ static void hidp_close(struct hid_device *hid)
 static int hidp_parse(struct hid_device *hid)
 {
        struct hidp_session *session = hid->driver_data;
-        struct hidp_connadd_req *req = session->req;
-        unsigned char *buf;
-        int ret;
-        buf = kmalloc(req->rd_size, GFP_KERNEL);
-        if (!buf)
-                return -ENOMEM;
-        if (copy_from_user(buf, req->rd_data, req->rd_size)) {
-                kfree(buf);
-                return -EFAULT;
-        }
-        ret = hid_parse_report(session->hid, buf, req->rd_size);
-        kfree(buf);
-        if (ret)
-                return ret;
-        session->req = NULL;
+        return hid_parse_report(session->hid, session->rd_data,
+                        session->rd_size);
-        return 0;
 }
 static int hidp_start(struct hid_device *hid)
@@ -768,12 +750,24 @@ static int hidp_setup_hid(struct hidp_session *session,
        bdaddr_t src, dst;
        int err;
+        session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
+        if (!session->rd_data)
+                return -ENOMEM;
+        if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
+                err = -EFAULT;
+                goto fault;
+        }
+        session->rd_size = req->rd_size;
        hid = hid_allocate_device();
-        if (IS_ERR(hid))
+        if (IS_ERR(hid)) {
-                return PTR_ERR(hid);
+                err = PTR_ERR(hid);
+                goto fault;
+        }
        session->hid = hid;
-        session->req = req;
        hid->driver_data = session;
        baswap(&src, &bt_sk(session->ctrl_sock->sk)->src);
@@ -804,6 +798,10 @@ failed:
        hid_destroy_device(hid);
        session->hid = NULL;
+fault:
+        kfree(session->rd_data);
+        session->rd_data = NULL;
        return err;
 }
@@ -898,6 +896,9 @@ unlink:
                session->hid = NULL;
        }
+        kfree(session->rd_data);
+        session->rd_data = NULL;
 purge:
        skb_queue_purge(&session->ctrl_transmit);
        skb_queue_purge(&session->intr_transmit);
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index faf3d74c3586..a4e215d50c10 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -154,7 +154,9 @@ struct hidp_session {
        struct sk_buff_head ctrl_transmit;
        struct sk_buff_head intr_transmit;
-        struct hidp_connadd_req *req;
+        /* Report descriptor */
+        __u8 *rd_data;
+        uint rd_size;
 };
 static inline void hidp_schedule(struct hidp_session *session)
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 1120cf14a548..400efa26ddba 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1368,7 +1368,6 @@ static int l2cap_ertm_send(struct sock *sk)
        while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
               !(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
-                tx_skb = skb_clone(skb, GFP_ATOMIC);
                if (pi->remote_max_tx &&
                                bt_cb(skb)->retries == pi->remote_max_tx) {
@@ -1376,6 +1375,8 @@ static int l2cap_ertm_send(struct sock *sk)
                        break;
                }
+                tx_skb = skb_clone(skb, GFP_ATOMIC);
                bt_cb(skb)->retries++;
                control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
@@ -3518,7 +3519,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
        struct l2cap_pinfo *pi;
        u16 control, len;
        u8 tx_seq;
-        int err;
        sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
        if (!sk) {
@@ -3570,13 +3570,11 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                        goto drop;
                if (__is_iframe(control))
-                        err = l2cap_data_channel_iframe(sk, control, skb);
+                        l2cap_data_channel_iframe(sk, control, skb);
                else
-                        err = l2cap_data_channel_sframe(sk, control, skb);
+                        l2cap_data_channel_sframe(sk, control, skb);
-                if (!err)
+                goto done;
-                        goto done;
-                break;
        case L2CAP_MODE_STREAMING:
                control = get_unaligned_le16(skb->data);
@@ -3602,7 +3600,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
                else
                        pi->expected_tx_seq = tx_seq + 1;
-                err = l2cap_sar_reassembly_sdu(sk, skb, control);
+                l2cap_sar_reassembly_sdu(sk, skb, control);
                goto done;
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index fc5ee3296e22..89f4a59eb82b 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -252,7 +252,6 @@ static void rfcomm_session_timeout(unsigned long arg)
        BT_DBG("session %p state %ld", s, s->state);
        set_bit(RFCOMM_TIMED_OUT, &s->flags);
-        rfcomm_session_put(s);
        rfcomm_schedule(RFCOMM_SCHED_TIMEO);
 }
@@ -1151,7 +1150,11 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
                        break;
                case BT_DISCONN:
-                        rfcomm_session_put(s);
+                        /* When socket is closed and we are not RFCOMM
+                         * initiator rfcomm_process_rx already calls
+                         * rfcomm_session_put() */
+                        if (s->sock->sk->sk_state != BT_CLOSED)
+                                rfcomm_session_put(s);
                        break;
                }
        }
@@ -1920,6 +1923,7 @@ static inline void rfcomm_process_sessions(void)
                if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
                        s->state = BT_DISCONN;
                        rfcomm_send_disc(s, 0);
+                        rfcomm_session_put(s);
                        continue;
                }

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index b7c4224f4e7d..b10e3cdb08f8 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c
@@ -377,6 +377,9 @@ struct hci_conn hci_connect(struct hci_dev hdev, int type, bdaddr_t *dst, __u8
377		377
378	if (acl->state == BT_CONNECTED &&	378	if (acl->state == BT_CONNECTED &&
379	(sco->state == BT_OPEN \|\| sco->state == BT_CLOSED)) {	379	(sco->state == BT_OPEN \|\| sco->state == BT_CLOSED)) {
		380	acl->power_save = 1;
		381	hci_conn_enter_active_mode(acl);
		382
380	if (lmp_esco_capable(hdev))	383	if (lmp_esco_capable(hdev))
381	hci_setup_sync(sco, acl->handle);	384	hci_setup_sync(sco, acl->handle);
382	else	385	else


diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 28517bad796c..592da5c909c1 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c
@@ -1699,6 +1699,7 @@ static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_bu
1699	break;	1699	break;
1700		1700
1701	case 0x1c: /* SCO interval rejected */	1701	case 0x1c: /* SCO interval rejected */
		1702	case 0x1a: /* Unsupported Remote Feature */
1702	case 0x1f: /* Unspecified error */	1703	case 0x1f: /* Unspecified error */
1703	if (conn->out && conn->attempt < 2) {	1704	if (conn->out && conn->attempt < 2) {
1704	conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) \|	1705	conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) \|


diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 18e7f5a43dc4..fc6ec1e72652 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c
@@ -243,6 +243,39 @@ static void hidp_input_report(struct hidp_session session, struct sk_buff skb)
243	input_sync(dev);	243	input_sync(dev);
244	}	244	}
245		245
		246	static int __hidp_send_ctrl_message(struct hidp_session *session,
		247	unsigned char hdr, unsigned char *data, int size)
		248	{
		249	struct sk_buff *skb;
		250
		251	BT_DBG("session %p data %p size %d", session, data, size);
		252
		253	if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
		254	BT_ERR("Can't allocate memory for new frame");
		255	return -ENOMEM;
		256	}
		257
		258	*skb_put(skb, 1) = hdr;
		259	if (data && size > 0)
		260	memcpy(skb_put(skb, size), data, size);
		261
		262	skb_queue_tail(&session->ctrl_transmit, skb);
		263
		264	return 0;
		265	}
		266
		267	static inline int hidp_send_ctrl_message(struct hidp_session *session,
		268	unsigned char hdr, unsigned char *data, int size)
		269	{
		270	int err;
		271
		272	err = __hidp_send_ctrl_message(session, hdr, data, size);
		273
		274	hidp_schedule(session);
		275
		276	return err;
		277	}
		278
246	static int hidp_queue_report(struct hidp_session *session,	279	static int hidp_queue_report(struct hidp_session *session,
247	unsigned char *data, int size)	280	unsigned char *data, int size)
248	{	281	{
@@ -282,7 +315,9 @@ static int hidp_send_report(struct hidp_session session, struct hid_report rep
282		315
283	static int hidp_output_raw_report(struct hid_device hid, unsigned char data, size_t count)	316	static int hidp_output_raw_report(struct hid_device hid, unsigned char data, size_t count)
284	{	317	{
285	if (hidp_queue_report(hid->driver_data, data, count))	318	if (hidp_send_ctrl_message(hid->driver_data,
		319	HIDP_TRANS_SET_REPORT \| HIDP_DATA_RTYPE_FEATURE,
		320	data, count))
286	return -ENOMEM;	321	return -ENOMEM;
287	return count;	322	return count;
288	}	323	}
@@ -307,39 +342,6 @@ static inline void hidp_del_timer(struct hidp_session *session)
307	del_timer(&session->timer);	342	del_timer(&session->timer);
308	}	343	}
309		344
310	static int __hidp_send_ctrl_message(struct hidp_session *session,
311	unsigned char hdr, unsigned char *data, int size)
312	{
313	struct sk_buff *skb;
314
315	BT_DBG("session %p data %p size %d", session, data, size);
316
317	if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
318	BT_ERR("Can't allocate memory for new frame");
319	return -ENOMEM;
320	}
321
322	*skb_put(skb, 1) = hdr;
323	if (data && size > 0)
324	memcpy(skb_put(skb, size), data, size);
325
326	skb_queue_tail(&session->ctrl_transmit, skb);
327
328	return 0;
329	}
330
331	static inline int hidp_send_ctrl_message(struct hidp_session *session,
332	unsigned char hdr, unsigned char *data, int size)
333	{
334	int err;
335
336	err = __hidp_send_ctrl_message(session, hdr, data, size);
337
338	hidp_schedule(session);
339
340	return err;
341	}
342
343	static void hidp_process_handshake(struct hidp_session *session,	345	static void hidp_process_handshake(struct hidp_session *session,
344	unsigned char param)	346	unsigned char param)
345	{	347	{
@@ -701,29 +703,9 @@ static void hidp_close(struct hid_device *hid)
701	static int hidp_parse(struct hid_device *hid)	703	static int hidp_parse(struct hid_device *hid)
702	{	704	{
703	struct hidp_session *session = hid->driver_data;	705	struct hidp_session *session = hid->driver_data;
704	struct hidp_connadd_req *req = session->req;
705	unsigned char *buf;
706	int ret;
707
708	buf = kmalloc(req->rd_size, GFP_KERNEL);
709	if (!buf)
710	return -ENOMEM;
711
712	if (copy_from_user(buf, req->rd_data, req->rd_size)) {
713	kfree(buf);
714	return -EFAULT;
715	}
716
717	ret = hid_parse_report(session->hid, buf, req->rd_size);
718
719	kfree(buf);
720
721	if (ret)
722	return ret;
723		706
724	session->req = NULL;	707	return hid_parse_report(session->hid, session->rd_data,
725		708	session->rd_size);
726	return 0;
727	}	709	}
728		710
729	static int hidp_start(struct hid_device *hid)	711	static int hidp_start(struct hid_device *hid)
@@ -768,12 +750,24 @@ static int hidp_setup_hid(struct hidp_session *session,
768	bdaddr_t src, dst;	750	bdaddr_t src, dst;
769	int err;	751	int err;
770		752
		753	session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
		754	if (!session->rd_data)
		755	return -ENOMEM;
		756
		757	if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
		758	err = -EFAULT;
		759	goto fault;
		760	}
		761	session->rd_size = req->rd_size;
		762
771	hid = hid_allocate_device();	763	hid = hid_allocate_device();
772	if (IS_ERR(hid))	764	if (IS_ERR(hid)) {
773	return PTR_ERR(hid);	765	err = PTR_ERR(hid);
		766	goto fault;
		767	}
774		768
775	session->hid = hid;	769	session->hid = hid;
776	session->req = req;	770
777	hid->driver_data = session;	771	hid->driver_data = session;
778		772
779	baswap(&src, &bt_sk(session->ctrl_sock->sk)->src);	773	baswap(&src, &bt_sk(session->ctrl_sock->sk)->src);
@@ -804,6 +798,10 @@ failed:
804	hid_destroy_device(hid);	798	hid_destroy_device(hid);
805	session->hid = NULL;	799	session->hid = NULL;
806		800
		801	fault:
		802	kfree(session->rd_data);
		803	session->rd_data = NULL;
		804
807	return err;	805	return err;
808	}	806	}
809		807
@@ -898,6 +896,9 @@ unlink:
898	session->hid = NULL;	896	session->hid = NULL;
899	}	897	}
900		898
		899	kfree(session->rd_data);
		900	session->rd_data = NULL;
		901
901	purge:	902	purge:
902	skb_queue_purge(&session->ctrl_transmit);	903	skb_queue_purge(&session->ctrl_transmit);
903	skb_queue_purge(&session->intr_transmit);	904	skb_queue_purge(&session->intr_transmit);


diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h index faf3d74c3586..a4e215d50c10 100644 --- a/net/bluetooth/hidp/hidp.h +++ b/net/bluetooth/hidp/hidp.h
@@ -154,7 +154,9 @@ struct hidp_session {
154	struct sk_buff_head ctrl_transmit;	154	struct sk_buff_head ctrl_transmit;
155	struct sk_buff_head intr_transmit;	155	struct sk_buff_head intr_transmit;
156		156
157	struct hidp_connadd_req *req;	157	/* Report descriptor */
		158	__u8 *rd_data;
		159	uint rd_size;
158	};	160	};
159		161
160	static inline void hidp_schedule(struct hidp_session *session)	162	static inline void hidp_schedule(struct hidp_session *session)


diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 1120cf14a548..400efa26ddba 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c
@@ -1368,7 +1368,6 @@ static int l2cap_ertm_send(struct sock *sk)
1368		1368
1369	while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&	1369	while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk)) &&
1370	!(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {	1370	!(pi->conn_state & L2CAP_CONN_REMOTE_BUSY)) {
1371	tx_skb = skb_clone(skb, GFP_ATOMIC);
1372		1371
1373	if (pi->remote_max_tx &&	1372	if (pi->remote_max_tx &&
1374	bt_cb(skb)->retries == pi->remote_max_tx) {	1373	bt_cb(skb)->retries == pi->remote_max_tx) {
@@ -1376,6 +1375,8 @@ static int l2cap_ertm_send(struct sock *sk)
1376	break;	1375	break;
1377	}	1376	}
1378		1377
		1378	tx_skb = skb_clone(skb, GFP_ATOMIC);
		1379
1379	bt_cb(skb)->retries++;	1380	bt_cb(skb)->retries++;
1380		1381
1381	control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);	1382	control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
@@ -3518,7 +3519,6 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3518	struct l2cap_pinfo *pi;	3519	struct l2cap_pinfo *pi;
3519	u16 control, len;	3520	u16 control, len;
3520	u8 tx_seq;	3521	u8 tx_seq;
3521	int err;
3522		3522
3523	sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);	3523	sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
3524	if (!sk) {	3524	if (!sk) {
@@ -3570,13 +3570,11 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3570	goto drop;	3570	goto drop;
3571		3571
3572	if (__is_iframe(control))	3572	if (__is_iframe(control))
3573	err = l2cap_data_channel_iframe(sk, control, skb);	3573	l2cap_data_channel_iframe(sk, control, skb);
3574	else	3574	else
3575	err = l2cap_data_channel_sframe(sk, control, skb);	3575	l2cap_data_channel_sframe(sk, control, skb);
3576		3576
3577	if (!err)	3577	goto done;
3578	goto done;
3579	break;
3580		3578
3581	case L2CAP_MODE_STREAMING:	3579	case L2CAP_MODE_STREAMING:
3582	control = get_unaligned_le16(skb->data);	3580	control = get_unaligned_le16(skb->data);
@@ -3602,7 +3600,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
3602	else	3600	else
3603	pi->expected_tx_seq = tx_seq + 1;	3601	pi->expected_tx_seq = tx_seq + 1;
3604		3602
3605	err = l2cap_sar_reassembly_sdu(sk, skb, control);	3603	l2cap_sar_reassembly_sdu(sk, skb, control);
3606		3604
3607	goto done;	3605	goto done;
3608		3606


diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index fc5ee3296e22..89f4a59eb82b 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c
@@ -252,7 +252,6 @@ static void rfcomm_session_timeout(unsigned long arg)
252	BT_DBG("session %p state %ld", s, s->state);	252	BT_DBG("session %p state %ld", s, s->state);
253		253
254	set_bit(RFCOMM_TIMED_OUT, &s->flags);	254	set_bit(RFCOMM_TIMED_OUT, &s->flags);
255	rfcomm_session_put(s);
256	rfcomm_schedule(RFCOMM_SCHED_TIMEO);	255	rfcomm_schedule(RFCOMM_SCHED_TIMEO);
257	}	256	}
258		257
@@ -1151,7 +1150,11 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1151	break;	1150	break;
1152		1151
1153	case BT_DISCONN:	1152	case BT_DISCONN:
1154	rfcomm_session_put(s);	1153	/* When socket is closed and we are not RFCOMM
		1154	* initiator rfcomm_process_rx already calls
		1155	* rfcomm_session_put() */
		1156	if (s->sock->sk->sk_state != BT_CLOSED)
		1157	rfcomm_session_put(s);
1155	break;	1158	break;
1156	}	1159	}
1157	}	1160	}
@@ -1920,6 +1923,7 @@ static inline void rfcomm_process_sessions(void)
1920	if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {	1923	if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1921	s->state = BT_DISCONN;	1924	s->state = BT_DISCONN;
1922	rfcomm_send_disc(s, 0);	1925	rfcomm_send_disc(s, 0);
		1926	rfcomm_session_put(s);
1923	continue;	1927	continue;
1924	}	1928	}
1925		1929