Bluetooth: Fix RFCOMM session reference counting issue
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / rfcomm / core.c
index 501649bf5596d0373d6b6dd3be791dd1345ad33e..8a602388f1e73c185aa24499e9ff636c9358fcee 100644 (file)
@@ -1164,12 +1164,18 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
                        break;
 
                case BT_DISCONN:
-                       /* When socket is closed and we are not RFCOMM
-                        * initiator rfcomm_process_rx already calls
-                        * rfcomm_session_put() */
-                       if (s->sock->sk->sk_state != BT_CLOSED)
-                               if (list_empty(&s->dlcs))
-                                       rfcomm_session_put(s);
+                       /* rfcomm_session_put is called later so don't do
+                        * anything here otherwise we will mess up the session
+                        * reference counter:
+                        *
+                        * (a) when we are the initiator dlc_unlink will drive
+                        * the reference counter to 0 (there is no initial put
+                        * after session_add)
+                        *
+                        * (b) when we are not the initiator rfcomm_rx_process
+                        * will explicitly call put to balance the initial hold
+                        * done after session add.
+                        */
                        break;
                }
        }
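Review bot: The new comment in the `BT_DISCONN` case names `rfcomm_rx_process`, but the comment it replaces called the same caller `rfcomm_process_rx`, so one of the two spellings is wrong and a grep from this comment will miss the function. Because the branch is now a bare `break`, this comment is the only record of which path drops the last session reference, and a wrong name makes a later double put (and a use-after-free of `s`) harder to catch in review. I would spell the names in full and consistently, e.g. `(b) when we are not the initiator rfcomm_process_rx will explicitly call rfcomm_session_put() to balance the initial hold`. The shortened `dlc_unlink` and `session_add` in (a) should likewise be written with their full function names. `rfcomm_recv_ua` starts and ends outside this hunk, so the other switch cases are not visible here.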