Bluetooth: Fix hci_conn reference counting with hci_chan

The hci_chan_del() function was doing a hci_conn_drop() but there was no
matching hci_conn_hold() in the hci_chan_create() function. Furthermore,
as the hci_chan struct holds a pointer to the hci_conn there should be
proper use of hci_conn_get/put. This patch fixes both issues so that
hci_chan does correct reference counting of the hci_conn object.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 4ecc9d5fce7a5cba59cbeb893e045de3eb0ebb54..7815826a48e4618fc72a35f4417d2d621385977d 100644 (file)
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1295,7 +1295,8 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn)
        if (!chan)
                return NULL;
 
-       chan->conn = conn;
+       chan->conn = hci_conn_get(conn);
+       hci_conn_hold(conn);
        skb_queue_head_init(&chan->data_q);
        chan->state = BT_CONNECTED;
 
@@ -1316,6 +1317,7 @@ void hci_chan_del(struct hci_chan *chan)
        synchronize_rcu();
 
        hci_conn_drop(conn);
+       hci_conn_put(conn);
 
        skb_queue_purge(&chan->data_q);
        kfree(chan);