Bluetooth: Fix hci_conn reference counting with hci_chan
The hci_chan_del() function was doing a hci_conn_drop() but there was no matching hci_conn_hold() in the hci_chan_create() function. Furthermore, as the hci_chan struct holds a pointer to the hci_conn there should be proper use of hci_conn_get/put. This patch fixes both issues so that hci_chan does correct reference counting of the hci_conn object. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
parent
eb78d7e53d
commit
6c388d32ec
@ -1295,7 +1295,8 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn)
|
||||
if (!chan)
|
||||
return NULL;
|
||||
|
||||
chan->conn = conn;
|
||||
chan->conn = hci_conn_get(conn);
|
||||
hci_conn_hold(conn);
|
||||
skb_queue_head_init(&chan->data_q);
|
||||
chan->state = BT_CONNECTED;
|
||||
|
||||
@ -1316,6 +1317,7 @@ void hci_chan_del(struct hci_chan *chan)
|
||||
synchronize_rcu();
|
||||
|
||||
hci_conn_drop(conn);
|
||||
hci_conn_put(conn);
|
||||
|
||||
skb_queue_purge(&chan->data_q);
|
||||
kfree(chan);
|
||||
|
Loading…
Reference in New Issue
Block a user