Bluetooth: Fix HCI channel reference counting

When an incoming HCI logical link event arrived while a socket
structure was being deleted, it was possible to end up with a stale
pointer to the socket.  The socket and the associated HCI channel struct
need to be properly reference counted so that they are not freed
prematurely.

CRs-Fixed: 325023
Change-Id: Ia5724a9ce2000acd60a174c354be04029bac5324
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index be0f55c..f98a90e 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1396,10 +1396,10 @@
 		if (chan && chan->state == BT_CONNECT) {
 			chan->state = BT_CLOSED;
 			hci_proto_create_cfm(chan, status);
-			hci_chan_del(chan);
 		}
-	} else if (chan)
-			chan->state = BT_CONNECT2;
+	} else if (chan) {
+		chan->state = BT_CONNECT2;
+	}
 
 	hci_dev_unlock(hdev);
 }
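Review bot: With `hci_chan_del(chan)` removed from the failure branch, nothing visible in this handler releases the channel after `chan->state = BT_CLOSED`, so the release now depends entirely on whatever `hci_proto_create_cfm()` dispatches to, which is outside this diff. The same applies to the hunk at -1425 and to the failure branch of the hunk at -3201, where the success-path `hci_chan_hold()` is removed as well. If no handler drops the reference, the closed channel would presumably stay allocated and remain findable by the lookup helpers. I would state the contract at each call site with a comment such as `/* the create_cfm handler is responsible for releasing chan on failure */`. The enclosing function starts outside the hunk, so its lookup and locking were not reviewed.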
@@ -1425,7 +1425,6 @@
 		if (chan && chan->state == BT_CONNECT) {
 			chan->state = BT_CLOSED;
 			hci_proto_create_cfm(chan, status);
-			hci_chan_del(chan);
 		}
 	} else if (chan)
 			chan->state = BT_CONNECT2;
@@ -3201,19 +3200,15 @@
 
 	chan = hci_chan_list_lookup_id(hdev, ev->phy_handle);
 
-	if (ev->status == 0) {
-		if (chan) {
+	if (chan) {
+		if (ev->status == 0) {
 			chan->ll_handle = __le16_to_cpu(ev->log_handle);
 			chan->state = BT_CONNECTED;
-			hci_proto_create_cfm(chan, ev->status);
-			hci_chan_hold(chan);
-		}
-	} else {
-		if (chan) {
+		} else {
 			chan->state = BT_CLOSED;
-			hci_proto_create_cfm(chan, ev->status);
-			hci_chan_del(chan);
 		}
+
+		hci_proto_create_cfm(chan, ev->status);
 	}
 
 	hci_dev_unlock(hdev);
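Review bot: `hci_proto_create_cfm(chan, ev->status)` is now the single point where the upper layer learns the outcome, and on the failure path that callback may be where the channel's last reference goes away, so `chan` must not be touched after the call returns. That holds today because the call is the last use inside `if (chan)`, but nothing in the code records the constraint. I would add `/* chan may be released by the callback; do not use it after this call */` directly above the call so a later edit does not reintroduce the stale pointer the commit is fixing. The function begins and ends outside the hunk, so whether the lookup itself returns a held reference cannot be confirmed from here.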
@@ -3252,10 +3247,8 @@
 	hci_dev_lock(hdev);
 
 	chan = hci_chan_list_lookup_handle(hdev, __le16_to_cpu(ev->log_handle));
-	if (chan) {
+	if (chan)
 		hci_proto_destroy_cfm(chan, ev->reason);
-		hci_chan_del(chan);
-	}
 
 	hci_dev_unlock(hdev);
 }
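Review bot: After this change the disconnect-complete path only calls `hci_proto_destroy_cfm(chan, ev->reason)` and leaves the channel where `hci_chan_list_lookup_handle()` can still find it, unless the destroy handler (not shown) removes it. If the socket side has already gone away, which is the race the commit message describes, a repeated or late event carrying the same `log_handle` would appear to reach `hci_proto_destroy_cfm()` a second time for the same channel. I would document the expectation with `/* destroy_cfm handler must unlink and release chan */`. It is also worth confirming that the handler tolerates being invoked for a channel it has already torn down.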