From: Johan Hedberg <johan.hedberg@xxxxxxxxx> The hci_chan_del() function was doing a hci_conn_drop() but there was no matching hci_conn_hold() in the hci_chan_create() function. Furthermore, as the hci_chan struct holds a pointer to the hci_conn there should be proper use of hci_conn_get/put. This patch fixes both issues so that hci_chan does correct reference counting of the hci_conn object. Signed-off-by: Johan Hedberg <johan.hedberg@xxxxxxxxx> --- net/bluetooth/hci_conn.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 4ecc9d5fce7a..7815826a48e4 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1295,7 +1295,8 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn) if (!chan) return NULL; - chan->conn = conn; + chan->conn = hci_conn_get(conn); + hci_conn_hold(conn); skb_queue_head_init(&chan->data_q); chan->state = BT_CONNECTED; @@ -1316,6 +1317,7 @@ void hci_chan_del(struct hci_chan *chan) synchronize_rcu(); hci_conn_drop(conn); + hci_conn_put(conn); skb_queue_purge(&chan->data_q); kfree(chan); -- 1.9.3
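Review bot: the two added lines in the hci_chan_create() hunk, chan->conn = hci_conn_get(conn); and hci_conn_hold(conn);, take two different references on the same object with no comment saying why both are needed. The commit message explains it (get/put for the pointer stored in chan->conn, hold/drop to match the existing hci_conn_drop() in hci_chan_del()), but that explanation is not visible at the call site. A short comment above the pair naming the matching releases in hci_chan_del() would make the pairing checkable when either function is edited later.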
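Review bot: in the hci_chan_del() hunk, hci_conn_put(conn) releases the reference that keeps the pointer stored in the channel valid, so nothing after that line may touch conn. The lines that follow it here, skb_queue_purge(&chan->data_q); and kfree(chan);, only use chan, so the order is correct as posted; a one-line comment marking the put as the last use of conn would guard against a later change adding a dereference below it. Separately, the diffstat shows only net/bluetooth/hci_conn.c changed: if any caller of hci_chan_create() was taking its own hci_conn_hold() to balance the previously unmatched hci_conn_drop(), that hold is now one too many, and it would help if the commit message stated that the callers were checked.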