When destroying a logical link (HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE) in AMP, L2CAP connection (struct l2cap_conn) should be deleted together with HCI channel (struct hci_chan). Otherwise HCI channel will be deleted twice when unregistering a HCI device. `static void l2cap_conn_del(struct hci_conn *hcon, int err)` could achieve this purpose. Make it a public function.
Reported-and-tested-by: syzbot+305a91e025a73e4fd6ce@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
Signed-off-by: Coiby Xu <coiby.xu@xxxxxxxxx>
---
 include/net/bluetooth/l2cap.h | 1 +
 net/bluetooth/amp.c | 2 +-
 net/bluetooth/l2cap_core.c | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 8f1e6a7a2df8..8508a433d6ac 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -988,6 +988,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan);
 typedef void (*l2cap_chan_func_t)(struct l2cap_chan *chan, void *data);
 void l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
 void *data);
+void l2cap_conn_del(struct hci_conn *hcon, int err);
 void l2cap_chan_del(struct l2cap_chan *chan, int err);
 void l2cap_send_conn_req(struct l2cap_chan *chan);
 void l2cap_move_start(struct l2cap_chan *chan);
diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
index 9c711f0dfae3..cee02f009cef 100644
--- a/net/bluetooth/amp.c
+++ b/net/bluetooth/amp.c
@@ -584,5 +584,5 @@ void amp_destroy_logical_link(struct hci_chan *hchan, u8 reason)
 {
 BT_DBG("hchan %p", hchan);
- hci_chan_del(hchan);
+ l2cap_conn_del(hchan->conn, bt_to_errno(reason));
 }
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index fe913a5c754a..38f60fb9b515 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
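Review bot: In `amp_destroy_logical_link()` (net/bluetooth/amp.c) the `hchan` argument is no longer released directly; after this change it is freed only if `l2cap_conn_del()` reaches it through `hchan->conn->l2cap_data`. The l2cap_core.c hunk shows `conn` being read from `hcon->l2cap_data`, but how a NULL value is handled lies outside the visible lines, so if that path returns early the channel would leak where `hci_chan_del(hchan)` used to free it. The call also tears down the whole L2CAP connection on that `hci_conn` rather than a single logical link, which matches the description but deserves a comment at the call site, e.g. `/* Drops the l2cap_conn and, through it, hchan; hci_chan_del() here would leave hchan to be freed again on device unregister. */`. It is also worth confirming that the event path calling this holds the same locks as the existing `l2cap_conn_del()` callers, since none of that is visible in this patch.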
@@ -1851,7 +1851,7 @@ static void l2cap_unregister_all_users(struct l2cap_conn *conn)
 }
 }
-static void l2cap_conn_del(struct hci_conn *hcon, int err)
+void l2cap_conn_del(struct hci_conn *hcon, int err)
 {
 struct l2cap_conn *conn = hcon->l2cap_data;
 struct l2cap_chan *chan, *l;
-- 
2.27.0
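Review bot: Dropping `static` from `l2cap_conn_del()` makes a connection-teardown routine callable from other files, yet neither the definition here nor the new prototype in l2cap.h states its contract. A short comment above the definition would help, e.g. `/* Tears down the l2cap_conn attached to hcon together with its hci_chan; callers must not use hcon->l2cap_data afterwards. */`, with the locking requirement added once it has been confirmed against the existing callers. The function body continues past the end of this hunk, so the statement about the hci_chan rests on the commit description rather than on visible code.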