Bluetooth: Fix using hci_conn_get() for hci_conn pointers
Wherever we keep hci_conn pointers around we should be using
hci_conn_get/put to ensure that they stay valid. This patch fixes
all places violating against the principle currently.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index faff624..4ecc9d5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -595,6 +595,7 @@
conn->dst_type);
if (params && params->conn) {
hci_conn_drop(params->conn);
+ hci_conn_put(params->conn);
params->conn = NULL;
}
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 9b71459..ed60d37 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2541,6 +2541,7 @@
list_for_each_entry(p, &hdev->le_conn_params, list) {
if (p->conn) {
hci_conn_drop(p->conn);
+ hci_conn_put(p->conn);
p->conn = NULL;
}
list_del_init(&p->action);
@@ -3734,8 +3735,10 @@
if (!params)
return;
- if (params->conn)
+ if (params->conn) {
hci_conn_drop(params->conn);
+ hci_conn_put(params->conn);
+ }
list_del(¶ms->action);
list_del(¶ms->list);
@@ -3767,8 +3770,10 @@
struct hci_conn_params *params, *tmp;
list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
- if (params->conn)
+ if (params->conn) {
hci_conn_drop(params->conn);
+ hci_conn_put(params->conn);
+ }
list_del(¶ms->action);
list_del(¶ms->list);
kfree(params);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index d2ee162..e6a496a 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4231,6 +4231,7 @@
list_del_init(¶ms->action);
if (params->conn) {
hci_conn_drop(params->conn);
+ hci_conn_put(params->conn);
params->conn = NULL;
}
}
@@ -4322,7 +4323,7 @@
* the parameters get removed and keep the reference
* count consistent once the connection is established.
*/
- params->conn = conn;
+ params->conn = hci_conn_get(conn);
return;
}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index c245743..d8c6666 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -3063,6 +3063,7 @@
conn->disconn_cfm_cb = NULL;
hci_conn_drop(conn);
+ hci_conn_put(conn);
mgmt_pending_remove(cmd);
}
@@ -3212,7 +3213,7 @@
}
conn->io_capability = cp->io_cap;
- cmd->user_data = conn;
+ cmd->user_data = hci_conn_get(conn);
if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
hci_conn_security(conn, sec_level, auth_type, true))
@@ -4914,6 +4915,7 @@
match->mgmt_status, &rp, sizeof(rp));
hci_conn_drop(conn);
+ hci_conn_put(conn);
mgmt_pending_remove(cmd);
}
@@ -5070,7 +5072,7 @@
}
hci_conn_hold(conn);
- cmd->user_data = conn;
+ cmd->user_data = hci_conn_get(conn);
conn->conn_info_timestamp = jiffies;
} else {
@@ -5134,8 +5136,10 @@
cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(status),
&rp, sizeof(rp));
mgmt_pending_remove(cmd);
- if (conn)
+ if (conn) {
hci_conn_drop(conn);
+ hci_conn_put(conn);
+ }
unlock:
hci_dev_unlock(hdev);
@@ -5198,7 +5202,7 @@
if (conn) {
hci_conn_hold(conn);
- cmd->user_data = conn;
+ cmd->user_data = hci_conn_get(conn);
hci_cp.handle = cpu_to_le16(conn->handle);
hci_cp.which = 0x01; /* Piconet clock */