Message ID | 20230203173024.1.Ieb6662276f3bd3d79e9134ab04523d584c300c45@changeid (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Series | Bluetooth: Free potentially unfreed SCO connection |

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 3 Feb 2023 17:30:55 +0800 you wrote:
> From: Archie Pusaka <apusaka@chromium.org>
>
> It is possible to initiate a SCO connection while deleting the
> corresponding ACL connection, e.g. in below scenario:
>
> (1) < hci setup sync connect command
> (2) > hci disconn complete event (for the acl connection)
> (3) > hci command complete event (for(1), failure)
>
> [...]

Here is the summary with links:
  - Bluetooth: Free potentially unfreed SCO connection
    https://git.kernel.org/bluetooth/bluetooth-next/c/c2c762af5650

You are awesome, thank you!

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 61a34801e61e..838f51c272a6 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1061,8 +1061,15 @@ int hci_conn_del(struct hci_conn *conn) if (conn->type == ACL_LINK) { struct hci_conn *sco = conn->link; - if (sco) + if (sco) { sco->link = NULL; + /* Due to race, SCO connection might be not established + * yet at this point. Delete it now, otherwise it is + * possible for it to be stuck and can't be deleted. + */ + if (sco->handle == HCI_CONN_HANDLE_UNSET) + hci_conn_del(sco); + } /* Unacked frames */ hdev->acl_cnt += conn->sent;
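
Review bot: The nested hci_conn_del(sco) call in the new `if (sco->handle == HCI_CONN_HANDLE_UNSET)` branch drops the int that hci_conn_del() returns, and it deletes a connection on the strength of a handle test whose locking the comment does not state. Since the comment itself says this path exists because of a race, it should name what prevents the handle from being assigned between the check and the delete, and note that sco must not be dereferenced after the call; the existing `sco->link = NULL;` is correctly placed before it. If the return value is deliberately unused, saying so in the comment would help the next reader.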