From patchwork Thu Nov 7 18:34:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luiz Augusto von Dentz X-Patchwork-Id: 13866906 Received: from mail-oo1-f41.google.com (mail-oo1-f41.google.com [209.85.161.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64178194A52 for ; Thu, 7 Nov 2024 18:35:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731004505; cv=none; b=e0G3trwtwoP7t6xTlIOpD1Q1cSbWYB+ur+5Xj8QGvQKdGh/CzlZ018B+kqTPrQ8m6UwOx2TzimqLTfrB0pHh5/zT8Rs+VjeS5VCSjnSu1zlsFd8dDjw6+RgGz0D/kM0SA6sjZTHH73Ix/KVdzY8kOo02tPyM5Tdhf5l0aZEKk58= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731004505; c=relaxed/simple; bh=pgRFtBTjepowiu3sOT9bJ17uJB8xH/EBPwYhxONhIxw=; h=From:To:Subject:Date:Message-ID:MIME-Version; b=TaoexhuBcKuKWOwQiWpOFNGgz9okG6jL1Po7uKidB9U76Fo6SgJL6MWsXmEceKS8uIMccu/wp5qy2O/ofBbxSP+xPfJ94yV4p9e2CMejBToeEzX/uBy3NW5wdR+9aKCwQ6KbCUeP5KsH9BMNTDQNwsONK7XPehT8VDXqgVeAMJE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AAtaC9oO; arc=none smtp.client-ip=209.85.161.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AAtaC9oO" Received: by mail-oo1-f41.google.com with SMTP id 006d021491bc7-5ebc349204cso660780eaf.3 for ; Thu, 07 Nov 2024 10:35:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731004501; x=1731609301; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=PGf+8VWlYjkPAavYKAvqyVUmgF4040Q4CTUzVu0kSlA=; b=AAtaC9oO23zIyp037qNhs2ULp0hnrYVndjh76mb8/5XHpbr+kZKR/vi/2SaWPMnYcg i2lsakWT96GyBMRfCpssgASyMQR6s9sSrClnk9F4mvSWtbKRkJ7xWNYCAFG7de+WBw9M iud77rqfMYR8mOjTiPpmAW4gNDg/VNY7UuL0MbKhPbZ/TzcVGQ3Zw9ikPbUOjy/545Ku Vlry/qcXkdSOgOU3k+ZKDcOypva/fu1vXRNUhqRZs5+yiyd+WA4SvKzrgEZYff6Hx2nm tmvZEcOmJsvyl8PzUCeb+IckF529ZBfgUehCk41UlK6CwDaE2HjIpGcWhYZx3Jt87GQT 2DlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731004501; x=1731609301; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=PGf+8VWlYjkPAavYKAvqyVUmgF4040Q4CTUzVu0kSlA=; b=FWWLBcftkJ9MlxQ2uV/a+PoLMUfJlRR+B1M4vFd7AAtq/1G87NDmoIzZlu+8iNbfFZ tu7Sy6XAZc0/1hpWn0LZb23pJKPqyjCbQbS+OPKMlYfOMMCcjq1uUHAnnLibMaMLFJYC KB7fYUMfhRedg3bDMhOhr4VoKUFhQNE5MwT4OqCTC9dH9k8qleYqQ2vh9ZV2QKyLWv+j TK4XQ7l25Txpj2n5V5uMfOj9fGy4XAEiklrywBa81FztnKOyM8/PbjHNgZgnh/lKSl+k mSE/s0VUeJVwQlctdjYyQ9Yr1dZR8vYI8+Ks77r05Ao3UvR9hUWL8fJerJsZ2kYAs13J ISLA== X-Gm-Message-State: AOJu0YwWBJz/ha+mrJoG7FzpaFo3M+hGk1FHnwJWCsZUBpYsl8ZBRh4N s6IuNrAowjkG/LKIYT/IqMQ/RtJYflu/A6D4mt0l2fEZv0ru+QZW1+OIcA== X-Google-Smtp-Source: AGHT+IG7zjiPDhuAnsTzxxzsy19ipP8i7yiDT11AZ7cO5PErkR6/CcWIcz0/f3m2H+a0KMRHE9mL4A== X-Received: by 2002:a05:6358:6e92:b0:1c3:813d:47c6 with SMTP id e5c5f4694b2df-1c641f5f4c3mr11567655d.19.1731004499131; Thu, 07 Nov 2024 10:34:59 -0800 (PST) Received: from lvondent-mobl5.. (syn-107-146-107-067.res.spectrum.com. [107.146.107.67]) by smtp.gmail.com with ESMTPSA id a1e0cc1a2514c-856557908a3sm358193241.30.2024.11.07.10.34.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Nov 2024 10:34:57 -0800 (PST) From: Luiz Augusto von Dentz To: linux-bluetooth@vger.kernel.org Subject: [PATCH v1 1/2] Bluetooth: SCO: Use kref to track lifetime of sco_conn Date: Thu, 7 Nov 2024 13:34:54 -0500 Message-ID: <20241107183455.129897-1-luiz.dentz@gmail.com> X-Mailer: git-send-email 2.47.0 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Luiz Augusto von Dentz This make use of kref to keep track of reference of sco_conn which allows better tracking of its lifetime with usage of things like kref_get_unless_zero in a similar way as used in l2cap_chan. In addition to it remove call to sco_sock_set_timer on __sco_sock_close since at that point it is useless to set a timer as the sk will be freed there is nothing to be done in sco_sock_timeout. Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/sco.c | 99 ++++++++++++++++++++++++++++++++------------- 1 file changed, 71 insertions(+), 28 deletions(-) diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 1c7252a36866..1b8e468d24cf 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -51,6 +51,7 @@ struct sco_conn { struct delayed_work timeout_work; unsigned int mtu; + struct kref ref; }; #define sco_conn_lock(c) spin_lock(&c->lock) @@ -76,6 +77,49 @@ struct sco_pinfo { #define SCO_CONN_TIMEOUT (HZ * 40) #define SCO_DISCONN_TIMEOUT (HZ * 2) +static void sco_conn_free(struct kref *ref) +{ + struct sco_conn *conn = container_of(ref, struct sco_conn, ref); + + BT_DBG("conn %p", conn); + + if (conn->sk) + sco_pi(conn->sk)->conn = NULL; + + if (conn->hcon) { + conn->hcon->sco_data = NULL; + hci_conn_drop(conn->hcon); + } + + /* Ensure no more work items will run since hci_conn has been dropped */ + disable_delayed_work_sync(&conn->timeout_work); + + kfree(conn); +} + +static void sco_conn_put(struct sco_conn *conn) +{ + if (!conn) + return; + + BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); + + kref_put(&conn->ref, sco_conn_free); +} + +static struct sco_conn *sco_conn_hold_unless_zero(struct sco_conn *conn) +{ + if (!conn) + return NULL; + + BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); + + if (!kref_get_unless_zero(&conn->ref)) + return NULL; + + return conn; +} + static struct sock *sco_sock_hold(struct sco_conn *conn) { if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk)) @@ -92,6 +136,10 @@ static void sco_sock_timeout(struct work_struct *work) timeout_work.work); struct sock *sk; + conn = sco_conn_hold_unless_zero(conn); + if (!conn) + return; + sco_conn_lock(conn); if (!conn->hcon) { sco_conn_unlock(conn); @@ -99,6 +147,7 @@ static void sco_sock_timeout(struct work_struct *work) } sk = sco_sock_hold(conn); sco_conn_unlock(conn); + sco_conn_put(conn); if (!sk) return; @@ -136,9 +185,14 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) { struct sco_conn *conn = hcon->sco_data; + conn = sco_conn_hold_unless_zero(conn); if (conn) { - if (!conn->hcon) + if (!conn->hcon) { + sco_conn_lock(conn); conn->hcon = hcon; + sco_conn_unlock(conn); + } + sco_conn_put(conn); return conn; } @@ -146,6 +200,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) if (!conn) return NULL; + kref_init(&conn->ref); spin_lock_init(&conn->lock); INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout); @@ -170,17 +225,15 @@ static void sco_chan_del(struct sock *sk, int err) struct sco_conn *conn; conn = sco_pi(sk)->conn; + sco_pi(sk)->conn = NULL; BT_DBG("sk %p, conn %p, err %d", sk, conn, err); if (conn) { sco_conn_lock(conn); conn->sk = NULL; - sco_pi(sk)->conn = NULL; sco_conn_unlock(conn); - - if (conn->hcon) - hci_conn_drop(conn->hcon); + sco_conn_put(conn); } sk->sk_state = BT_CLOSED; @@ -195,29 +248,28 @@ static void sco_conn_del(struct hci_conn *hcon, int err) struct sco_conn *conn = hcon->sco_data; struct sock *sk; + conn = sco_conn_hold_unless_zero(conn); if (!conn) return; BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); - /* Kill socket */ sco_conn_lock(conn); sk = sco_sock_hold(conn); sco_conn_unlock(conn); + sco_conn_put(conn); - if (sk) { - lock_sock(sk); - sco_sock_clear_timer(sk); - sco_chan_del(sk, err); - release_sock(sk); - sock_put(sk); + if (!sk) { + sco_conn_put(conn); + return; } - /* Ensure no more work items will run before freeing conn. */ - cancel_delayed_work_sync(&conn->timeout_work); - - hcon->sco_data = NULL; - kfree(conn); + /* Kill socket */ + lock_sock(sk); + sco_sock_clear_timer(sk); + sco_chan_del(sk, err); + release_sock(sk); + sock_put(sk); } static void __sco_chan_add(struct sco_conn *conn, struct sock *sk, @@ -401,6 +453,8 @@ static void sco_sock_destruct(struct sock *sk) { BT_DBG("sk %p", sk); + sco_conn_put(sco_pi(sk)->conn); + skb_queue_purge(&sk->sk_receive_queue); skb_queue_purge(&sk->sk_write_queue); } @@ -448,17 +502,6 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: - if (sco_pi(sk)->conn->hcon) { - sk->sk_state = BT_DISCONN; - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); - sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); - sco_pi(sk)->conn->hcon = NULL; - sco_conn_unlock(sco_pi(sk)->conn); - } else - sco_chan_del(sk, ECONNRESET); - break; - case BT_CONNECT2: case BT_CONNECT: case BT_DISCONN: From patchwork Thu Nov 7 18:34:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luiz Augusto von Dentz X-Patchwork-Id: 13866907 Received: from mail-oo1-f53.google.com (mail-oo1-f53.google.com [209.85.161.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3DF23212F06 for ; Thu, 7 Nov 2024 18:35:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731004506; cv=none; b=U4HUCiHF09iLAOxldvEbK/+qq/hAyzqyRBemPogG2Q+TBFSSp6rUWdj1HNSPP1eh0aEismoIS6PHeb5D2pUCfQNe+mKm0+ictJiRQS5GRa+Pb/LtubSBs0XIB8BZj7zgalwVlu/6x+Qc9nsw0jzbX5KFRQVz+nE3j/Ps55iZHGI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731004506; c=relaxed/simple; bh=HPAIi4bI8l6adDycZMRrZckC2y2zZ+La5xl8hHiHVMo=; h=From:To:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kL8rS+eb89Y+/06uHkDN3NHLtVxAfCQ1ftpZupM1xz9ZDxZoLVIK5ShWZab3kiPb/O44XzbA5xnSisxX7LscWIZE1TWMO/JtQueknV8g+HrEumrLqqKajkkg5j+H16tww+tFg5UYd6gexcU4HkPzbnNgPLJZiQKU6BqHH5OXxkg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=J8aovHXY; arc=none smtp.client-ip=209.85.161.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="J8aovHXY" Received: by mail-oo1-f53.google.com with SMTP id 006d021491bc7-5eb73ec1e1aso679066eaf.2 for ; Thu, 07 Nov 2024 10:35:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731004503; x=1731609303; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CxxI9JNhe8WZ4K7bmWVwdKBwGlWYZ3LncP13YptGGVM=; b=J8aovHXYI/QspUqcwbckXlX8ydLvLwsmqXCLe9bbQPSsyxJdzlye/imZUt4w0fBXaA Xvhb7wmCl/UhrjI6X9acDN1e2Wweviki42NWi71Y/BdZjbk25WaBnLQoVLLjHmtkFuEx jxKlEdeJn5hFMnYl5PXocLySk0UdkO8qHgmgtmFub5QHb52RVZsQp34ib6YWATtnpPQ9 XJrixc5ER2NsQXy5NvE7sV/Wo0hs+O+/F/5qZZDJsyiUdcTZv+dDUDZvitbzs4mKwlRy R8nJwNe55JoBjcETyYcy3OeExmnvGU8eAoRSBD9Kosvs8N5kdVu645aTrB1WDqJtbHEL E88g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731004503; x=1731609303; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CxxI9JNhe8WZ4K7bmWVwdKBwGlWYZ3LncP13YptGGVM=; b=O8kRi75jM1MfJrFzzfcvcVapqj2xxXACnb1aFKNts0o/7amFfB5E5w9z0sc0CuetXG +GomDsznsqS6ranFtKOlgOX9L/vARyjMrhPREi0XPnmes3bUqDwE/pWONjfxNjjbVvLy CA1jVKxS3BTXO4cMZs5kMGWWkOs8ft+LbtFSpOTRjkuRXcHTgK1BKrtqJQESMPSCPfIy pH4R6Ztag9SQB+FbD6UARzmbW4GRcOalZmYfviPeBRA+Dcl8uC/5KRO4MF/yulDnMBhQ 2aXIw48/ozpB9La/+BuIM5zLEk3VDNvYWfH/aUVrCdnytVcscgWA4xQRyAFFYvrKQ6IL MRkg== X-Gm-Message-State: AOJu0YyyZChnOZ0lqyC30AY0DjbfpWHoM/A5VHf2nHFcPr0O59Hwy1lN O87dWZdUpTw8mPAS6nqWjubNg3bbStzfQWQaasO6jD64WZsY38QcnBIcgg== X-Google-Smtp-Source: AGHT+IGXMyEW/1HMy49ww0fEUIkbPxYMAVgu0pmJz6MNyKzQJD+kxdWNat6pP2xpXYfte/gnmQOPhA== X-Received: by 2002:a05:6358:72a7:b0:1c2:f41e:dbd5 with SMTP id e5c5f4694b2df-1c641ea66c2mr14771455d.7.1731004503459; Thu, 07 Nov 2024 10:35:03 -0800 (PST) Received: from lvondent-mobl5.. (syn-107-146-107-067.res.spectrum.com. [107.146.107.67]) by smtp.gmail.com with ESMTPSA id a1e0cc1a2514c-856557908a3sm358193241.30.2024.11.07.10.34.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Nov 2024 10:35:00 -0800 (PST) From: Luiz Augusto von Dentz To: linux-bluetooth@vger.kernel.org Subject: [PATCH v1 2/2] Bluetooth: ISO: Use kref to track lifetime of iso_conn Date: Thu, 7 Nov 2024 13:34:55 -0500 Message-ID: <20241107183455.129897-2-luiz.dentz@gmail.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241107183455.129897-1-luiz.dentz@gmail.com> References: <20241107183455.129897-1-luiz.dentz@gmail.com> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Luiz Augusto von Dentz This make use of kref to keep track of reference of iso_conn which allows better tracking of its lifetime with usage of things like kref_get_unless_zero in a similar way as used in l2cap_chan. In addition to it remove call to iso_sock_set_timer on iso_sock_disconn since at that point it is useless to set a timer as the sk will be freed there is nothing to be done in iso_sock_timeout. Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type") Signed-off-by: Luiz Augusto von Dentz --- net/bluetooth/iso.c | 88 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 71 insertions(+), 17 deletions(-) diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index 9e119da43147..24e78ada9ad2 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -35,6 +35,7 @@ struct iso_conn { struct sk_buff *rx_skb; __u32 rx_len; __u16 tx_sn; + struct kref ref; }; #define iso_conn_lock(c) spin_lock(&(c)->lock) @@ -93,6 +94,49 @@ static struct sock *iso_get_sock(bdaddr_t *src, bdaddr_t *dst, #define ISO_CONN_TIMEOUT (HZ * 40) #define ISO_DISCONN_TIMEOUT (HZ * 2) +static void iso_conn_free(struct kref *ref) +{ + struct iso_conn *conn = container_of(ref, struct iso_conn, ref); + + BT_DBG("conn %p", conn); + + if (conn->sk) + iso_pi(conn->sk)->conn = NULL; + + if (conn->hcon) { + conn->hcon->iso_data = NULL; + hci_conn_drop(conn->hcon); + } + + /* Ensure no more work items will run since hci_conn has been dropped */ + disable_delayed_work_sync(&conn->timeout_work); + + kfree(conn); +} + +static void iso_conn_put(struct iso_conn *conn) +{ + if (!conn) + return; + + BT_DBG("conn %p refcnt %d", conn, kref_read(&conn->ref)); + + kref_put(&conn->ref, iso_conn_free); +} + +static struct iso_conn *iso_conn_hold_unless_zero(struct iso_conn *conn) +{ + if (!conn) + return NULL; + + BT_DBG("conn %p refcnt %u", conn, kref_read(&conn->ref)); + + if (!kref_get_unless_zero(&conn->ref)) + return NULL; + + return conn; +} + static struct sock *iso_sock_hold(struct iso_conn *conn) { if (!conn || !bt_sock_linked(&iso_sk_list, conn->sk)) @@ -109,9 +153,14 @@ static void iso_sock_timeout(struct work_struct *work) timeout_work.work); struct sock *sk; + conn = iso_conn_hold_unless_zero(conn); + if (!conn) + return; + iso_conn_lock(conn); sk = iso_sock_hold(conn); iso_conn_unlock(conn); + iso_conn_put(conn); if (!sk) return; @@ -149,9 +198,14 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon) { struct iso_conn *conn = hcon->iso_data; + conn = iso_conn_hold_unless_zero(conn); if (conn) { - if (!conn->hcon) + if (!conn->hcon) { + iso_conn_lock(conn); conn->hcon = hcon; + iso_conn_unlock(conn); + } + iso_conn_put(conn); return conn; } @@ -159,6 +213,7 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon) if (!conn) return NULL; + kref_init(&conn->ref); spin_lock_init(&conn->lock); INIT_DELAYED_WORK(&conn->timeout_work, iso_sock_timeout); @@ -178,17 +233,15 @@ static void iso_chan_del(struct sock *sk, int err) struct sock *parent; conn = iso_pi(sk)->conn; + iso_pi(sk)->conn = NULL; BT_DBG("sk %p, conn %p, err %d", sk, conn, err); if (conn) { iso_conn_lock(conn); conn->sk = NULL; - iso_pi(sk)->conn = NULL; iso_conn_unlock(conn); - - if (conn->hcon) - hci_conn_drop(conn->hcon); + iso_conn_put(conn); } sk->sk_state = BT_CLOSED; @@ -210,6 +263,7 @@ static void iso_conn_del(struct hci_conn *hcon, int err) struct iso_conn *conn = hcon->iso_data; struct sock *sk; + conn = iso_conn_hold_unless_zero(conn); if (!conn) return; @@ -219,20 +273,18 @@ static void iso_conn_del(struct hci_conn *hcon, int err) iso_conn_lock(conn); sk = iso_sock_hold(conn); iso_conn_unlock(conn); + iso_conn_put(conn); - if (sk) { - lock_sock(sk); - iso_sock_clear_timer(sk); - iso_chan_del(sk, err); - release_sock(sk); - sock_put(sk); + if (!sk) { + iso_conn_put(conn); + return; } - /* Ensure no more work items will run before freeing conn. */ - cancel_delayed_work_sync(&conn->timeout_work); - - hcon->iso_data = NULL; - kfree(conn); + lock_sock(sk); + iso_sock_clear_timer(sk); + iso_chan_del(sk, err); + release_sock(sk); + sock_put(sk); } static int __iso_chan_add(struct iso_conn *conn, struct sock *sk, @@ -652,6 +704,8 @@ static void iso_sock_destruct(struct sock *sk) { BT_DBG("sk %p", sk); + iso_conn_put(iso_pi(sk)->conn); + skb_queue_purge(&sk->sk_receive_queue); skb_queue_purge(&sk->sk_write_queue); } @@ -711,6 +765,7 @@ static void iso_sock_disconn(struct sock *sk) */ if (bis_sk) { hcon->state = BT_OPEN; + hcon->iso_data = NULL; iso_pi(sk)->conn->hcon = NULL; iso_sock_clear_timer(sk); iso_chan_del(sk, bt_to_errno(hcon->abort_reason)); @@ -720,7 +775,6 @@ static void iso_sock_disconn(struct sock *sk) } sk->sk_state = BT_DISCONN; - iso_sock_set_timer(sk, ISO_DISCONN_TIMEOUT); iso_conn_lock(iso_pi(sk)->conn); hci_conn_drop(iso_pi(sk)->conn->hcon); iso_pi(sk)->conn->hcon = NULL;