diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index a5ac160c592e..19af148bbaf8 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -155,6 +155,36 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) return conn; } +static void sco_conn_drop(struct sco_conn *conn) +{ + if (!conn || !conn->hcon) + return; + + BT_DBG("conn %p hcon %p", conn, conn->hcon); + + hci_conn_drop(conn->hcon); + + sco_conn_lock(conn); + conn->hcon->sco_data = NULL; + conn->hcon = NULL; + sco_conn_unlock(conn); + + /* Ensure no more work items will run since hci_conn has been dropped */ + disable_delayed_work_sync(&conn->timeout_work); +} + +static void sco_conn_destruct(struct sco_conn *conn) +{ + if (!conn) + return; + + BT_DBG("conn %p", conn); + + sco_conn_drop(conn); + + kfree(conn); +} + /* Delete channel. * Must be called on the locked socket. */ static void sco_chan_del(struct sock *sk, int err) @@ -171,8 +201,7 @@ static void sco_chan_del(struct sock *sk, int err) sco_pi(sk)->conn = NULL; sco_conn_unlock(conn); - if (conn->hcon) - hci_conn_drop(conn->hcon); + sco_conn_drop(conn); } sk->sk_state = BT_CLOSED; @@ -192,26 +221,23 @@ static void sco_conn_del(struct hci_conn *hcon, int err) BT_DBG("hcon %p conn %p, err %d", hcon, conn, err); - /* Kill socket */ sco_conn_lock(conn); sk = conn->sk; if (sk) sock_hold(sk); sco_conn_unlock(conn); - if (sk) { - lock_sock(sk); - sco_sock_clear_timer(sk); - sco_chan_del(sk, err); - release_sock(sk); - sock_put(sk); + if (!sk) { + sco_conn_destruct(conn); + return; } - /* Ensure no more work items will run before freeing conn. */ - cancel_delayed_work_sync(&conn->timeout_work); - - hcon->sco_data = NULL; - kfree(conn); + /* Kill socket */ + lock_sock(sk); + sco_sock_clear_timer(sk); + sco_chan_del(sk, err); + release_sock(sk); + sock_put(sk); } static void __sco_chan_add(struct sco_conn *conn, struct sock *sk, @@ -395,6 +421,8 @@ static void sco_sock_destruct(struct sock *sk) { BT_DBG("sk %p", sk); + sco_conn_destruct(sco_pi(sk)->conn); + skb_queue_purge(&sk->sk_receive_queue); skb_queue_purge(&sk->sk_write_queue); } @@ -442,17 +470,6 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: - if (sco_pi(sk)->conn->hcon) { - sk->sk_state = BT_DISCONN; - sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); - sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); - sco_pi(sk)->conn->hcon = NULL; - sco_conn_unlock(sco_pi(sk)->conn); - } else - sco_chan_del(sk, ECONNRESET); - break; - case BT_CONNECT2: case BT_CONNECT: case BT_DISCONN: