• Marcel Holtmann's avatar
    Bluetooth: Fix wrong module refcount when connection setup fails · 384943ec
    Marcel Holtmann authored
    The module refcount is increased by hci_dev_hold() call in hci_conn_add()
    and decreased by hci_dev_put() call in del_conn(). In case the connection
    setup fails, hci_dev_put() is never called.
    
    Procedure to reproduce the issue:
    
      # hciconfig hci0 up
      # lsmod | grep btusb                   -> "used by" refcount = 1
    
      # hcitool cc <non-exisiting bdaddr>    -> will get timeout
    
      # lsmod | grep btusb                   -> "used by" refcount = 2
      # hciconfig hci0 down
      # lsmod | grep btusb                   -> "used by" refcount = 1
      # rmmod btusb                          -> ERROR: Module btusb is in use
    
    The hci_dev_put() call got moved into del_conn() with the 2.6.25 kernel
    to fix an issue with hci_dev going away before hci_conn. However that
    change was wrong and introduced this problem.
    
    When calling hci_conn_del() it has to call hci_dev_put() after freeing
    the connection details. This handling should be fully symmetric. The
    execution of del_conn() is done in a work queue and needs it own calls
    to hci_dev_hold() and hci_dev_put() to ensure that the hci_dev stays
    until the connection cleanup has been finished.
    
    Based on a report by Bing Zhao <bzhao@marvell.com>
    Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
    Tested-by: default avatarBing Zhao <bzhao@marvell.com>
    384943ec
hci_conn.c 15.4 KB