Bluetooth: SCO: remove the redundant sco_conn_put

ea1davis · Vudentz · commit ed9588554943 · 2024-11-26T11:07:28.000-05:00
When adding conn, it is necessary to increase and retain the conn reference count at the same time. Another problem was fixed along the way, conn_put is missing when hcon is NULL in the timeout routine. Fixes: e672077 ("Bluetooth: SCO: Use kref to track lifetime of sco_conn") Reported-and-tested-by: syzbot+489f78df4709ac2bfdd3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=489f78df4709ac2bfdd3 Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
@@ -143,6 +143,7 @@ static void sco_sock_timeout(struct work_struct *work)
 	sco_conn_lock(conn);
 	if (!conn->hcon) {
 		sco_conn_unlock(conn);
+		sco_conn_put(conn);
 		return;
 	}
 	sk = sco_sock_hold(conn);
@@ -192,7 +193,6 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
 			conn->hcon = hcon;
 			sco_conn_unlock(conn);
 		}
-		sco_conn_put(conn);
 		return conn;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,7 @@ static void sco_sock_timeout(struct work_struct *work)`
`143`	`143`	`sco_conn_lock(conn);`
`144`	`144`	`if (!conn->hcon) {`
`145`	`145`	`sco_conn_unlock(conn);`
	`146`	`+ sco_conn_put(conn);`
`146`	`147`	`return;`
`147`	`148`	`}`
`148`	`149`	`sk = sco_sock_hold(conn);`
`@@ -192,7 +193,6 @@ static struct sco_conn sco_conn_add(struct hci_conn hcon)`
`192`	`193`	`conn->hcon = hcon;`
`193`	`194`	`sco_conn_unlock(conn);`
`194`	`195`	`}`
`195`		`- sco_conn_put(conn);`
`196`	`196`	`return conn;`
`197`	`197`	`}`
`198`	`198`