Merge tag 'asoc-v3.16-rc1' into asoc-linus

[firefly-linux-kernel-4.4.55.git] / net / bluetooth / hci_conn.c

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ca01d18618549e2ef6caf5783bc9f2c7153a215b..a7a27bc2c0b1d8a7200e0a627c69b329e08cf838 100644 (file)
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -289,10 +289,20 @@ static void hci_conn_timeout(struct work_struct *work)
 {
        struct hci_conn *conn = container_of(work, struct hci_conn,
                                             disc_work.work);
+       int refcnt = atomic_read(&conn->refcnt);
 
        BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 
-       if (atomic_read(&conn->refcnt))
+       WARN_ON(refcnt < 0);
+
+       /* FIXME: It was observed that in pairing failed scenario, refcnt
+        * drops below 0. Probably this is because l2cap_conn_del calls
+        * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
+        * dropped. After that loop hci_chan_del is called which also drops
+        * conn. For now make sure that ACL is alive if refcnt is higher then 0,
+        * otherwise drop it.
+        */
+       if (refcnt > 0)
                return;
 
        switch (conn->state) {