Commit c531e638 authored by Dmitry Antipov's avatar Dmitry Antipov Committed by Luiz Augusto von Dentz
Browse files

Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() 



Add missing call to 'l2cap_chan_unlock()' on receive error handling
path in 'l2cap_conless_channel()'.

Fixes: a24cce14 ("Bluetooth: Fix reference counting of global L2CAP channels")
Reported-by: default avatar <syzbot+45ac74737e866894acb0@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=45ac74737e866894acb0


Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent e1d28be2

net/bluetooth/l2cap_core.c

+1 −0
Original line number Diff line number Diff line
@@ -6774,6 +6774,7 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, 
	bt_cb(skb)->l2cap.psm = psm;



	if (!chan->ops->recv(chan, skb)) {

		l2cap_chan_unlock(chan);

		l2cap_chan_put(chan);

		return;

	}