Merge tag 'v3.16-rc6' into next/dt

Update to Linux 3.16-rc6 as a dependency for the broadcom changes. Signed-off-by: Arnd Bergmann <arnd@arndb.de>
author: Arnd Bergmann <arnd@arndb.de> 2014-07-28 17:04:15 +0200
committer: Arnd Bergmann <arnd@arndb.de> 2014-07-28 17:04:15 +0200
commit: 565f46dc4d0c12dda1353dbd76314614c7069c20 (patch)
tree: a9e933f56e4f935bc3bb6b0d270b6be789fed6a9 /net/bluetooth/hci_conn.c
parent: 4fd1f229c2bc39b7f35f2a9f9fb9892f2d665359 (diff)
parent: 9a3c4145af32125c5ee39c0272662b47307a8323 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ca01d1861854..a7a27bc2c0b1 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -289,10 +289,20 @@ static void hci_conn_timeout(struct work_struct *work)
 {
 	struct hci_conn *conn = container_of(work, struct hci_conn,
 					     disc_work.work);
+	int refcnt = atomic_read(&conn->refcnt);
 
 	BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 
-	if (atomic_read(&conn->refcnt))
+	WARN_ON(refcnt < 0);
+
+	/* FIXME: It was observed that in pairing failed scenario, refcnt
+	 * drops below 0. Probably this is because l2cap_conn_del calls
+	 * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
+	 * dropped. After that loop hci_chan_del is called which also drops
+	 * conn. For now make sure that ACL is alive if refcnt is higher then 0,
+	 * otherwise drop it.
+	 */
+	if (refcnt > 0)
 		return;
 
 	switch (conn->state) {
author	Arnd Bergmann <arnd@arndb.de>	2014-07-28 17:04:15 +0200
committer	Arnd Bergmann <arnd@arndb.de>	2014-07-28 17:04:15 +0200
commit	565f46dc4d0c12dda1353dbd76314614c7069c20 (patch)
tree	a9e933f56e4f935bc3bb6b0d270b6be789fed6a9 /net/bluetooth/hci_conn.c
parent	4fd1f229c2bc39b7f35f2a9f9fb9892f2d665359 (diff)
parent	9a3c4145af32125c5ee39c0272662b47307a8323 (diff)