From: Dmitry Antipov Date: Wed, 31 Jul 2024 09:19:36 +0000 (+0300) Subject: Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() X-Git-Tag: v6.11-rc3~25^2~9^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c531e63871c0b50c8c4e62c048535a08886fba3e;p=thirdparty%2Fkernel%2Flinux.git Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() Add missing call to 'l2cap_chan_unlock()' on receive error handling path in 'l2cap_conless_channel()'. Fixes: a24cce144b98 ("Bluetooth: Fix reference counting of global L2CAP channels") Reported-by: syzbot+45ac74737e866894acb0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=45ac74737e866894acb0 Signed-off-by: Dmitry Antipov Signed-off-by: Luiz Augusto von Dentz --- diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index c3c26bbb5ddae..9988ba382b686 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6774,6 +6774,7 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, bt_cb(skb)->l2cap.psm = psm; if (!chan->ops->recv(chan, skb)) { + l2cap_chan_unlock(chan); l2cap_chan_put(chan); return; }
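
Review bot: the branch that gains `l2cap_chan_unlock(chan)` is `if (!chan->ops->recv(chan, skb))`, which is taken when recv() returns 0, that is, when the skb was accepted, so the commit message's "receive error handling path" describes the wrong path and is worth rewording to say the lock was left held on the early return after a successful receive. The placement itself is right: the unlock has to come before `l2cap_chan_put(chan)`, because the put may drop the last reference and the lock must not be touched after that. Since this early return now repeats the unlock-then-put pair by hand, consider routing it through a single exit label that does both, so that a later change to the function's locking cannot miss this return again.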