[PATCH v4 7/7] Bluetooth: hci_sync: remove unnecessary hci_conn_get in create_conn_sync

From: Pauli Virtanen

Date: Sun Jun 28 2026 - 09:23:00 EST


Calling hci_conn_get() without an already-held reference is a data race
against concurrent deletion.

In previous patches, the refcount has been changed to be taken before
starting the hci_sync task, so remove these extra get() + put() as they
are not needed.

Fixes: 76c2d047410ba ("Bluetooth: hci_conn: Fix null ptr deref in hci_abort_conn()")
Signed-off-by: Pauli Virtanen <pav@xxxxxx>
---

Notes:
v4:
- no change

net/bluetooth/hci_sync.c | 13 -------------
1 file changed, 13 deletions(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 11d0c2033c6a..7cc3cb12436d 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6607,11 +6607,6 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)

bt_dev_dbg(hdev, "conn %p", conn);

- /* Hold a reference so conn stays valid for the HCI_CONN_CREATE
- * clear_bit() at done.
- */
- hci_conn_get(conn);
-
clear_bit(HCI_CONN_SCANNING, &conn->flags);
conn->state = BT_CONNECT;

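Review bot: With the get()/put() pair removed, nothing left in hci_le_create_conn_sync states that conn is kept alive only by a reference the queuing side took before this sync work started; the deleted comment was the only place that lifetime rule was written down, and the matching hunk in hci_acl_create_conn_sync drops its copy as well. The commit message explains the new invariant, but a reader of the function alone cannot see it, and a later change could reintroduce an unpaired hci_conn_get() here or, worse, drop the caller-side reference. Suggest replacing the deleted comment with one that records the rule, e.g. `/* conn is kept alive by the reference taken before this sync work was queued; do not hci_conn_get() here (see hci_cmd_sync queuing side). */`, and the same comment above the HCI_CONN_CREATE block in the acl hunk. hci_le_create_conn_sync starts before this hunk and continues past it, so I could not confirm from the hunk alone where that caller reference is taken.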
@@ -6626,7 +6621,6 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
conn->state = BT_OPEN;
hci_abort_conn_sync(hdev, conn,
HCI_ERROR_REJ_LIMITED_RESOURCES);
- hci_conn_put(conn);
return -EBUSY;
}

@@ -6720,7 +6714,6 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)

/* Re-enable advertising after the connection attempt is finished. */
hci_resume_advertising_sync(hdev);
- hci_conn_put(conn);
return err;
}

@@ -6995,11 +6988,6 @@ static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data)
else
cp.role_switch = 0x00;

- /* Hold a reference so conn stays valid for the HCI_CONN_CREATE
- * clear_bit() below.
- */
- hci_conn_get(conn);
-
/* Mark create connection in flight so hci_cancel_connect_sync() can
* cancel it while blocking on the connection complete event.
*/
@@ -7011,7 +6999,6 @@ static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data)
conn->conn_timeout, NULL);

clear_bit(HCI_CONN_CREATE, &conn->flags);
- hci_conn_put(conn);

return err;
}
--
2.54.0