From 09e95a26a4e91b86c02ee9bb459a60eba2ff65ad Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Wed, 28 Oct 2020 11:33:27 -0700
Subject: [PATCH] Bluetooth: ISO: Fix crash when channel has already been disconnected

If chan->conn is already NULL do not call bt_conn_unref as that will likely cause a crash, also this make sure that if channel has been disconnected using bt_iso_chan_disconnect it removes the channel from connection list before setting the chan->conn to NULL.

Signed-off-by: Luiz Augusto von Dentz
---
 subsys/bluetooth/host/audio/iso.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/subsys/bluetooth/host/audio/iso.c b/subsys/bluetooth/host/audio/iso.c
index 48ce07e9945..52bd84d950a 100644
--- a/subsys/bluetooth/host/audio/iso.c
+++ b/subsys/bluetooth/host/audio/iso.c
@@ -742,8 +742,11 @@ void bt_iso_disconnected(struct bt_conn *conn)
 chan->ops->disconnected(chan);
 }
- bt_conn_unref(chan->conn);
- chan->conn = NULL;
+ if (chan->conn) {
+ bt_conn_unref(chan->conn);
+ chan->conn = NULL;
+ }
+
 bt_iso_chan_set_state(chan, BT_ISO_DISCONNECTED);
 }
 }
@@ -930,6 +933,7 @@ int bt_iso_chan_disconnect(struct bt_iso_chan *chan)
 if (chan->state == BT_ISO_BOUND) {
 bt_iso_chan_set_state(chan, BT_ISO_DISCONNECTED);
+ bt_iso_chan_remove(chan->conn, chan);
 bt_conn_unref(chan->conn);
 chan->conn = NULL;
 return 0;
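Review bot: The new `if (chan->conn)` guard in bt_iso_disconnected() is a check-then-act on a field that bt_iso_chan_disconnect() (second hunk) also clears, and no lock is visible in either hunk. If the two can run on different threads, both may pass the test and call bt_conn_unref() on the same reference, which would trade the NULL-dereference crash for a double unref of the connection object. Either document the serialization this relies on, or read the pointer once before releasing it: `struct bt_conn *iso = chan->conn; chan->conn = NULL; if (iso) { bt_conn_unref(iso); }`. That only narrows the window and is not a substitute for a lock. The enclosing loop and the start of the function lie outside the hunk, so the calling context is inferred.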
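Review bot: The BOUND branch of bt_iso_chan_disconnect() now depends on statement order and nothing in the code says so: bt_iso_chan_remove() is passed `chan->conn`, so it has to run before the field is cleared. A short comment above the added line would keep a later cleanup from reordering it, for example `/* Unlink from the connection's channel list before dropping conn, so bt_iso_disconnected() never walks a channel whose conn is NULL */`. Whether `chan->conn` is validated before this branch is not visible, because the opening lines of the function are outside the hunk.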