Bluetooth: Clear sk_send_head when purging ERTM transmit queue

In ERTM, the outgoing data queue contains both unsent data and unacked
data, and sk_send_head points to the first unsent packet. When
disconnecting a socket, it's possible for a process to attempt a
socket send while a disconnection is in progress and the outgoing data
queue has been purged. When this purge happens, sk_send_head must also
be set to NULL because the packet it was pointing to has been freed.

Change-Id: I87b37a13583fac705241549dfc492950c7c0ec0b
CRs-fixed: 326238
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>

net/bluetooth/l2cap_core.c

@@ -569,6 +569,7 @@ void l2cap_chan_del(struct sock *sk, int err)
 	} else
 		sk->sk_state_change(sk);
 
+	sk->sk_send_head = NULL;
 	skb_queue_purge(TX_QUEUE(sk));
 
 	if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
@@ -782,6 +783,7 @@ void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
 	if (!conn)
 		return;
 
+	sk->sk_send_head = NULL;
 	skb_queue_purge(TX_QUEUE(sk));
 
 	if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
@@ -4515,6 +4517,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
 	if (sk->sk_state != BT_DISCONN) {
 		sk->sk_shutdown = SHUTDOWN_MASK;
 
+		sk->sk_send_head = NULL;
 		skb_queue_purge(TX_QUEUE(sk));
 
 		if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {