From: patchwork-bot+bluetooth@kernel.org
To: Ruihan Li <lrh2000@pku.edu.cn>
Cc: linux-bluetooth@vger.kernel.org, marcel@holtmann.org,
johan.hedberg@gmail.com, luiz.dentz@gmail.com,
syzbot+690b90b14f14f43f4688@syzkaller.appspotmail.com,
luiz.von.dentz@intel.com
Subject: Re: [PATCH v4 1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink
Date: Wed, 03 May 2023 17:30:22 +0000
Message-ID: <168313502231.19283.12765545255824034324.git-patchwork-notify@kernel.org>
In-Reply-To: <20230503133937.169647-1-lrh2000@pku.edu.cn>

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 3 May 2023 21:39:34 +0800 you wrote:
> The hci_conn_unlink function is being called by hci_conn_del, which
> means it should not call hci_conn_del with the input parameter conn
> again. If it does, conn may have already been released when
> hci_conn_unlink returns, leading to potential UAF and double-free
> issues.
>
> This patch resolves the problem by modifying hci_conn_unlink to release
> only conn's child links when necessary, but never release conn itself.
>
> [...]

Here is the summary with links:
  - [v4,1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink
    https://git.kernel.org/bluetooth/bluetooth-next/c/3214238e9dc7
  - [v4,2/4] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
    https://git.kernel.org/bluetooth/bluetooth-next/c/38e9b45310de
  - [v4,3/4] Bluetooth: Fix UAF in hci_conn_hash_flush again
    https://git.kernel.org/bluetooth/bluetooth-next/c/29f883dcbfd0
  - [v4,4/4] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
    https://git.kernel.org/bluetooth/bluetooth-next/c/e6e576ec4e72

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Thread overview: 6+ messages
2023-05-03 13:39 [PATCH v4 1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink Ruihan Li
2023-05-03 13:39 ` [PATCH v4 2/4] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink Ruihan Li
2023-05-03 13:39 ` [PATCH v4 3/4] Bluetooth: Fix UAF in hci_conn_hash_flush again Ruihan Li
2023-05-03 13:39 ` [PATCH v4 4/4] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del Ruihan Li
2023-05-03 14:38 ` [v4,1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink bluez.test.bot
2023-05-03 17:30 ` patchwork-bot+bluetooth [this message]