Re: [RFC PATCH 00/24] Bluetooth: add locks to hci_conn accesses

[patchwork-bot+bluetooth@kernel.org]

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 21 Sep 2025 22:14:15 +0300 you wrote:
> (RFC since this needs to be tested much better.)
> 
> Each hdev has two ordered workqueues that run in parallel, in addition
> to user tasks and some timers in global workqueues.
> 
> Both workqueues may delete hci_conn* and modify their state. The current
> situation is there are races and UAF due to this.  In older kernels, it
> used to be much of the work was done from a single ordered
> hdev->workqueue, so one could be more lax with locking.  I don't think
> what used to be safe earlier is necessarily so now, so some simple rules
> are probably needed.
> 
> [...]

Here is the summary with links:
  - [RFC,01/24] Bluetooth: ISO: free rx_skb if not consumed
    https://git.kernel.org/bluetooth/bluetooth-next/c/b18365fe359a
  - [RFC,02/24] Bluetooth: ISO: don't leak skb in ISO_CONT RX
    https://git.kernel.org/bluetooth/bluetooth-next/c/f7db34762ae5
  - [RFC,03/24] Bluetooth: hci_sync: make hci_cmd_sync_run* indicate if item was added
    (no matching commit)
  - [RFC,04/24] Bluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists
    (no matching commit)
  - [RFC,05/24] Bluetooth: hci_conn: avoid ABA error in abort_conn_sync
    (no matching commit)
  - [RFC,06/24] Bluetooth: hci_sync: avoid ABA/UAF in hci_sync callbacks
    (no matching commit)
  - [RFC,07/24] Bluetooth: hci_event: extend conn_hash lookup RCU critical sections
    (no matching commit)
  - [RFC,08/24] Bluetooth: hci_sync: extend conn_hash lookup RCU critical sections
    (no matching commit)
  - [RFC,09/24] Bluetooth: mgmt: extend conn_hash lookup RCU critical sections
    (no matching commit)
  - [RFC,10/24] Bluetooth: hci_conn: extend conn_hash lookup RCU critical sections
    (no matching commit)
  - [RFC,11/24] Bluetooth: hci_core: add lockdep check to hci_conn_hash lookups
    (no matching commit)
  - [RFC,12/24] Bluetooth: hci_core: add lockdep check to hci_conn_valid()
    (no matching commit)
  - [RFC,13/24] Bluetooth: hci_sync: fix hdev locking in hci_le_create_conn_sync
    (no matching commit)
  - [RFC,14/24] Bluetooth: hci_core: hold hdev lock in packet TX scheduler
    (no matching commit)
  - [RFC,15/24] Bluetooth: lookup hci_conn on RX path on protocol side
    (no matching commit)
  - [RFC,16/24] Bluetooth: L2CAP: fix hci_conn_valid() usage
    (no matching commit)
  - [RFC,17/24] Bluetooth: hci_sync: add helper for hdev locking across waits
    (no matching commit)
  - [RFC,18/24] Bluetooth: hci_sync: hold lock in hci_acl_create_conn_sync
    (no matching commit)
  - [RFC,19/24] Bluetooth: hci_sync: hold lock in hci_le_create_conn_sync
    (no matching commit)
  - [RFC,20/24] Bluetooth: hci_sync: add hdev lock lockdep asserts in subroutines
    (no matching commit)
  - [RFC,21/24] Bluetooth: fix locking for hci_abort_conn_sync()
    (no matching commit)
  - [RFC,22/24] Bluetooth: hci_sync: lock properly in hci_le_pa/big_create_sync
    (no matching commit)
  - [RFC,23/24] Bluetooth: hci_sync: fix locking in hci_disconnect_sync
    (no matching commit)
  - [RFC,24/24] Bluetooth: hci_conn: fix ABA and locking in hci_enhanced_setup_sync
    (no matching commit)

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html