From: Pauli Virtanen <pav@iki.fi>
To: linux-bluetooth@vger.kernel.org
Cc: Pauli Virtanen <pav@iki.fi>,
marcel@holtmann.org, luiz.dentz@gmail.com, oss@fourdim.xyz,
linux-kernel@vger.kernel.org
Subject: [PATCH v4 0/7] Bluetooth: hci_conn: hold conn references in hci_sync tasks
Date: Sun, 28 Jun 2026 16:20:25 +0300
Message-ID: <cover.1782652695.git.pav@iki.fi>
Have hci_sync tasks hold a reference to the hci_conn pointer they want to use
later.
Avoids UAFs and passing potentially reused (possible even if very
unlikely) pointers to hci_conn_valid().
v4:
- Check !conn in hci_connect_big_sync() first.
It's probably a bug in iso.c that it may call this with NULL, but
probably better fixed separately.
v3:
- resending some rebased parts from
https://lore.kernel.org/linux-bluetooth/cover.1762100290.git.pav@iki.fi/
https://lore.kernel.org/linux-bluetooth/cover.1758481869.git.pav@iki.fi/
Pauli Virtanen (7):
Bluetooth: hci_conn: hold conn reference in abort_conn_sync()
Bluetooth: hci_sync: hold conn in hci_connect_acl/le_sync() callbacks
Bluetooth: hci_sync: hold conn in hci_connect_big_sync() callback
Bluetooth: hci_sync: hold conn in hci_connect_pa_sync() callback
Bluetooth: hci_sync: hold conn in hci_past_sync() callback
Bluetooth: hci_sync: fix hci_conn_del() use in hci_le_create_conn_sync
Bluetooth: hci_sync: remove unnecessary hci_conn_get in create_conn_sync
net/bluetooth/hci_conn.c | 12 +++++-
net/bluetooth/hci_sync.c | 86 ++++++++++++++++++++++++++--------------
2 files changed, 68 insertions(+), 30 deletions(-)
--
2.54.0
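An added illustration of the pointer-reuse problem the cover letter describes, as a userspace model rather than kernel code: conn_get()/conn_put()/conn_valid() and the two-slot pool are constructed stand-ins for hci_conn_get()/hci_conn_put()/hci_conn_valid() and the connection hash, and both deferred_work_* functions are hypothetical. It shows why an address-based validity check is not enough once a freed connection's memory is handed out again, and why a held reference makes that check trustworthy.

```c
#include <stdbool.h>
#include <string.h>

/* Userspace model of a refcounted connection; not the kernel's struct hci_conn. */
#define POOL 2
struct conn { int refcnt; int handle; bool in_use; };
static struct conn pool[POOL];   /* constructed slab: a freed slot is handed out again */
static struct conn *hash[POOL];  /* stand-in for hdev->conn_hash */

static void reset(void) { memset(pool, 0, sizeof pool); memset(hash, 0, sizeof hash); }
static struct conn *conn_get(struct conn *c) { c->refcnt++; return c; }
static void conn_put(struct conn *c) { if (--c->refcnt == 0) c->in_use = false; }

static struct conn *conn_add(int handle)   /* link a new conn; the list owns one ref */
{
    for (int i = 0; i < POOL; i++) {
        if (pool[i].in_use) continue;
        pool[i] = (struct conn){ .refcnt = 1, .handle = handle, .in_use = true };
        return hash[i] = &pool[i];
    }
    return NULL;
}
static void conn_del(struct conn *c)       /* unlink, then drop the list's reference */
{
    for (int i = 0; i < POOL; i++) if (hash[i] == c) hash[i] = NULL;
    conn_put(c);
}
static bool conn_valid(struct conn *c)     /* address check, like hci_conn_valid() */
{
    for (int i = 0; i < POOL; i++) if (hash[i] == c) return true;
    return false;                           /* cannot tell a reused slot apart */
}

int deferred_work_raw_pointer(void)        /* captured only the raw pointer */
{
    reset();
    struct conn *stale = conn_add(0x10);
    conn_del(stale);          /* connection torn down before the work runs */
    conn_add(0x20);           /* new connection lands in the freed slot */
    return conn_valid(stale) ? stale->handle : -1;  /* 0x20: acts on the wrong conn */
}

int deferred_work_held_reference(void)     /* took a reference when queued */
{
    reset();
    struct conn *held = conn_get(conn_add(0x10));
    conn_del(held);           /* unlinked, but our reference keeps the slot occupied */
    conn_add(0x20);           /* has to take a different slot */
    int acted = conn_valid(held) ? held->handle : -1;  /* -1: correctly bails out */
    conn_put(held);           /* last reference dropped; slot freed only now */
    return acted;
}
```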