Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER - lwn.git - Linux kernel documentation tree maintained by Jonathan Corbet

diff options

author	Pauli Virtanen <pav@iki.fi>	2026-03-29 16:42:59 +0300
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2026-04-13 09:18:16 -0400
commit	5c7209a341ff2ac338b2b0375c34a307b37c9ac2 (patch)
tree	16e8275f5743fb1ba730b2be858d07adf1dc2526 /drivers
parent	120941654f187674b3aac4d546c2a915965b3937 (diff)
download	lwn-5c7209a341ff2ac338b2b0375c34a307b37c9ac2.tar.gz lwn-5c7209a341ff2ac338b2b0375c34a307b37c9ac2.zip

Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER

When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Fix by holding the lock. Fixes: 70c464256310 ("Bluetooth: Refactor connection request handling") Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Diffstat (limited to 'drivers')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: