Re: [PATCH v4] Bluetooth: hci_conn: fix potential UAF in create_big_sync

From: patchwork-bot+bluetooth

Date: Mon Apr 13 2026 - 14:22:31 EST


Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Sun, 12 Apr 2026 21:29:16 +0100 you wrote:
> Add hci_conn_valid() check in create_big_sync() to detect stale
> connections before proceeding with BIG creation. Handle the
> resulting -ECANCELED in create_big_complete() and re-validate the
> connection under hci_dev_lock() before dereferencing, matching the
> pattern used by create_le_conn_complete() and create_pa_complete().
>
> Keep the hci_conn object alive across the async boundary by taking
> a reference via hci_conn_get() when queueing create_big_sync(), and
> dropping it in the completion callback. The refcount and the lock
> are complementary: the refcount keeps the object allocated, while
> hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on
> hdev->conn_hash, as required by hci_conn_del().
>
> [...]

Here is the summary with links:
- [v4] Bluetooth: hci_conn: fix potential UAF in create_big_sync
https://git.kernel.org/bluetooth/bluetooth-next/c/d55d107b6fa6

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
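The refcount-plus-lock pattern the commit message above describes, as an added user-space model (this is not the kernel's code and not part of the bot's message): a `conn` object owned by a hash table, an async "create BIG" step that is queued with an extra reference, and a completion callback that re-validates membership in the hash under the device lock before touching the object. The `conn_get`/`conn_put`/`conn_del`/`conn_valid`/`dev_lock` names are stand-ins for `hci_conn_get()`, `hci_conn_put()`, `hci_conn_del()`, `hci_conn_valid()` and `hci_dev_lock()`; the single-threaded driver and the `live_count()` leak check are assumptions made so the model runs stand-alone.

```c
/* Hypothetical user-space model of the fix's pattern. Not kernel code:
 * every name here is a stand-in for the hci_conn API named above. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define HASH_SLOTS 8

struct conn {
    int refcnt;      /* object lifetime: freed when it reaches 0 */
    int handle;
    int big_handle;  /* field the completion callback writes */
};

static struct conn *conn_hash[HASH_SLOTS]; /* hdev->conn_hash stand-in */
static bool dev_lock_held;                 /* hci_dev_lock() stand-in */
static int live_objects;                   /* allocations not yet freed */

static void dev_lock(void)   { assert(!dev_lock_held); dev_lock_held = true; }
static void dev_unlock(void) { assert(dev_lock_held);  dev_lock_held = false; }

static void conn_get(struct conn *c) { c->refcnt++; }

static void conn_put(struct conn *c)
{
    if (--c->refcnt == 0) {
        live_objects--;
        free(c);
    }
}

/* Is this pointer still linked in the hash? Caller must hold dev_lock. */
static bool conn_valid(struct conn *c)
{
    assert(dev_lock_held);
    for (int i = 0; i < HASH_SLOTS; i++)
        if (conn_hash[i] == c)
            return true;
    return false;
}

static struct conn *conn_add(int handle)
{
    struct conn *c = calloc(1, sizeof(*c));
    c->refcnt = 1;            /* the hash's own reference */
    c->handle = handle;
    c->big_handle = -1;
    live_objects++;
    dev_lock();
    conn_hash[handle % HASH_SLOTS] = c;
    dev_unlock();
    return c;
}

/* Unlink under the lock (serialises against conn_valid), then drop the hash's ref. */
static void conn_del(struct conn *c)
{
    dev_lock();
    for (int i = 0; i < HASH_SLOTS; i++)
        if (conn_hash[i] == c)
            conn_hash[i] = NULL;
    dev_unlock();
    conn_put(c);
}

/* create_big_sync() stand-in: refuse to act on a connection that went stale. */
static int create_big_sync(struct conn *c)
{
    dev_lock();
    bool ok = conn_valid(c);
    dev_unlock();
    return ok ? 0 : -ECANCELED;   /* real BIG creation would follow on success */
}

/* create_big_complete() stand-in: the reference keeps *c allocated, the lock
 * keeps the validity check and the dereference atomic against conn_del(). */
static int create_big_complete(struct conn *c, int err)
{
    int ret = 0;
    dev_lock();
    if (err == -ECANCELED || !conn_valid(c))
        ret = -ECANCELED;
    else
        c->big_handle = 0x42;     /* safe: alive (refcount) and still linked (lock) */
    dev_unlock();
    conn_put(c);                  /* drop the reference taken at queue time */
    return ret;
}

/* Drive queue -> (optional teardown) -> sync -> complete; returns the completion result. */
int run_scenario(bool delete_while_queued)
{
    struct conn *c = conn_add(1);
    conn_get(c);                  /* reference taken when queueing the work */
    if (delete_while_queued)
        conn_del(c);              /* connection torn down before the work runs */
    int ret = create_big_complete(c, create_big_sync(c));
    if (!delete_while_queued)
        conn_del(c);
    return ret;
}

int live_count(void) { return live_objects; }

int main(void)
{
    printf("normal: %d, leaked: %d\n", run_scenario(false), live_count());
    printf("stale:  %d, leaked: %d\n", run_scenario(true), live_count());
    return 0;
}
```

Dropping the `conn_get()` at queue time would turn the stale scenario into a dereference of freed memory in `create_big_complete()`; dropping the lock would let `conn_del()` unlink the object between the `conn_valid()` check and the write. Both are needed, which is the point the commit message makes.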