[PATCH v1 0/2] Bluetooth: Fix data-race on dst/src in connect paths

Next message: Waiman Long: "Re: [PATCH] cgroup/cpuset: Free sched domains on rebuild guard failure"
Previous message: Jakub Kicinski: "Re: [Patch net-next v6 1/7] r8169: add support for multi irqs"
Next in thread: SeungJu Cheon: "[PATCH v1 2/2] Bluetooth: SCO: Fix data-race on dst in sco_connect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: SeungJu Cheon

Date: Fri May 29 2026 - 14:07:50 EST

Two KCSAN-reported data races on socket address fields passed to
hci_get_route() without proper synchronization.

Patch 1/2 fixes ISO: iso_connect_bis(), iso_connect_cis(),
iso_listen_bis(), and iso_conn_big_sync() read iso_pi(sk)->dst/src
without lock_sock before calling hci_get_route().

Patch 2/2 fixes SCO: sco_connect() reads sco_pi(sk)->dst after
lock_sock has been released by the caller.

Both races were confirmed with KCSAN using VHCI-based reproducers.

SeungJu Cheon (2):
Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls
Bluetooth: SCO: Fix data-race on dst in sco_connect

net/bluetooth/iso.c | 51 ++++++++++++++++++++++++++++++++++-----------
net/bluetooth/sco.c | 11 +++++++---
2 files changed, 47 insertions(+), 15 deletions(-)

--
2.52.0