Re: [PATCH] Bluetooth: fix use-after-free in hci_conn_drop
From: kawada
Date: Tue Feb 10 2026 - 09:51:35 EST
Apologies for the top-posting.
> Better not before spotting the reason why conn->refcnt
> failed to make the entry->destroy callback safe.
hci_conn_hold() increments conn->refcnt, but the actual
freeing of conn is done by put_device() called from
hci_conn_del(). hci_conn_del() does not check conn->refcnt
at all, so the hold/drop refcount cannot prevent the UAF
in entry->destroy callbacks.
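To make the mismatch described above concrete, here is a small model in C, written for this thread and not taken from the kernel's hci_conn code: all names (`conn_hold`, `conn_del_unsafe`, `conn_del_safe`, `run_scenario`, and so on) are hypothetical. It puts the two disciplines side by side: a delete path that frees unconditionally while a holder still has a reference, and the corrected form where delete only gives up the list's reference and the memory goes away when the last holder drops. The free is simulated with a flag so the misuse can be observed instead of corrupting the heap.

```c
/* Two refcount disciplines for a connection object, side by side.
 * Constructed model for illustration; not the kernel's hci_conn code,
 * and every identifier here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct conn {
    int  refcnt;   /* outstanding holders (owning list + callbacks) */
    bool freed;    /* stands in for put_device()/kfree(): memory is gone */
};

struct outcome {
    bool touched_after_free;  /* a holder used the object after it was freed */
    int  refcnt_at_free;      /* holders still outstanding when freed */
    bool freed_at_end;        /* object eventually released (no leak) */
};

static struct conn *conn_new(void)
{
    struct conn *c = calloc(1, sizeof *c);
    if (c)
        c->refcnt = 1;        /* the owning list's reference */
    return c;
}

static void conn_hold(struct conn *c) { c->refcnt++; }

/* Simulated release: records the refcnt at that moment and marks the
 * memory gone so later accesses can be detected rather than crash. */
static void conn_release(struct conn *c, struct outcome *o)
{
    o->refcnt_at_free = c->refcnt;
    c->freed = true;
}

/* Pattern described in the thread: the delete path frees without
 * consulting refcnt, so hold()/drop() cannot protect a holder. */
static void conn_del_unsafe(struct conn *c, struct outcome *o)
{
    conn_release(c, o);
}

static void conn_drop_unsafe(struct conn *c, struct outcome *o)
{
    if (c->freed)
        o->touched_after_free = true;   /* would be a UAF on real memory */
    c->refcnt--;
}

/* Corrected pattern: delete only gives up the list's reference; the
 * memory is released when the last holder drops. */
static void conn_drop_safe(struct conn *c, struct outcome *o)
{
    if (--c->refcnt == 0)
        conn_release(c, o);
}

static void conn_del_safe(struct conn *c, struct outcome *o)
{
    conn_drop_safe(c, o);     /* list gives up its reference, nothing more */
}

/* A holder (think: a destroy callback) that still dereferences the object. */
static void callback_use(struct conn *c, struct outcome *o)
{
    if (c->freed)
        o->touched_after_free = true;
    (void)c->refcnt;          /* the access itself */
}

/* Same event order under both disciplines:
 * hold by callback -> connection deleted -> callback runs -> callback drops. */
struct outcome run_scenario(bool safe)
{
    struct outcome o = {0};
    struct conn *c = conn_new();
    if (!c)
        return o;

    conn_hold(c);
    if (safe) conn_del_safe(c, &o);   else conn_del_unsafe(c, &o);
    callback_use(c, &o);
    if (safe) conn_drop_safe(c, &o);  else conn_drop_unsafe(c, &o);

    o.freed_at_end = c->freed;
    free(c);                  /* real cleanup of the model object */
    return o;
}

int main(void)
{
    struct outcome u = run_scenario(false);
    struct outcome s = run_scenario(true);
    printf("unsafe: touched_after_free=%d refcnt_at_free=%d\n",
           u.touched_after_free, u.refcnt_at_free);
    printf("safe:   touched_after_free=%d refcnt_at_free=%d freed=%d\n",
           s.touched_after_free, s.refcnt_at_free, s.freed_at_end);
    return 0;
}
```

In the unsafe run the object is released while two holders are still outstanding, and the callback's later access lands on freed memory; in the safe run the delete path merely drops the list's reference, the callback's access is fine, and the memory is released only when the callback's own drop brings the count to zero.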