[PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
From: Alva Lan
Date: Mon Jun 08 2026 - 06:15:27 EST
From: Pauli Virtanen <pav@xxxxxx>
[ Upstream commit a2639a7f0f5bf7d73f337f8f077c19415c62ed2c ]
hci_conn lookup and field access must be covered by hdev lock in
set_cig_params_sync, otherwise it's possible it is freed concurrently.
Take hdev lock to prevent hci_conn from being deleted or modified
concurrently. Just RCU lock is not suitable here, as we also want to
avoid "tearing" in the configuration.
Fixes: a091289218202 ("Bluetooth: hci_conn: Fix hci_le_set_cig_params")
Signed-off-by: Pauli Virtanen <pav@xxxxxx>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@xxxxxxxxxxx>
---
net/bluetooth/hci_conn.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index f51c530a3c45..ab86cc4a5e3f 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1734,9 +1734,13 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
struct iso_cig_params pdu;
u8 cis_id;
+ hci_dev_lock(hdev);
+
conn = hci_conn_hash_lookup_cig(hdev, cig_id);
- if (!conn)
+ if (!conn) {
+ hci_dev_unlock(hdev);
return 0;
+ }
memset(&pdu, 0, sizeof(pdu));
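Review bot: the `+ if (!conn) {` path now drops the lock before `return 0`, but this hunk shows only one exit between `hci_dev_lock(hdev)` and the matching `hci_dev_unlock(hdev)` in the next hunk (around line 1780); please confirm that none of the elided lines in between (the loop that fills `cis->p_rtn` and the other cis fields) contain a `return` or `goto` that would leave hdev->lock held. It would also help to state in the commit message that set_cig_params_sync runs in a context where the caller does not already hold hdev->lock, since hci_dev_lock() is not re-entrant and a nested acquisition here would deadlock.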
@@ -1776,6 +1780,8 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
cis->p_rtn = qos->ucast.in.rtn;
}
+ hci_dev_unlock(hdev);
+
if (!pdu.cp.num_cis)
return 0;
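Review bot: placing `hci_dev_unlock(hdev)` before the `if (!pdu.cp.num_cis)` check means everything the command needs must already be copied into `pdu` at that point; please confirm that the code following this hunk only reads `pdu` and never dereferences `conn`, `cis` or `qos` again, as any such access after the unlock reintroduces the concurrent-free window the commit message describes. A short comment above the unlock noting that `pdu` is the complete snapshot and `conn` must not be used past this point would make that invariant explicit for future backports.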
--
2.43.0