Re: [PATCH] Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete

Next message: Andrei Vagin: "[PATCH 05/10] x86/fpu: Fix potential underflow in xstate_calculate_size()"
Previous message: Mike Rapoport: "Re: [PATCH v2 16/18] memblock: make HugeTLB bootmem allocation work with KHO"
In reply to: Samuel Page: "[PATCH] Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+bluetooth

Date: Mon Jun 15 2026 - 15:40:19 EST

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Mon, 15 Jun 2026 16:09:22 +0100 you wrote:
> add_device_complete() runs from the hci_cmd_sync_work kworker, which
> holds only hci_req_sync_lock and *not* hci_dev_lock. It calls
> hci_conn_params_lookup() and then dereferences the returned object
> (params->flags) without taking hci_dev_lock:
>
> params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
> le_addr_type(cp->addr.type));
> ...
> device_flags_changed(NULL, hdev, &cp->addr.bdaddr,
> cp->addr.type, hdev->conn_flags,
> params ? params->flags : 0);
>
> [...]

Here is the summary with links:
- Bluetooth: MGMT: Fix UAF of hci_conn_params in add_device_complete
https://git.kernel.org/bluetooth/bluetooth-next/c/cb20f6afc25b

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html