Re: [PATCH RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout

Next message: Miguel Ojeda: "Re: [PATCH 6.12 000/261] 6.12.94-rc1 review"
Previous message: Thomas Zimmermann: "Re: [PATCH] drm: Consistently define pci_device_ids using named initializers"
In reply to: Sungwoo Kim: "[PATCH RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sungwoo Kim

Date: Wed Jun 17 2026 - 05:23:51 EST

On Tue, Jun 16, 2026 at 11:55 PM Sungwoo Kim <iam@xxxxxxxxxxxx> wrote:
>
> RFC only.
>
> The hci_conn_timeout() function dereferences hdev->sent_cmd when handling
> connection timeouts. However, an HCI_EV_HARDWARE_ERROR can trigger an
> asynchronous reset sequence that sets hdev->sent_cmd to NULL via
> hci_dev_close_sync().
>
> hdev->sent_cmd is dereferenced when conn->disc_work timeout:
>
> hci_conn_timeout()
> hci_abort_conn()
> switch (hci_skb_event(hdev->sent_cmd)) {
> ...
>
> However, an HCI hardware error event (HCI_EV_HARDWARE_ERROR) resets the
> hci device, setting hdev->sent_cmd = NULL asynchornously:
>
> hci_hardware_error_evt()
> hci_error_reset() (async)
> hci_dev_do_close()
> hci_dev_close_sync()
> hdev->sent_cmd = NULL;
>
> As a result, a race condition exists between conn->disc_work execution
> and the reset path, which can lead to a NULL pointer dereference when
> hci_abort_conn() accesses hdev->sent_cmd.

The Sashiko review[1] looks correct.
The race window is invalid because hci_conn_hash_flush() synchronously
disables all conn->disc_work, so hci_abort_conn() cannot execute
concurrently with hdev->sent_cmd being cleared.

[1] https://sashiko.dev/#/patchset/20260617035421.341457-2-iam%40sung-woo.kim

[snip]