Re: [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

Next message: Shuangpeng Bai: "[PATCH] misc: pci_endpoint_test: fix use-after-free after device unbind"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] misc: nsm: bound the device-reported response length"
In reply to: XIAO WU: "Re: [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Sun Jun 21 2026 - 01:38:51 EST

On Sun, Jun 21, 2026 at 09:57:51AM +0800, XIAO WU wrote:
> Hi,
>
> I came across a Sashiko AI code review [1] that flagged a related
> use-after-free in `get_l2cap_conn()` — it has the same lock-dropping
> pattern that your patch fixes in `set_cig_params_sync()`.
>
> I was able to trigger it in QEMU with KASAN on a 6.6.y kernel. Writing
> to the 6lowpan debugfs control file races against connection teardown.

That's a very old kernel version, can you try 7.1.1 please? Also, can
you just send a fix for it if it is an issue there?

thanks,

greg k-h