[PATCH v3 1/7] Bluetooth: hci_conn: hold conn reference in abort_conn_sync()

Next message: Pauli Virtanen: "[PATCH v3 4/7] Bluetooth: hci_sync: hold conn in hci_connect_pa_sync() callback"
Previous message: Pauli Virtanen: "[PATCH v3 2/7] Bluetooth: hci_sync: hold conn in hci_connect_acl/le_sync() callbacks"
Next in thread: Pauli Virtanen: "[PATCH v3 3/7] Bluetooth: hci_sync: hold conn in hci_connect_big_sync() callback"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pauli Virtanen

Date: Sun Jun 28 2026 - 08:13:45 EST

There is theoretical UAF if the conn is freed while the hci_sync task is
running.

Hold refcount to avoid that.

Fixes: 227a0cdf4a02 ("Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT")
Signed-off-by: Pauli Virtanen <pav@xxxxxx>
---

Notes:
v3:
- split to multiple patches per different Fixes:

net/bluetooth/hci_conn.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 1966cd153d97..6036ff66d8d9 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -3163,6 +3163,13 @@ static int abort_conn_sync(struct hci_dev *hdev, void *data)
return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
}

+static void abort_conn_destroy(struct hci_dev *hdev, void *data, int err)
+{
+ struct hci_conn *conn = data;
+
+ hci_conn_put(conn);
+}
+
int hci_abort_conn(struct hci_conn *conn, u8 reason)
{
struct hci_dev *hdev = conn->hdev;
@@ -3188,7 +3195,10 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
* as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
* already queue its callback on cmd_sync_work.
*/
- err = hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
+ err = hci_cmd_sync_run_once(hdev, abort_conn_sync, hci_conn_get(conn),
+ abort_conn_destroy);
+ if (err)
+ hci_conn_put(conn);
return (err == -EEXIST) ? 0 : err;
}

--
2.54.0