[PATCH v3 5/7] Bluetooth: hci_sync: hold conn in hci_past_sync() callback

Next message: Pauli Virtanen: "[PATCH v3 6/7] Bluetooth: hci_sync: fix hci_conn_del() use in hci_le_create_conn_sync"
Previous message: Pauli Virtanen: "[PATCH v3 4/7] Bluetooth: hci_sync: hold conn in hci_connect_pa_sync() callback"
In reply to: Pauli Virtanen: "[PATCH v3 4/7] Bluetooth: hci_sync: hold conn in hci_connect_pa_sync() callback"
Next in thread: Pauli Virtanen: "[PATCH v3 6/7] Bluetooth: hci_sync: fix hci_conn_del() use in hci_le_create_conn_sync"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pauli Virtanen

Date: Sun Jun 28 2026 - 08:14:59 EST

Avoids giving freed pointers to hci_conn_valid(), which kmalloc may have
reused.

Hold refcount to avoid that.

Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
Signed-off-by: Pauli Virtanen <pav@xxxxxx>
---

Notes:
v3:
- split to multiple patches per different Fixes:

net/bluetooth/hci_sync.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index bb59952779dd..0bbc57792206 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -7458,6 +7458,8 @@ static void past_complete(struct hci_dev *hdev, void *data, int err)

bt_dev_dbg(hdev, "err %d", err);

+ hci_conn_put(past->conn);
+ hci_conn_put(past->le);
kfree(past);
}

@@ -7522,8 +7524,8 @@ int hci_past_sync(struct hci_conn *conn, struct hci_conn *le)
if (!data)
return -ENOMEM;

- data->conn = conn;
- data->le = le;
+ data->conn = hci_conn_get(conn);
+ data->le = hci_conn_get(le);

if (conn->role == HCI_ROLE_MASTER)
err = hci_cmd_sync_queue_once(conn->hdev,
@@ -7533,8 +7535,11 @@ int hci_past_sync(struct hci_conn *conn, struct hci_conn *le)
err = hci_cmd_sync_queue_once(conn->hdev, hci_le_past_sync,
data, past_complete);

- if (err)
+ if (err) {
+ hci_conn_put(data->conn);
+ hci_conn_put(data->le);
kfree(data);
+ }

return (err == -EEXIST) ? 0 : err;
}
--
2.54.0