[PATCH v4 5/7] Bluetooth: hci_sync: hold conn in hci_past_sync() callback

Next message: WenTao Liang: "[PATCH v2] edac: fix kobject refcount leak in edac_device_create_instance"
Previous message: Pauli Virtanen: "[PATCH v4 7/7] Bluetooth: hci_sync: remove unnecessary hci_conn_get in create_conn_sync"
In reply to: Pauli Virtanen: "[PATCH v4 7/7] Bluetooth: hci_sync: remove unnecessary hci_conn_get in create_conn_sync"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pauli Virtanen

Date: Sun Jun 28 2026 - 09:24:38 EST

Avoids giving freed pointers to hci_conn_valid(), which kmalloc may have
reused.

Hold refcount to avoid that.

Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
Signed-off-by: Pauli Virtanen <pav@xxxxxx>
---

Notes:
v4:
- no change
v3:
- split to multiple patches per different Fixes:

net/bluetooth/hci_sync.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 56018214120b..88572e52c860 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -7461,6 +7461,8 @@ static void past_complete(struct hci_dev *hdev, void *data, int err)

bt_dev_dbg(hdev, "err %d", err);

+ hci_conn_put(past->conn);
+ hci_conn_put(past->le);
kfree(past);
}

@@ -7525,8 +7527,8 @@ int hci_past_sync(struct hci_conn *conn, struct hci_conn *le)
if (!data)
return -ENOMEM;

- data->conn = conn;
- data->le = le;
+ data->conn = hci_conn_get(conn);
+ data->le = hci_conn_get(le);

if (conn->role == HCI_ROLE_MASTER)
err = hci_cmd_sync_queue_once(conn->hdev,
@@ -7536,8 +7538,11 @@ int hci_past_sync(struct hci_conn *conn, struct hci_conn *le)
err = hci_cmd_sync_queue_once(conn->hdev, hci_le_past_sync,
data, past_complete);

- if (err)
+ if (err) {
+ hci_conn_put(data->conn);
+ hci_conn_put(data->le);
kfree(data);
+ }

return (err == -EEXIST) ? 0 : err;
}
--
2.54.0