From: Cen Zhang
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Cen Zhang
Subject: [PATCH] Bluetooth: L2CAP: avoid using hci_conn after dropping hold
Date: Wed, 6 May 2026 23:53:13 +0800
Message-Id: <20260506155313.1412894-1-zzzccc427@gmail.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

l2cap_chan_connect() drops the temporary HCI connection hold after
__l2cap_chan_add() attaches the L2CAP channel and takes its own hold. The
function then checks hcon->state to see whether the channel can be started
immediately because the underlying HCI link is already connected.

Keep that state sample before hci_conn_drop(hcon), and only use the cached
result afterwards. This avoids dereferencing hcon after the temporary hold
has been released.

Use READ_ONCE() for the sample because HCI connection state can be advanced
concurrently by the command-sync worker while L2CAP is setting up the
channel. The sampled state is only an optimization for the already-connected
case: a stale non-connected value leaves the L2CAP channel pending for the
normal HCI connect confirmation path.

Signed-off-by: Cen Zhang
---
 net/bluetooth/l2cap_core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 95c65fece39bd..40e84c1623a9c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7078,6 +7078,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le1= 6 psm, u16 cid, struct l2cap_conn *conn; struct hci_conn *hcon; struct hci_dev *hdev; + bool link_connected; int err; =20 BT_DBG("%pMR -> %pMR (type %u) psm 0x%4.4x mode 0x%2.2x", &chan->src, @@ -7222,6 +7223,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le1= 6 psm, u16 cid, chan->src_type =3D bdaddr_src_type(hcon); =20 __l2cap_chan_add(conn, chan); + link_connected =3D READ_ONCE(hcon->state) =3D=3D BT_CONNECTED; =20 /* l2cap_chan_add takes its own ref so we can drop this one */ hci_conn_drop(hcon); @@ -7236,7 +7238,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le1= 6 psm, u16 cid, chan->sport =3D 0; write_unlock(&chan_list_lock); =20 - if (hcon->state =3D=3D BT_CONNECTED) { + if (link_connected) { if (chan->chan_type !=3D L2CAP_CHAN_CONN_ORIENTED) { __clear_chan_timer(chan); if (l2cap_chan_check_security(chan, true))
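Review bot: in the first hunk `bool link_connected;` is declared without an initializer. Its only assignment is the one added after `__l2cap_chan_add(conn, chan)` in the second hunk and its only use is the `if (link_connected)` in the third, so the patch relies on no path reaching that branch without passing the assignment. The visible context between the two is straight-line code, so this is a request to confirm rather than a defect found; initializing the variable to `false` at the declaration would make that intent explicit and keep -Wmaybe-uninitialized quiet if the code between the two points ever grows a label.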
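Review bot: the second hunk's justification is not fully visible in the diff itself. The retained context comment `/* l2cap_chan_add takes its own ref so we can drop this one */` says the channel keeps its own reference on the connection, so the `hci_conn_drop(hcon)` that follows the new `link_connected = READ_ONCE(hcon->state) == BT_CONNECTED;` line does not by itself release hcon; the commit message should name the path (or cite the report) under which hcon can actually go away between that drop and the later state check, or else describe the change as hardening against a future refcount rearrangement rather than as fixing a live use-after-free. It is also worth stating in the commit message that READ_ONCE() here only guards against a torn or repeated load and does not order the sample against the command-sync worker's store; that is acceptable only because, as the message already says, a stale non-connected value is tolerated.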
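Review bot: in the third hunk, replacing `hcon->state == BT_CONNECTED` with the cached `link_connected` widens the window in which the sampled value can be stale: the sample is now taken before `hci_conn_drop(hcon)`, the `chan_list_lock` section and the `chan->sport = 0` reset instead of immediately before the branch, so a link that becomes connected inside that window is handled by the connect-confirmation path rather than started here. The commit message states that this is acceptable, but the code does not; a one-line comment beside the `link_connected` assignment saying why the state is sampled before the drop would stop a future cleanup from moving the check back onto hcon.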