From: SeungJu Cheon
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, me@brighamcampbell.com, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev, SeungJu Cheon
Subject: [PATCH v1 1/2] Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls
Date: Sat, 30 May 2026 02:33:46 +0900
Message-ID: <20260529173347.43967-2-suunj1331@gmail.com>
In-Reply-To: <20260529173347.43967-1-suunj1331@gmail.com>
References: <20260529173347.43967-1-suunj1331@gmail.com>

iso_connect_bis(), iso_connect_cis(), iso_listen_bis(), and
iso_conn_big_sync() all call hci_get_route() reading iso_pi(sk)->dst,
iso_pi(sk)->src, and iso_pi(sk)->src_type without holding lock_sock.
These fields can be concurrently written by another thread calling
connect() or setsockopt() on the same socket, leading to torn reads
or TOCTOU mismatches.

Fix by snapshotting dst, src, and src_type into local variables under
lock_sock before calling hci_get_route() in all four functions.

BUG: KCSAN: data-race in memcmp+0x45/0xb0

race at unknown origin, with read to 0xffff8880122135cf of 1 bytes by task 333 on cpu 1:
 memcmp+0x45/0xb0
 hci_get_route+0x27e/0x490
 iso_connect_cis+0x4c/0xa10
 iso_sock_connect+0x60e/0xb30
 __sys_connect_file+0xbd/0xe0
 __sys_connect+0xe0/0x110
 __x64_sys_connect+0x40/0x50
 x64_sys_call+0xcad/0x1c60
 do_syscall_64+0x133/0x590
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency")
Signed-off-by: SeungJu Cheon
---
 net/bluetooth/iso.c | 51 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 39 insertions(+), 12 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index d7af617cda45..58bb3a10d49f 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -337,12 +337,19 @@ static int iso_connect_bis(struct sock *sk) struct iso_conn *conn; struct hci_conn *hcon; struct hci_dev *hdev; + bdaddr_t src, dst; + u8 src_type; int err; =20 - BT_DBG("%pMR (SID 0x%2.2x)", &iso_pi(sk)->src, iso_pi(sk)->bc_sid); + lock_sock(sk); + bacpy(&dst, &iso_pi(sk)->dst); + bacpy(&src, &iso_pi(sk)->src); + src_type =3D iso_pi(sk)->src_type; + release_sock(sk); + + BT_DBG("%pMR (SID 0x%2.2x)", &src, iso_pi(sk)->bc_sid); =20 - hdev =3D hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, - iso_pi(sk)->src_type); + hdev =3D hci_get_route(&dst, &src, src_type); if (!hdev) return -EHOSTUNREACH; =20 @@ -430,12 +437,19 @@ static int iso_connect_cis(struct sock *sk) struct iso_conn *conn; struct hci_conn *hcon; struct hci_dev *hdev; + bdaddr_t src, dst; + u8 src_type; int err; =20 - BT_DBG("%pMR -> %pMR", &iso_pi(sk)->src, &iso_pi(sk)->dst); + lock_sock(sk); + bacpy(&dst, &iso_pi(sk)->dst); + bacpy(&src, &iso_pi(sk)->src); + src_type =3D iso_pi(sk)->src_type; + release_sock(sk); + + BT_DBG("%pMR -> %pMR", &src, &dst); =20 - hdev =3D hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, - iso_pi(sk)->src_type); + hdev =3D hci_get_route(&dst, &src, src_type); if (!hdev) return -EHOSTUNREACH; =20 @@ -1210,11 +1224,18 @@ static int iso_listen_bis(struct sock *sk) { struct hci_dev *hdev; int err =3D 0; + bdaddr_t src, dst; + u8 src_type; struct iso_conn *conn; struct hci_conn *hcon; =20 - BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &iso_pi(sk)->src, - &iso_pi(sk)->dst, iso_pi(sk)->bc_sid); + lock_sock(sk); + bacpy(&dst, &iso_pi(sk)->dst); + bacpy(&src, &iso_pi(sk)->src); + src_type =3D iso_pi(sk)->src_type; + release_sock(sk); + + BT_DBG("%pMR -> %pMR (SID 0x%2.2x)", &src, &dst, iso_pi(sk)->bc_sid); =20 write_lock(&iso_sk_list.lock); =20 
@@ -1227,8 +1248,7 @@ static int iso_listen_bis(struct sock *sk) if (err) return err; =20 - hdev =3D hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, - iso_pi(sk)->src_type); + hdev =3D hci_get_route(&dst, &src, src_type); if (!hdev) return -EHOSTUNREACH; =20 
@@ -1564,9 +1584,16 @@ static void iso_conn_big_sync(struct sock *sk) { int err; struct hci_dev *hdev; + bdaddr_t src, dst; + u8 src_type; + + lock_sock(sk); + bacpy(&dst, &iso_pi(sk)->dst); + bacpy(&src, &iso_pi(sk)->src); + src_type =3D iso_pi(sk)->src_type; + release_sock(sk); =20 - hdev =3D hci_get_route(&iso_pi(sk)->dst, &iso_pi(sk)->src, - iso_pi(sk)->src_type); + hdev =3D hci_get_route(&dst, &src, src_type); =20 if (!hdev) return; --=20 2.52.0
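
Review bot: in iso_connect_bis(), iso_connect_cis(), iso_listen_bis() and iso_conn_big_sync() the socket lock is dropped immediately after the three copies, so the snapshot rules out a torn read but not the TOCTOU case the commit message names. A concurrent connect() or setsockopt() can still rewrite iso_pi(sk)->dst, src or src_type right after release_sock(sk), and hdev is then resolved from values the socket no longer holds. The hunks do not show whether the remainder of each function keeps using the locals or goes back to iso_pi(sk); if it re-reads the live fields, the route and the connection can be built from different addresses. Either carry dst, src and src_type through the rest of each function or narrow the commit message to the torn-read case. In iso_listen_bis() the copy is also taken at function entry while its only visible use is in the later @@ -1227 hunk, so taking it next to hci_get_route() would shorten the window.
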
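
Review bot: the BT_DBG lines added in iso_connect_bis() and iso_listen_bis() still read iso_pi(sk)->bc_sid after release_sock(sk), which is the same unlocked-read pattern this patch removes for the address fields. Snapshot bc_sid in the same critical section or move the BT_DBG call inside it. As a style point, iso_listen_bis() places "bdaddr_t src, dst;" and "u8 src_type;" between "int err = 0;" and "struct iso_conn *conn;", while the other three functions append them after the existing struct declarations; keeping the same placement in all four makes the series easier to read.
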
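
Review bot: lock_sock(sk) is now taken at entry to iso_conn_big_sync() and the three connect/listen helpers, but the commit message does not say what context their callers are in. lock_sock() can sleep and does not nest, so a caller that already owns the socket lock or holds a spinlock would deadlock or trigger a sleeping-in-atomic warning. Since the Fixes: tag points at a commit about a circular locking dependency, please add a sentence stating that every caller reaches these functions with the socket lock released, and that taking it here does not reintroduce the ordering problem that commit resolved.
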
From: SeungJu Cheon
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, me@brighamcampbell.com, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev, SeungJu Cheon
Subject: [PATCH v1 2/2] Bluetooth: SCO: Fix data-race on dst in sco_connect
Date: Sat, 30 May 2026 02:33:47 +0900
Message-ID: <20260529173347.43967-3-suunj1331@gmail.com>
In-Reply-To: <20260529173347.43967-1-suunj1331@gmail.com>
References: <20260529173347.43967-1-suunj1331@gmail.com>

sco_sock_connect() copies the destination address into
sco_pi(sk)->dst under lock_sock, then releases the lock and calls
sco_connect(), which reads dst back without holding any lock in
hci_get_route() and hci_connect_sco().

If two threads call connect() on the same socket concurrently with
different addresses, one thread can overwrite dst before the other
thread's sco_connect() reads it.

Fix by snapshotting dst into a local variable under lock_sock at the
start of sco_connect(), matching the approach used for ISO in the
previous patch.

BUG: KCSAN: data-race in memcmp+0x45/0xb0

race at unknown origin, with read to 0xffff88800e6b0dd0 of 1 bytes by task 315 on cpu 0:
 memcmp+0x45/0xb0
 hci_connect_acl+0x1b7/0x6b0
 hci_connect_sco+0x4d/0xb30
 sco_sock_connect+0x27b/0xd60
 __sys_connect_file+0xbd/0xe0
 __sys_connect+0xe0/0x110
 __x64_sys_connect+0x40/0x50
 x64_sys_call+0xcad/0x1c60
 do_syscall_64+0x133/0x590
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 9a8ec9e8ebb5 ("Bluetooth: Fix three socket race condition bugs in sco.c")
Signed-off-by: SeungJu Cheon
---
 net/bluetooth/sco.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index f1799c6a6f87..c9f6a8aaee57 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -312,11 +312,16 @@ static int sco_connect(struct sock *sk) struct sco_conn *conn; struct hci_conn *hcon; struct hci_dev *hdev; + bdaddr_t dst; int err, type; =20 - BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst); + lock_sock(sk); + bacpy(&dst, &sco_pi(sk)->dst); + release_sock(sk); + + BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &dst); =20 - hdev =3D hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR); + hdev =3D hci_get_route(&dst, &sco_pi(sk)->src, BDADDR_BREDR); if (!hdev) return -EHOSTUNREACH; =20 @@ -336,7 +341,7 @@ static int sco_connect(struct sock *sk) break; } =20 - hcon =3D hci_connect_sco(hdev, type, &sco_pi(sk)->dst, + hcon =3D hci_connect_sco(hdev, type, &dst, sco_pi(sk)->setting, &sco_pi(sk)->codec, READ_ONCE(sk->sk_sndtimeo)); if (IS_ERR(hcon)) { --=20 2.52.0
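
Review bot: the lock_sock()/bacpy()/release_sock() sequence added at the top of sco_connect() is a second critical section, separate from the one in sco_sock_connect() that stores sco_pi(sk)->dst, so the scenario in the commit message stays open. Another thread's connect() can overwrite dst between the two sections, and this thread then snapshots and connects to the other thread's address. The copy only removes the torn read KCSAN reported. To close the logical race, pass the address from sco_sock_connect() into sco_connect() as an argument, or take the copy inside the same locked region that writes it. The first hunk also leaves &sco_pi(sk)->src read without the lock in both BT_DBG and "hci_get_route(&dst, &sco_pi(sk)->src, BDADDR_BREDR)", unlike the ISO patch, which snapshots src as well; either snapshot it here or say in the commit message why src is stable at this point.
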
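
Review bot: the hci_connect_sco() call in the @@ -336 hunk now takes &dst from the snapshot but still passes sco_pi(sk)->setting and &sco_pi(sk)->codec without the socket lock. If setsockopt() on the same socket can change these concurrently, they need the same treatment as dst; otherwise the commit message should state why they cannot change here. Because codec is passed by pointer, a local copy would have to stay in scope for the whole call.
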