From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE46C22FAFD; Sun, 2 Nov 2025 16:23:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100588; cv=pass; b=GYXX963ZC4puZtJl4On5Cc1pfbbJoxCNq2JebLPY3+EYXzOWOiJfvRxsz/wM3kIFyTWHBA5bSBt+hxwyhJz5DqW5o18wXDTYvvIa8UeuspdAkX/viUWk6au80AkXY06Uql+GQz6t7Eb4xB/lPRcMVyjNI1Tuw4TBHYgf6AwWp1M= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100588; c=relaxed/simple; bh=9P2BfdWr0ULqbleM1ZYC3iKyp/JalPh7fDzObFhwjiU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=g/k3QcP32EU/b5NYCE5Rkrh3PYNpw851zt9vvfwg1EG5/prvEMJAbsV4/tY0ihJIa28zRVruCp3A9VAw/dqm+KcQUMn7EixMogqQPAwB8MZeHsQgssNeu7Z6EZRRRBDlNOCvA949X8KsF+5365baZ2yoXq3u4eEXTmhG7LBNfUE= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=yJCz2zKb; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="yJCz2zKb" Received: from monolith.lan (unknown [IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00PX0TWPz102R; Sun, 2 Nov 2025 18:22:55 
+0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100576; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=FXhhbeiBtqg1CFuh+OtSZuOuHQVw/IOKMOafPmVriC4=; b=yJCz2zKbg6SzBpz7fxhEiZeTowd6b0X3UrxV9cOum9ZBXOVGYuREAO/isGSwK5SsraVR4I dAuoROBP8SQE64gLc4Ui/KRRI4wmK6t2INm/fwZY+do4P2pgu/K34/wZ82q3x8tb8+Yw+n i2hzDA2uR388hq+5xlm2yWEmVUkZTo8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100576; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=FXhhbeiBtqg1CFuh+OtSZuOuHQVw/IOKMOafPmVriC4=; b=hdFcW7whbEow/4kiWn4sa1bMyjyz/V0ZD/P2jZd7ITtdBFLd0RfYrogZ10jcNPa9GAA0h3 dryXmHxQTTHbCMafDwJYreqF7epHVTTTpYlEttRCEfwddKlIKZ+N8C0bxvmB4eqSNrar7k E52YB6B17CtjFK+NC1lyYVtp9rs0G7k= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100576; a=rsa-sha256; cv=none; b=xMi5b177SK/nVf+oPZtWPnNj1xZkFLfp8BRszsiFvSvwX6E5T57zuYC27Vdh+MHGJ7qkF6 zsYY2aD40JpLRqw6mFw7IX8wUxmVKerPPWUwQKw+oCFr5MVxQgn4Bh/tRaZ15C1bwNTard TokORly0KnVFsDwB6vmnRnt+7VZH64k= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 1/8] Bluetooth: hci_event: extend hdev lock in hci_le_remote_conn_param_req_evt Date: Sun, 2 Nov 2025 18:19:33 +0200 Message-ID: <2486739e3daff8e4fbc0e7fc95fb2e86f866cbc2.1762100290.git.pav@iki.fi> X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Cover conn lookup and field access with hdev lock in hci_le_remote_conn_param_req_evt. This avoids any concurrent deletion of the conn before we are done dereferencing it. Fixes: 95118dd4edfec ("Bluetooth: hci_event: Use of a function table to han= dle LE subevents") Signed-off-by: Pauli Virtanen --- Notes: v2: - no change net/bluetooth/hci_event.c | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index ba0a7b41611f..54f757017f3f 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c 
@@ -6675,25 +6675,31 @@ static void hci_le_remote_conn_param_req_evt(struct= hci_dev *hdev, void *data, latency =3D le16_to_cpu(ev->latency); timeout =3D le16_to_cpu(ev->timeout); =20 + hci_dev_lock(hdev); + hcon =3D hci_conn_hash_lookup_handle(hdev, handle); - if (!hcon || hcon->state !=3D BT_CONNECTED) - return send_conn_param_neg_reply(hdev, handle, - HCI_ERROR_UNKNOWN_CONN_ID); + if (!hcon || hcon->state !=3D BT_CONNECTED) { + send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_UNKNOWN_CONN_ID); + goto unlock; + } =20 - if (max > hcon->le_conn_max_interval) - return send_conn_param_neg_reply(hdev, handle, - HCI_ERROR_INVALID_LL_PARAMS); + if (max > hcon->le_conn_max_interval) { + send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); + goto unlock; + } =20 - if (hci_check_conn_params(min, max, latency, timeout)) - return send_conn_param_neg_reply(hdev, handle, - HCI_ERROR_INVALID_LL_PARAMS); + if (hci_check_conn_params(min, max, latency, timeout)) { + send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); + goto unlock; + } =20 if (hcon->role =3D=3D HCI_ROLE_MASTER) { struct hci_conn_params *params; u8 store_hint; =20 - hci_dev_lock(hdev); - params =3D hci_conn_params_lookup(hdev, &hcon->dst, hcon->dst_type); if (params) { @@ -6706,8 +6712,6 @@ static void hci_le_remote_conn_param_req_evt(struct h= ci_dev *hdev, void *data, store_hint =3D 0x00; } =20 - hci_dev_unlock(hdev); - mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, store_hint, min, max, latency, timeout); } 
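Review bot: mgmt_new_conn_param() is now reached with hdev->lock held, at the end of the second hunk (`@@ -6706`), where the old code dropped the lock immediately before the call; that is only safe if mgmt_new_conn_param() and the mgmt event path behind it never take hdev->lock themselves, which is not visible here and is worth a sentence in the commit message. The same question applies to send_conn_param_neg_reply() in the three error branches and to hci_send_cmd() at the `unlock:` hunk on the next line. A short comment at the new `hci_dev_lock(hdev);` would tell the next reader how far the lock is meant to reach, e.g. `/* Held until unlock: keeps hcon from being deleted while its fields are read */`. The function's signature precedes the hunk and its body continues into the following hunks.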
@@ -6721,6 +6725,9 @@ static void hci_le_remote_conn_param_req_evt(struct h= ci_dev *hdev, void *data, cp.max_ce_len =3D 0; =20 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); + +unlock: + hci_dev_unlock(hdev); } =20 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE37A15530C; Sun, 2 Nov 2025 16:23:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100588; cv=pass; b=bov15vB5urmAG1eZOo8biWecJ015/MBYIhNuhqPVT09ftGE+tU8hzX+vRAotjmiQUP3se/TYpikbIOl0ttna9oJNxdjk89gp1fNf7zpQTzjnnqXRsqA8t8AU6DPuNcn3I7fTRqLH43rRqt0RHHI5j7yB1S9ChxKGu00fr3lYRXU= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100588; c=relaxed/simple; bh=oKLjK/NSBdKcNwwSIYxIn5RHUqqNednNrnl22/bEtE0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WOLdaqH+YlrjLqQ44iLkf6xRJSehom6+DeG1kwJC1sAR/iDC9YTXwdMZkx7VwkQYui4u8dJJqUjITwarMTNVIv39KfuVCOWeXNT81pCJolQkokYBtaaf62cgTTiC4l4v5PoKFixn5WhW9CEYIzRwZLAk2wRtdvXMGv4gXFb2+N0= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=h3Kecrkk; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="h3Kecrkk" Received: from monolith.lan (unknown 
[IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00PY1cK8z1035; Sun, 2 Nov 2025 18:22:57 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100578; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9U/BbAjh/xn6PO3Jg0qRnrKxB7kTBCZUsPfq6R8y6zg=; b=h3KecrkkrkYJNilgncwKlqpFrnPBPYW7etgSm2ilKPg/N/G/RfWaeRMrK2i4kQ/I4Mfbi9 5y2+AOsySKb0n6uiuQGtIfm7IS5aQXCFAMJUap1lE4Jy1kxDE7JjUCojp1NnIaYe8n02LO 2vPHFB8bukmDZf13yFMw+zpxzfaBdgE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100578; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9U/BbAjh/xn6PO3Jg0qRnrKxB7kTBCZUsPfq6R8y6zg=; b=ODVtqh5dlPWkrTxnI9yr44mUlkIPUyS8o6eoN5w93U0l4vdUrQGpXogNwx1pQ2Uz1XM+mX R1y8F03PB4NL9r45TIZEo018nlzSzF+WbW8B4oNUes8yu+F6vD0nl+Q221sU26PBVL/Kp2 xFRMZIEI2Rk82cimdLC6hcgY6eHSHN4= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100578; a=rsa-sha256; cv=none; b=xsQDXlcF1OK532y0mfpHrBhr82MRqfeaWAzem4fCLEI0OPLzo9+d2YpWwSHQGDRhOJrI5t yBbjUphtAkQucNXHGi7LcJpMexRWo/oxG8TSRV9LgY8kmpnS4jlQkBeFgWdrztKvhhuhgc BQvpLuXaAbngnymC+xV+XrApPqwRIj0= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 2/8] Bluetooth: hci_conn: take hdev lock in set_cig_params_sync Date: Sun, 2 Nov 2025 18:19:34 +0200 Message-ID: X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Fixes: a091289218202 ("Bluetooth: hci_conn: Fix hci_le_set_cig_params") Signed-off-by: Pauli Virtanen --- Notes: v2: - no change net/bluetooth/hci_conn.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index d6162a95048e..d140e5740f92 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1825,9 +1825,13 @@ static int set_cig_params_sync(struct hci_dev *hdev,= void *data) u8 aux_num_cis =3D 0; u8 cis_id; =20 + hci_dev_lock(hdev); + conn =3D hci_conn_hash_lookup_cig(hdev, cig_id); - if (!conn) + if (!conn) { + hci_dev_unlock(hdev); return 0; + } =20 qos =3D &conn->iso_qos; pdu->cig_id =3D cig_id; 
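Review bot: everything between this hunk and the `@@ -1866` hunk on the next line now runs with hdev->lock held, so any early `return` in that stretch (whatever computes `aux_num_cis`, which is outside the hunk) would leave the lock held; please confirm there is none, or use a single `goto unlock` exit as patch 1/8 does for hci_le_remote_conn_param_req_evt. `qos` is taken from `&conn->iso_qos` under the lock, but it is not visible whether it is still dereferenced after the new `hci_dev_unlock(hdev);`; if it is, either hold a reference with hci_conn_get() or move the unlock after the last use. set_cig_params_sync's body continues outside this hunk.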
@@ -1866,6 +1870,8 @@ static int set_cig_params_sync(struct hci_dev *hdev, = void *data) } pdu->num_cis =3D aux_num_cis; =20 + hci_dev_unlock(hdev); + if (!pdu->num_cis) return 0; =20 --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9DF08238C3A; Sun, 2 Nov 2025 16:23:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100589; cv=pass; b=guWYTdSthZQdaZ5vPX7oBHxA4MPpHwbIyO95wiHZTbVHxDqfyIobFkeQXgieYIE3l37sW7NsKoI+qH9EbED05SCO9q1auquuW/yCOjveaK19B8DkwsE5G8h8HFGSy/VQmd6C3pHSFGvYBuOdmPS+H8Hok4yP2S26kep1t3UWogI= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100589; c=relaxed/simple; bh=b1Bqvssg5Cc/l/cZnFZ8hmu68j1M45X9GPS34ss0NKk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eKQDGV7/Ozu267lUiEMu9v3ayEnTtbHWX2i82L6mD1gKyfHYcDlZ3Z/yPmaGxEjsC9i0Jn0zodGzM2kvTAJVt3qubSjzyFdoQnUMZ5alV2rPvc8XHxzhoRQeUyh+Yp1nbxuFhQwSZeVcrzN/I5LBjgGmQs3h1Tgx8pPzsN7FBjw= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=JHK3vqs6; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="JHK3vqs6" Received: from monolith.lan (unknown [IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00PZ2h5Dz104J; Sun, 2 Nov 2025 18:22:58 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BRXtUfZ8HN2xVlwrSvzPOVXF2tdZAWQwGDdWKbCSI+8=; b=JHK3vqs6r7higKBWqTG0WO+ngTyu9G78Y6O+kES5O/f2hKG32gPa33lmPvQLil2IS33Iw9 SZqlzL64oXJNvjc9VNRfpXktZycqX5Srh+uXwALXmliBO0U1tKzcqzJmpS/J/quy+N23D3 DC1905cCCog0rP6m40FgZIHalnuV9e4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BRXtUfZ8HN2xVlwrSvzPOVXF2tdZAWQwGDdWKbCSI+8=; b=w8ItkKwFgLjwnYdhUEuzg2ms8tWvcatm7zP8LrXwAu1nSiJWGAjOQFwzaUYJJEcUD3qLd+ bWmmxZErSRP6tOmGw7OJUOJ+4Sp1QL9YIUE73PXxrg6AvScSAIfzlq74251k015l0LB3c/ rGK2QS/c0b/XJhSfn7HAEmCGLaoRw3o= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100579; a=rsa-sha256; cv=none; b=Gv7mTH+fKjrswdn1aVgEWf/C7eTzBefMUm84pNjHUCEWLIT/OUhkTciAeq8vq9xV6iHORa 6VdLhCcXdad065wgygXQGeVtDxClbyW/QN9TAbmnfGl5ltTk7uRkFmUB9dgvon508qDpU2 pgEsbSfACc6L1t5MlGGkCoHRm2pEqpc= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 3/8] Bluetooth: mgmt: take lock and hold reference when handling hci_conn Date: Sun, 2 Nov 2025 18:19:35 +0200 Message-ID: <1ac16b2d328ccef42d09e875c09232bd7f0e32da.1762100290.git.pav@iki.fi> X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Take hdev/rcu lock to prevent concurrent deletion of the hci_conn we are handling. When using hci_conn* pointers across critical sections, always take refcount to keep the pointer valid. For hci_abort_conn() only hold refcount, as the function takes hdev->lock itself. Fixes: 227a0cdf4a028 ("Bluetooth: MGMT: Fix not generating command complete= for MGMT_OP_DISCONNECT") Signed-off-by: Pauli Virtanen --- Notes: v2: - no change net/bluetooth/mgmt.c | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 78b7af8bf45f..535c475c2d25 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -3081,6 +3081,8 @@ static int unpair_device_sync(struct hci_dev *hdev, v= oid *data) struct mgmt_cp_unpair_device *cp =3D cmd->param; struct hci_conn *conn; =20 + rcu_read_lock(); + if (cp->addr.type =3D=3D BDADDR_BREDR) conn =3D hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr); @@ -3088,6 +3090,11 @@ static int unpair_device_sync(struct hci_dev *hdev, = void *data) conn =3D hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, le_addr_type(cp->addr.type)); =20 + if (conn) + hci_conn_get(conn); + + rcu_read_unlock(); + if (!conn) return 0; =20 
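Review bot: the rcu_read_lock / address-type dispatch / hci_conn_get / rcu_read_unlock sequence is written out here in unpair_device_sync and again in disconnect_sync in the `@@ -3242` and `@@ -3249` hunks on the next line; a small static helper returning a referenced conn would keep the two in step and give the ownership rule one home. The helper's comment also makes explicit what the hunks leave implicit, that the caller owns the reference until hci_conn_put(). The call sites then reduce to `conn = mgmt_conn_lookup_get(hdev, &cp->addr);`. Both functions start before and end after their hunks.
```c
/* Look up the conn for a mgmt address and take a reference on it.
 * Returns NULL if no such conn exists; otherwise the caller owns the
 * reference and must drop it with hci_conn_put().
 */
static struct hci_conn *mgmt_conn_lookup_get(struct hci_dev *hdev,
					     struct mgmt_addr_info *addr)
{
	struct hci_conn *conn;

	rcu_read_lock();

	if (addr->type == BDADDR_BREDR)
		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
	else
		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
					       le_addr_type(addr->type));

	if (conn)
		hci_conn_get(conn);

	rcu_read_unlock();

	return conn;
}
```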
@@ -3095,6 +3102,7 @@ static int unpair_device_sync(struct hci_dev *hdev, v= oid *data) * will clean up the connection no matter the error. */ hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); + hci_conn_put(conn); =20 return 0; } @@ -3242,6 +3250,8 @@ static int disconnect_sync(struct hci_dev *hdev, void= *data) struct mgmt_cp_disconnect *cp =3D cmd->param; struct hci_conn *conn; =20 + rcu_read_lock(); + if (cp->addr.type =3D=3D BDADDR_BREDR) conn =3D hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr); @@ -3249,6 +3259,11 @@ static int disconnect_sync(struct hci_dev *hdev, voi= d *data) conn =3D hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, le_addr_type(cp->addr.type)); =20 + if (conn) + hci_conn_get(conn); + + rcu_read_unlock(); + if (!conn) return -ENOTCONN; =20 @@ -3256,6 +3271,7 @@ static int disconnect_sync(struct hci_dev *hdev, void= *data) * will clean up the connection no matter the error. */ hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM); + hci_conn_put(conn); =20 return 0; } @@ -7372,6 +7388,9 @@ static void get_conn_info_complete(struct hci_dev *hd= ev, void *data, int err) rp.max_tx_power =3D HCI_TX_POWER_INVALID; } =20 + if (conn) + hci_conn_put(conn); + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, MGMT_OP_GET_CONN_INFO, status, &rp, sizeof(rp)); =20 @@ -7386,6 +7405,8 @@ static int get_conn_info_sync(struct hci_dev *hdev, v= oid *data) int err; __le16 handle; =20 + hci_dev_lock(hdev); + /* Make sure we are still connected */ if (cp->addr.type =3D=3D BDADDR_BREDR) conn =3D hci_conn_hash_lookup_ba(hdev, ACL_LINK, 
@@ -7393,12 +7414,16 @@ static int get_conn_info_sync(struct hci_dev *hdev,= void *data) else conn =3D hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr); =20 - if (!conn || conn->state !=3D BT_CONNECTED) + if (!conn || conn->state !=3D BT_CONNECTED) { + hci_dev_unlock(hdev); return MGMT_STATUS_NOT_CONNECTED; + } =20 - cmd->user_data =3D conn; + cmd->user_data =3D hci_conn_get(conn); handle =3D cpu_to_le16(conn->handle); =20 + hci_dev_unlock(hdev); + /* Refresh RSSI each time */ err =3D hci_read_rssi_sync(hdev, handle); =20 @@ -7532,6 +7557,9 @@ static void get_clock_info_complete(struct hci_dev *h= dev, void *data, int err) } =20 complete: + if (conn) + hci_conn_put(conn); + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status, &rp, sizeof(rp)); =20 
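Review bot: `cmd->user_data = hci_conn_get(conn);` stores a reference that get_conn_info_complete releases in the `@@ -7372` hunk on the previous line, but nothing at either site records that user_data owns a reference, and on the `MGMT_STATUS_NOT_CONNECTED` path user_data is left untouched, so the `if (conn)` in the complete callback (which presumably reads conn from cmd->user_data) relies on user_data starting out NULL, something not visible in these hunks. A one-line comment at the assignment, `/* user_data holds a conn reference, dropped in get_conn_info_complete() */`, states the contract. The same applies to get_clock_info_sync and get_clock_info_complete in the `@@ -7548` hunk on the next line and the `@@ -7532` hunk here. Both sync functions start before and end after their hunks.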
@@ -7548,15 +7576,21 @@ static int get_clock_info_sync(struct hci_dev *hdev= , void *data) memset(&hci_cp, 0, sizeof(hci_cp)); hci_read_clock_sync(hdev, &hci_cp); =20 + hci_dev_lock(hdev); + /* Make sure connection still exists */ conn =3D hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr); - if (!conn || conn->state !=3D BT_CONNECTED) + if (!conn || conn->state !=3D BT_CONNECTED) { + hci_dev_unlock(hdev); return MGMT_STATUS_NOT_CONNECTED; + } =20 - cmd->user_data =3D conn; + cmd->user_data =3D hci_conn_get(conn); hci_cp.handle =3D cpu_to_le16(conn->handle); hci_cp.which =3D 0x01; /* Piconet clock */ =20 + hci_dev_unlock(hdev); + return hci_read_clock_sync(hdev, &hci_cp); } =20 --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06C8C239E97; Sun, 2 Nov 2025 16:23:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100589; cv=pass; b=bAWKTCb+M+JIGt3GVN4tikA9FCMnSEoeslAeINacvwqY8H2arTvFCNOozT1UkFGqQZlRLXEHPKeaUAdYQXl7hYWwexX6vr8KcYzk9zk0a8cabnfRfq8bihIMntkwM8/slWXqfXWD8a7vcSCGoRLnUvdJxnWtzBt6SEcxkZkI3/M= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100589; c=relaxed/simple; bh=s+d9EqsMCoNskUuFJGqnwPzvFFbP2gIzZxAbx9lsk1A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sZrAYtTFj/s9/2TlTXjE6m7FPPl27dr9BNZG01bZwyoUtDGVz1LL62v7Z8E0KOTUENYT2KUdgWV41zu5gFaDAQlUz5LrrQN3N1s1N8NZji2ei7D9V4MSdtNKGx7+a+tViiRYhJp7xirh155Ghmu/f8+YbSuepUmX6DfxehmF8ps= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=hMimndi5; 
arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="hMimndi5" Received: from monolith.lan (unknown [IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00Pb2749z104b; Sun, 2 Nov 2025 18:22:59 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4zLYvhBtNrx8nC32PK2sDaxaMm+/LGI2WgZucL6TNoc=; b=hMimndi5U8FEreCzAmnZH0xUZBvcY/quZ+xAqTRcRiQkadyvVmJCVvT7tU+ZDccEixAt2K NGCCjvX5v1J5x9WvIs7p/n+FUdEMI1DSKnyYYJ+isiolCvC8Qo5r8sn2OYaxDtrpMQ5Pk7 EuVwOYTXWiC2QViB4GI8RJrUXNOhLxU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4zLYvhBtNrx8nC32PK2sDaxaMm+/LGI2WgZucL6TNoc=; b=hRSw1I5Oy7fwULLETwiyEqUZL7ctef7B/GgpRMuXTW9I7THOJnkcZoBw0cZ5gEQWdtZkG0 VdvLgUjcj0sNjdW8MXSuZqJtSdOiXQZCUu4NO2v94uO30OK73g5+pEVzh25a3MGXI0Pt4F CJR+D4KCPruSmiCB9q+uGjG79X8VC0E= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100579; a=rsa-sha256; cv=none; 
b=sHa1ZRYfjKnw0jQHfcu9Mqqo0ky9d/W1IhMynk5qD6Xn0jd/EqpQsuowuxj6A9do1MXmtQ 5fEfurS4jZbA61YRdgstWoSeN6SkkHDcYT4apthu7x8x9aju1XMiOYsyq7oyImRlQ3ZhYf MFHNF/36yW4FXTSHv9VGWavcpAeNX60= From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 4/8] Bluetooth: hci_sync: extend conn_hash lookup RCU critical sections Date: Sun, 2 Nov 2025 18:19:36 +0200 Message-ID: X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Extend critical section to cover both hci_conn_hash lookup and use of the returned conn. Add separate function for when we are just checking if a conn exists. This avoids concurrent deletion of the conn before we are done dereferencing it. Fixes: 58ddd115fe063 ("Bluetooth: hci_conn: Fix not setting conn_timeout fo= r Broadcast Receiver") Fixes: cf75ad8b41d2a ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") Fixes: c2994b008492d ("Bluetooth: hci_sync: Fix not setting Random Address = when required") Signed-off-by: Pauli Virtanen --- Notes: v2: - no change net/bluetooth/hci_sync.c | 49 +++++++++++++++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index a87ae23f7bbc..a71a1b7b2541 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c 
@@ -1035,6 +1035,21 @@ static bool adv_use_rpa(struct hci_dev *hdev, uint32= _t flags) return true; } =20 +static bool hci_check_le_connect(struct hci_dev *hdev) +{ + bool found; + + rcu_read_lock(); + found =3D hci_lookup_le_connect(hdev); + rcu_read_unlock(); + + /* The return value may be wrong if the conn is modified concurrently, + * e.g. by HCI event. This function should be used only when this is OK + * (time of check doesn't matter or operation will be tried again). + */ + return found; +} + static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa) { /* If a random_addr has been set we're advertising or initiating an LE @@ -1049,7 +1064,7 @@ static int hci_set_random_addr_sync(struct hci_dev *h= dev, bdaddr_t *rpa) */ if (bacmp(&hdev->random_addr, BDADDR_ANY) && (hci_dev_test_flag(hdev, HCI_LE_ADV) || - hci_lookup_le_connect(hdev))) { + hci_check_le_connect(hdev))) { bt_dev_dbg(hdev, "Deferring random address update"); hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); return 0; @@ -2636,7 +2651,7 @@ static int hci_pause_addr_resolution(struct hci_dev *= hdev) * when initiating an LE connection. */ if (hci_dev_test_flag(hdev, HCI_LE_SCAN) || - hci_lookup_le_connect(hdev)) { + hci_check_le_connect(hdev)) { bt_dev_err(hdev, "Command not allowed when scan/LE connect"); return -EPERM; } @@ -2778,6 +2793,8 @@ static u8 hci_update_accept_list_sync(struct hci_dev = *hdev) if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) { struct hci_conn *conn; =20 + rcu_read_lock(); + conn =3D hci_conn_hash_lookup_create_pa_sync(hdev); if (conn) { struct conn_params pa; @@ -2787,6 +2804,8 @@ static u8 hci_update_accept_list_sync(struct hci_dev = *hdev) bacpy(&pa.addr, &conn->dst); pa.addr_type =3D conn->dst_type; =20 + rcu_read_unlock(); + /* Clear first since there could be addresses left * behind. */ 
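Review bot: the caveat that hci_check_le_connect()'s answer may already be stale sits inside the body after rcu_read_unlock(), where a caller who reads only the prototype will not see it; it belongs in a kernel-doc block above the function, saying that it reports whether an LE connect was in progress at the time of the check and that callers must tolerate a stale answer, as the three call sites in the `@@ -1049`, `@@ -2636` and `@@ -3224` hunks do. The body then shrinks to the lock/lookup/unlock and `return found;`. `found = hci_lookup_le_connect(hdev);` also relies on implicit pointer-to-bool conversion; `found = !!hci_lookup_le_connect(hdev);` is the spelling commonly used in this tree.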
@@ -2796,6 +2815,8 @@ static u8 hci_update_accept_list_sync(struct hci_dev = *hdev) err =3D hci_le_add_accept_list_sync(hdev, &pa, &num_entries); goto done; + } else { + rcu_read_unlock(); } } =20 @@ -2806,10 +2827,13 @@ static u8 hci_update_accept_list_sync(struct hci_de= v *hdev) * the controller. */ list_for_each_entry_safe(b, t, &hdev->le_accept_list, list) { - if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) - continue; + rcu_read_lock(); + + if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) { + rcu_read_unlock(); + continue; + } =20 - /* Pointers not dereferenced, no locks needed */ pend_conn =3D hci_pend_le_action_lookup(&hdev->pend_le_conns, &b->bdaddr, b->bdaddr_type); @@ -2817,6 +2841,8 @@ static u8 hci_update_accept_list_sync(struct hci_dev = *hdev) &b->bdaddr, b->bdaddr_type); =20 + rcu_read_unlock(); + /* If the device is not likely to connect or report, * remove it from the acceptlist. */ @@ -2943,6 +2969,8 @@ static int hci_le_set_ext_scan_param_sync(struct hci_= dev *hdev, u8 type, if (sent) { struct hci_conn *conn; =20 + rcu_read_lock(); + conn =3D hci_conn_hash_lookup_ba(hdev, PA_LINK, &sent->bdaddr); if (conn) { @@ -2967,8 +2995,12 @@ static int hci_le_set_ext_scan_param_sync(struct hci= _dev *hdev, u8 type, phy++; } =20 + rcu_read_unlock(); + if (num_phy) goto done; + } else { + rcu_read_unlock(); } } } @@ -3224,7 +3256,7 @@ int hci_update_passive_scan_sync(struct hci_dev *hdev) * since some controllers are not able to scan and connect at * the same time. */ - if (hci_lookup_le_connect(hdev)) + if (hci_check_le_connect(hdev)) return 0; =20 bt_dev_dbg(hdev, "start background scanning"); 
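Review bot: in the `@@ -2796` hunk the new `} else { rcu_read_unlock(); }` follows a branch that ends in `goto done`, and the `@@ -2967` hunk repeats the same shape; checkpatch flags an else after an unconditional jump, and an unlock split across two branches is easy to get wrong when the branch grows. Copying what is needed from conn inside the RCU section and unlocking once before the branch that sleeps avoids it, with `conn` used only as a flag after the unlock; the sketch below is for hci_update_accept_list_sync, and hci_le_set_ext_scan_param_sync can follow the same pattern. Both functions start before and end after their hunks.
```c
	if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) {
		struct hci_conn *conn;
		struct conn_params pa;

		rcu_read_lock();

		conn = hci_conn_hash_lookup_create_pa_sync(hdev);
		if (conn) {
			/* … unchanged: copy conn->dst / conn->dst_type into pa … */
		}

		rcu_read_unlock();

		/* conn is not dereferenced past this point */
		if (conn) {
			/* … unchanged: clear accept list, add pa, goto done … */
		}
	}
```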
@@ -3479,12 +3511,17 @@ int hci_update_scan_sync(struct hci_dev *hdev) if (hdev->scanning_paused) return 0; =20 + /* If connection states change we update again, so lockless is OK */ + rcu_read_lock(); + if (hci_dev_test_flag(hdev, HCI_CONNECTABLE) || disconnected_accept_list_entries(hdev)) scan =3D SCAN_PAGE; else scan =3D SCAN_DISABLED; =20 + rcu_read_unlock(); + if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) scan |=3D SCAN_INQUIRY; =20 --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C34327FB35; Sun, 2 Nov 2025 16:23:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100591; cv=pass; b=bxHvLOnfUIgx8jkXN9WtSuQ5CjOYj2VkI1/PI4nHVnbyuZf4vXYRkOki0Y4mUhn7+PBx8aDTlMZ50XJ9vOPxsNu4CEAonMA3lFhzGlLy+tQjFR3+o4OprrAbWjs/xvhwzMzlJm7CMb3wqQ0nBjl/DLTkY/jmSIlXBQwVhIr9uKI= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100591; c=relaxed/simple; bh=mWwceOnkIC5prK+OgjGAIcv+pEKuyl5rzWl2WLD2vRk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=W7LjaFGfxVW+9pXss90Vr7c5uYJlsVqJG0XEl4IpXEbbOO78t+ctk2YpaDHSharMn5FcnJkLKWrEtj5z9i3mvyszrnIQt8UuAcAp5546U4MqJDsXldo/EExc4MNi1YkQisF1DtmZ9LYY4sa3JqHTBGI3GRYqUsfk9RbjmNacjeE= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=ehfIzdyg; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: 
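Review bot: the rcu_read_lock()/rcu_read_unlock() pair in hci_update_scan_sync presumably exists only for the conn-hash lookups inside disconnected_accept_list_entries(), whose definition is outside the hunk; taking the read lock inside that helper instead keeps the protection next to the lookups it covers and cannot be forgotten by another caller. The comment `/* If connection states change we update again, so lockless is OK */` would move with it, and hci_dev_test_flag() does not need to be inside the section. hci_update_scan_sync continues beyond the hunk.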
smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="ehfIzdyg" Received: from monolith.lan (unknown [IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00Pc1bbtz104g; Sun, 2 Nov 2025 18:23:00 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100580; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=11ROlgv6b+Co/OXYSYtENy91jzr9hTxW8D8KiamrhIg=; b=ehfIzdyg/TKZSCAB/hjqaiikfPwqF7vYyGRlDyFspbjdNGP09i+L4sP8iByBpRqtoLQWJV qEpC6Yv30zQlnsiF/Imc5p8ki2iOE3vVySzRv5lP5bAZma02i/Yhx0KknRGqHn7UP8uQan jHeIB4UHR3uNnmZSaC8rjqhxw45VVmA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100580; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=11ROlgv6b+Co/OXYSYtENy91jzr9hTxW8D8KiamrhIg=; b=QpAqOxYjU6MXRldI5frVPKnVM3tR2R3FpLhIMHPyraWkLXsBHmN7l0XBfMj7XhumDGVGIA vDxWaBxkbep1WZLafqsl270grb2MnOFKnnBCIqtmupmy71tVPcySYYASQwGG6wkNvWj/ph yzIAT80T561T+X9HG/bVC0baJCVoZUQ= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100580; a=rsa-sha256; cv=none; b=DvyYlQYAhll6/KvqTBy0zxBQIWHK+03QsvDyb8jwLAUtJ4CLE8qVMAigDrVs/a0wPH9FlP jgvJdWZCwK8U9htT41B/X+9s0klRhD6lAh6YLv8rNiFZN0r79YFKF3/Eqe7jZ7UcYwxwr8 cg/1BQ8HvtlzTL/kZbcQ47Q6XVPE4OQ= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 5/8] Bluetooth: hci_sync: make hci_cmd_sync_run* return -EEXIST if not run Date: Sun, 2 Nov 2025 18:19:37 +0200 Message-ID: <6dc2473624e1d90f10b63371ec05940dc5d22395.1762100290.git.pav@iki.fi> X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" hci_cmd_sync_run_once() needs to indicate whether a queue item was added, so caller can know if callbacks are called, so it can avoid leaking resources. Change the function to return -EEXIST if queue item already exists. hci_cmd_sync_run() may run the work immediately. If so, make it behave as if item was queued successfully. Change it to call also destroy() and return 0. Modify all callsites vs. the changes. Signed-off-by: Pauli Virtanen --- Notes: v2: - no change net/bluetooth/hci_conn.c | 4 +++- net/bluetooth/hci_sync.c | 13 ++++++++++--- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index d140e5740f92..214fa6ec832b 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -2959,6 +2959,7 @@ static int abort_conn_sync(struct hci_dev *hdev, void= *data) int hci_abort_conn(struct hci_conn *conn, u8 reason) { struct hci_dev *hdev =3D conn->hdev; + int err; =20 /* If abort_reason has already been set it means the connection is * already being aborted so don't attempt to overwrite it. 
@@ -2995,7 +2996,8 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does * already queue its callback on cmd_sync_work. */ - return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL); + err =3D hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL); + return (err =3D=3D -EEXIST) ? 0 : err; } =20 void hci_setup_tx_timestamp(struct sk_buff *skb, size_t key_offset, diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index a71a1b7b2541..6c4c736cf93a 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -801,8 +801,15 @@ int hci_cmd_sync_run(struct hci_dev *hdev, hci_cmd_syn= c_work_func_t func, return -ENETDOWN; =20 /* If on cmd_sync_work then run immediately otherwise queue */ - if (current_work() =3D=3D &hdev->cmd_sync_work) - return func(hdev, data); + if (current_work() =3D=3D &hdev->cmd_sync_work) { + int err; + + err =3D func(hdev, data); + if (destroy) + destroy(hdev, data, err); + + return 0; + } =20 return hci_cmd_sync_submit(hdev, func, data, destroy); } 
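Review bot: The new immediate-run branch in hci_cmd_sync_run() returns 0 whatever func() returned, so a caller already on cmd_sync_work can no longer observe the command's failure directly; the value only reaches destroy(). That is the intended "behave as if queued" semantics, but nothing at the site says so, and the `err` that is computed and then dropped reads like a mistake. Suggest replacing the existing `/* If on cmd_sync_work then run immediately otherwise queue */` with `/* On cmd_sync_work run now, mirroring the queued path: func()'s result goes to destroy() and the caller sees 0 */`. hci_cmd_sync_run()'s signature and its earlier checks lie outside this hunk.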
@@ -818,7 +825,7 @@ int hci_cmd_sync_run_once(struct hci_dev *hdev, hci_cmd= _sync_work_func_t func, void *data, hci_cmd_sync_work_destroy_t destroy) { if (hci_cmd_sync_lookup_entry(hdev, func, data, destroy)) - return 0; + return -EEXIST; =20 return hci_cmd_sync_run(hdev, func, data, destroy); } --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C40327FB37; Sun, 2 Nov 2025 16:23:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100591; cv=pass; b=FeoebexS53p4ziqLov77ouhcVhmi+Pgdj3cHJg7tN6wWQ7Sg3IMA1vWj+s4gtLJmvgWHaNhBguLAHGkEHd69oqu46SKqWIkY2yL66+aXMQaSUUTf7HBZaS51KUPB8Sd/OVN6Y4qrywdn1N33SciwRuTBNDl29MFb6+ohC2GV9ns= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100591; c=relaxed/simple; bh=feCd1Rll9IOJWSQ4ff9DtjV6rbROULO5UoVlOec8REk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NXEkLA0xvDRdcN+1eh/V0WsOzRXpgZdMrffoZCyM9hK6BHe284pWXyGTRrSuijxDOQd6garFv4Ytf4K+VFWumLpwJRLquvS1lEgm/dtHj96iz9oDzWpsEcgrl0eApxr4mCM7mSd61rnr0s2KQhYQKButOJuXyEpfByzXSuU/E6k= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=i8KBa7In; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="i8KBa7In" Received: from monolith.lan (unknown 
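Review bot: hci_cmd_sync_run_once() now returns -EEXIST when a matching entry is already queued, and on that path destroy() is never invoked, so ownership of data stays with the caller; that property is what the later patches in the series (the `if (err) hci_conn_put(conn);` in 7/8 and 8/8) depend on, yet it is not written down next to the function. The same applies to hci_cmd_sync_queue_once() in 6/8. Suggest a kernel-doc sentence on both: `Returns -EEXIST if an identical entry is already queued; destroy() is not called in that case and @data remains owned by the caller.`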
[IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00Pd2VfSz105W; Sun, 2 Nov 2025 18:23:01 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100582; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3A8w4CxIAWNB9uOrOB/CxGjEbP+wZBMGlAPgjry/hHU=; b=i8KBa7In0tv8lICL3uIlOLNakxEMbNHVPuDgiP6qP0dbI9IjZxcsG8KavpdCuHQT5CEiBx yOVJWlK/7MMn9FmNXVw25IUhNP/JSCPlndS/1wbC5ofx0lZQ065gOYEDIWOIR7ssdDiUYV 69aA++fGpoIPCmBchPdHj0oSDoc+Nus= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100582; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3A8w4CxIAWNB9uOrOB/CxGjEbP+wZBMGlAPgjry/hHU=; b=I+egJTvYmrisybX/GlgvurRsmkC/dkt/bf8RT31gsk6/WukUoLrXSejOXmOOQPy9XzIOgT jke2WByk5VRE0rkHaw8FPmKjINO4fA+WweZj6XUnI9AWhffszlhhXcXlfHuzvEY7L5slhY 8Z5VXzBGaUPx45BJL2VOwW20w4EGnc0= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100582; a=rsa-sha256; cv=none; b=j3+AuEDNjCB/+jd0uFv+TBv04sSjsxFobKJu607lEd8SMoziLfycft0KyZMbsNRFzdnq9K IksVmYBCpe0jfgzaw4wguk822nK/YeY7musIZkjUy/GTxF+Gsq3poM8uiKWSlADJ9Z3xuc Dv7H2cZ3azq7M02EVcs7ftwNofpBvkQ= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 6/8] Bluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists Date: Sun, 2 Nov 2025 18:19:38 +0200 Message-ID: <5098558edc32358dc58ebf65964c6640b77d9e73.1762100290.git.pav@iki.fi> X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" hci_cmd_sync_queue_once() needs to indicate whether a queue item was added, so caller can know if callbacks are called, so it can avoid leaking resources. Change the function to return -EEXIST if queue item already exists. Modify all callsites to handle that. Fixes leak in hci_past_sync() if command already queued. Signed-off-by: Pauli Virtanen --- Notes: v2: - fix also hci_past_sync net/bluetooth/hci_sync.c | 39 +++++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 6c4c736cf93a..dc95a1ebe65e 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -780,7 +780,7 @@ int hci_cmd_sync_queue_once(struct hci_dev *hdev, hci_c= md_sync_work_func_t func, void *data, hci_cmd_sync_work_destroy_t destroy) { if (hci_cmd_sync_lookup_entry(hdev, func, data, destroy)) - return 0; + return -EEXIST; =20 return hci_cmd_sync_queue(hdev, func, data, destroy); } @@ -3294,6 +3294,8 @@ static int update_passive_scan_sync(struct hci_dev *h= dev, void *data) =20 int hci_update_passive_scan(struct hci_dev *hdev) { + int err; + /* Only queue if it would have any effect */ if (!test_bit(HCI_UP, &hdev->flags) || test_bit(HCI_INIT, &hdev->flags) || 
@@ -3303,8 +3305,9 @@ int hci_update_passive_scan(struct hci_dev *hdev) hci_dev_test_flag(hdev, HCI_UNREGISTER)) return 0; =20 - return hci_cmd_sync_queue_once(hdev, update_passive_scan_sync, NULL, - NULL); + err =3D hci_cmd_sync_queue_once(hdev, update_passive_scan_sync, NULL, + NULL); + return (err =3D=3D -EEXIST) ? 0 : err; } =20 int hci_write_sc_support_sync(struct hci_dev *hdev, u8 val) @@ -6961,8 +6964,11 @@ static int hci_acl_create_conn_sync(struct hci_dev *= hdev, void *data) =20 int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn) { - return hci_cmd_sync_queue_once(hdev, hci_acl_create_conn_sync, conn, - NULL); + int err; + + err =3D hci_cmd_sync_queue_once(hdev, hci_acl_create_conn_sync, conn, + NULL); + return (err =3D=3D -EEXIST) ? 0 : err; } =20 static void create_le_conn_complete(struct hci_dev *hdev, void *data, int = err) @@ -6998,8 +7004,11 @@ static void create_le_conn_complete(struct hci_dev *= hdev, void *data, int err) =20 int hci_connect_le_sync(struct hci_dev *hdev, struct hci_conn *conn) { - return hci_cmd_sync_queue_once(hdev, hci_le_create_conn_sync, conn, - create_le_conn_complete); + int err; + + err =3D hci_cmd_sync_queue_once(hdev, hci_le_create_conn_sync, conn, + create_le_conn_complete); + return (err =3D=3D -EEXIST) ? 0 : err; } =20 int hci_cancel_connect_sync(struct hci_dev *hdev, struct hci_conn *conn) @@ -7206,8 +7215,11 @@ static int hci_le_pa_create_sync(struct hci_dev *hde= v, void *data) =20 int hci_connect_pa_sync(struct hci_dev *hdev, struct hci_conn *conn) { - return hci_cmd_sync_queue_once(hdev, hci_le_pa_create_sync, conn, - create_pa_complete); + int err; + + err =3D hci_cmd_sync_queue_once(hdev, hci_le_pa_create_sync, conn, + create_pa_complete); + return (err =3D=3D -EEXIST) ? 0 : err; } =20 static void create_big_complete(struct hci_dev *hdev, void *data, int err) 
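Review bot: The `return (err == -EEXIST) ? 0 : err;` tail is copied into hci_update_passive_scan(), hci_connect_acl_sync(), hci_connect_le_sync() and hci_connect_pa_sync() here, into hci_connect_big_sync() and hci_past_sync() in the next hunks, and into hci_abort_conn() in 5/8, and 7/8 and 8/8 then grow most copies with an `if (err) hci_conn_put(conn);`. A single helper, e.g. `static inline int hci_cmd_sync_once_ret(int err) { return err == -EEXIST ? 0 : err; }`, placed in hci_sync.h so hci_conn.c can share it, would keep the "already queued is success" mapping in one place instead of seven. That is a style point; the behaviour of each call site is fine as written.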
@@ -7269,8 +7281,11 @@ static int hci_le_big_create_sync(struct hci_dev *hd= ev, void *data) =20 int hci_connect_big_sync(struct hci_dev *hdev, struct hci_conn *conn) { - return hci_cmd_sync_queue_once(hdev, hci_le_big_create_sync, conn, - create_big_complete); + int err; + + err =3D hci_cmd_sync_queue_once(hdev, hci_le_big_create_sync, conn, + create_big_complete); + return (err =3D=3D -EEXIST) ? 0 : err; } =20 struct past_data { 
@@ -7362,5 +7377,5 @@ int hci_past_sync(struct hci_conn *conn, struct hci_c= onn *le) if (err) kfree(data); =20 - return err; + return (err =3D=3D -EEXIST) ? 0 : err; } --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C18472D948F; Sun, 2 Nov 2025 16:23:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100592; cv=pass; b=NNl4YPynrKOJmusk2OXLzK3lIyfkJ5JN0/yzZkpEVeYo3xtY2xN5GwqFcuZPvbMnbRBxEzm803kMwWvcMfvBDD0jF+7FJfVyfNeEiIA/MsuvlyYYDWHeRITJx46iVQjapAMWYrY3Y5v0YRjCElbkysGVI3UcQGpVV0n+gNLz+I8= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100592; c=relaxed/simple; bh=EI8nyFkNdAzKa7QP9/aX4Z9aNZKLosqPaqVUYHw6d+Y=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fmFUrksYFIVc66GnMV2+TBfs2/5q80+pyK0AWe2GAUt70hhc98AywHrks/7+2jaCRsHWNfha14kB+c9e9CR4lkB75Uts041J/OaUZcy+0t++YnOqJtZ32Q5QOiRquahVfmfMPv32ODBegiTMyQ9pF0uLmAZqAUbGyBCSoSlZqr4= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=LAE6iOln; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="LAE6iOln" Received: from monolith.lan (unknown [IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS 
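Review bot: The -EEXIST-to-0 mapping added at the end of hci_past_sync() looks unreachable: `data` is allocated fresh on every call (8/8 shows the `if (!data) return -ENOMEM;` path), and if hci_cmd_sync_lookup_entry() matches on the data pointer, as its argument list suggests, no queued entry can carry this pointer, so hci_cmd_sync_queue_once() cannot report an existing entry here. If the intent is to dedupe repeated PAST requests for the same conn, the lookup would need a key that does not change per call; otherwise plain `hci_cmd_sync_queue()` with a comment saying why would be more honest than a once variant that never dedupes. The start of hci_past_sync(), including the allocation, lies outside this hunk.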
(2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00Pf246Sz105l; Sun, 2 Nov 2025 18:23:02 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100582; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mVE0LXmXYSdd0UYV2f1XCqgHhiUbio9FQUz6BG0KDiQ=; b=LAE6iOln3HkeVFGGBLScdcdSZCW6XmF5XAC3sxasxWtHvoJTr5R8w6MLWMz8XP7ytpT9Ph 11LoGdyaO3dqS2rtoxdiaG8CiqPRa+XIibmk5jHAz0YchhDnhuVAJtb9f7rxbWeVui36aV LD7nXOPBXRqw6lPYbDUl86lzBRLWpC4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100582; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mVE0LXmXYSdd0UYV2f1XCqgHhiUbio9FQUz6BG0KDiQ=; b=nkgcaxslpbicSkDJPcw4u2ETAwPaoDTU4LEFvXqKOUAyYftM5hiAYPHHoUZ+8TCwRXY6hr CZoRbvAYtQNX1d6PD3CubCAeILeYPaUISB30eJnVIXVz7A5NOEKp1JgIiRwxEMrNa98Enr AhoFOxHOU/IZjCtHfLDOcSx8oVHEej0= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100582; a=rsa-sha256; cv=none; b=B2YzjTq/5aR7y7WoPFC7DlP7O25XPWtJd1HXpbQwp8REXkTlvJGcnoeil7uM+j9DLEYrdC eiWluPrJUjFR67i8bQXLzArM4soGG/ntMEZDFP7NwunUySgoC2kLvlUD3ofmQaUuGlGvBd QXOtH7bi6yIWUBWdvH4lh/AczVwTDYk= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 7/8] Bluetooth: hci_conn: hold reference in abort_conn_sync Date: Sun, 2 Nov 2025 18:19:39 +0200 Message-ID: <0d75210630e1f71b18dfc5cd97610a41effb1789.1762100290.git.pav@iki.fi> X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" hci_conn_valid() should not be used on potentially freed hci_conn pointers, as relying on kmalloc not reusing addresses is bad practice. Hold a hci_conn reference for the queue job so the pointer is not freed too early. This also avoids potential UAF during abort_conn_sync(). Signed-off-by: Pauli Virtanen --- Notes: v2: - no change net/bluetooth/hci_conn.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 214fa6ec832b..64066f6a0af8 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -2956,6 +2956,13 @@ static int abort_conn_sync(struct hci_dev *hdev, voi= d *data) return hci_abort_conn_sync(hdev, conn, conn->abort_reason); } =20 +static void abort_conn_destroy(struct hci_dev *hdev, void *data, int err) +{ + struct hci_conn *conn =3D data; + + hci_conn_put(conn); +} + int hci_abort_conn(struct hci_conn *conn, u8 reason) { struct hci_dev *hdev =3D conn->hdev; 
@@ -2996,7 +3003,10 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) * as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does * already queue its callback on cmd_sync_work. */ - err =3D hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL); + err =3D hci_cmd_sync_run_once(hdev, abort_conn_sync, hci_conn_get(conn), + abort_conn_destroy); + if (err) + hci_conn_put(conn); return (err =3D=3D -EEXIST) ? 0 : err; } =20 --=20 2.51.1 From nobody Sun Feb 8 05:27:39 2026 Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C17722D9482; Sun, 2 Nov 2025 16:23:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=195.140.195.201 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100592; cv=pass; b=MR+indJbdRkmYcJE8HkX7hcrMrvk2cRS0y8qm+495jpm4Acqd24Z4Xbd8ccWDqNq21SJz9Wj31bjOxeUHIwJDal1FzqghjgtODL+qSuWFAK3ToEIuQ0fPigvesjL+/21f0oqIJ0/U8WiKILozOm08v7OdNRq9u+VC1B37vpO5wg= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1762100592; c=relaxed/simple; bh=vqHSxlN8vW0IkYc9EJdmBchIKyWnN2BFQ2urrmra6ZI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Z9zZ0WkeOPoBi5WUJHKOuzmpslQRNLGiPxiCFRrLF/ngo8vy95sTSmAFgArWO2EL79Tau0GiY8d3rgWfCLYJVfMbp/wK4T5u5qovuNVgxQX6RUCWwO+nZ+A340S+zGGPfd96dc6xAreS2XWcIe8tRbiuJ+gdEtfazSw7RYfqNr8= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi; spf=pass smtp.mailfrom=iki.fi; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b=ooPYsFBj; arc=pass smtp.client-ip=195.140.195.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iki.fi Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iki.fi Authentication-Results: 
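Review bot: The `if (err) hci_conn_put(conn);` after hci_cmd_sync_run_once() is correct only if no failing path inside hci_cmd_sync_run_once()/hci_cmd_sync_run()/hci_cmd_sync_submit() has already invoked abort_conn_destroy(); the -EEXIST and -ENETDOWN returns shown in 5/8 do not, but the submit path is not visible here, and a second put would free a live connection. The invariant is worth stating once where it is guaranteed, e.g. on hci_cmd_sync_submit(): `/* On failure destroy() is not called; the caller still owns data */`. The same pattern is repeated in 8/8 for hci_connect_acl_sync(), hci_connect_le_sync(), hci_connect_pa_sync() and hci_connect_big_sync(), so one comment at the contract covers all of them.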
smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=iki.fi header.i=@iki.fi header.b="ooPYsFBj" Received: from monolith.lan (unknown [IPv6:2a02:ed04:3581:1::d001]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: pav) by meesny.iki.fi (Postfix) with ESMTPSA id 4d00Pg1dVkz1064; Sun, 2 Nov 2025 18:23:03 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100583; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Bp0L8CrmTikzBpE/RQPCqJwcoGrZ9MB/Tpu/IkmyOiI=; b=ooPYsFBjXYBKBPevx7ySOJKLVRHr+0Ey3veZomA3VdYQZQlsghNrIbokARz4mc/xmGDSbL Zh0BP7ikFNRRItzKQNvsmemk4i/IBJnNuWccr5UTKQ5XSF4btlo2pP48tsxa8sIhqkR/Zb wJyvWx+scCBpB6JMkyEn2yeZPV72QYY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1762100583; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Bp0L8CrmTikzBpE/RQPCqJwcoGrZ9MB/Tpu/IkmyOiI=; b=aBBZSbSqKcotsgm7DPczOniUwJuQ89rsqxgY6yMHxSm42WHlnTq1VrGkbasU+UTfSEpO7R AP5fU033idhVw+c7Fi3JCj3mFFPy2meGHRl5+f6BgC+QhukOD5rNKAaa5JoyWGdym2MxvS s6Ac8DAvzx+DJU+Dji97IlzE9RlVaq0= ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=pav smtp.mailfrom=pav@iki.fi ARC-Seal: i=1; s=meesny; d=iki.fi; t=1762100583; a=rsa-sha256; cv=none; b=wbc4d0UsTBtEJaa5gTLsqvJXVQc4tVy7WF8F14IKfBhp+eoPw7Dp9Gt+vqCm47o29Q7B4w CtqL/5eegG8ZOveCdwbdHiSqoLUI1oTFgN7ftsAQ9gepLZqFJv62UbmbK/CONe+FGQA40o KE+O/QvUSRzV9LBq37mkLFlQGlc3e7I= 
From: Pauli Virtanen To: linux-bluetooth@vger.kernel.org Cc: Pauli Virtanen , marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org Subject: [PATCH v2 8/8] Bluetooth: hci_sync: hold references in hci_sync callbacks Date: Sun, 2 Nov 2025 18:19:40 +0200 Message-ID: X-Mailer: git-send-email 2.51.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" hci_conn_valid() should not be used on potentially freed hci_conn pointers, as relying on kmalloc not reusing addresses is bad practice. Hold a hci_conn reference for queued jobs so the pointers are not freed too early. This also avoids potential UAF if the conn would be freed while the jobs are running. Signed-off-by: Pauli Virtanen --- Notes: v2: - fix also hci_past_sync() net/bluetooth/hci_sync.c | 66 +++++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index dc95a1ebe65e..d4420d5882d6 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -6962,12 +6962,23 @@ static int hci_acl_create_conn_sync(struct hci_dev = *hdev, void *data) conn->conn_timeout, NULL); } =20 +static void hci_acl_create_conn_sync_complete(struct hci_dev *hdev, void *= data, + int err) +{ + struct hci_conn *conn =3D data; + + hci_conn_put(conn); +} + int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn) { int err; =20 - err =3D hci_cmd_sync_queue_once(hdev, hci_acl_create_conn_sync, conn, - NULL); + err =3D hci_cmd_sync_queue_once(hdev, hci_acl_create_conn_sync, + hci_conn_get(conn), + hci_acl_create_conn_sync_complete); + if (err) + hci_conn_put(conn); return (err =3D=3D -EEXIST) ? 0 : err; } =20 
@@ -6978,36 +6989,41 @@ static void create_le_conn_complete(struct hci_dev = *hdev, void *data, int err) bt_dev_dbg(hdev, "err %d", err); =20 if (err =3D=3D -ECANCELED) - return; + goto done; =20 hci_dev_lock(hdev); =20 if (!hci_conn_valid(hdev, conn)) - goto done; + goto unlock; =20 if (!err) { hci_connect_le_scan_cleanup(conn, 0x00); - goto done; + goto unlock; } =20 /* Check if connection is still pending */ if (conn !=3D hci_lookup_le_connect(hdev)) - goto done; + goto unlock; =20 /* Flush to make sure we send create conn cancel command if needed */ flush_delayed_work(&conn->le_conn_timeout); hci_conn_failed(conn, bt_status(err)); =20 -done: +unlock: hci_dev_unlock(hdev); +done: + hci_conn_put(conn); } =20 int hci_connect_le_sync(struct hci_dev *hdev, struct hci_conn *conn) { int err; =20 - err =3D hci_cmd_sync_queue_once(hdev, hci_le_create_conn_sync, conn, + err =3D hci_cmd_sync_queue_once(hdev, hci_le_create_conn_sync, + hci_conn_get(conn), create_le_conn_complete); + if (err) + hci_conn_put(conn); return (err =3D=3D -EEXIST) ? 0 : err; } =20 @@ -7055,7 +7071,7 @@ static void create_pa_complete(struct hci_dev *hdev, = void *data, int err) bt_dev_dbg(hdev, "err %d", err); =20 if (err =3D=3D -ECANCELED) - return; + goto done; =20 hci_dev_lock(hdev); =20 @@ -7079,6 +7095,8 @@ static void create_pa_complete(struct hci_dev *hdev, = void *data, int err) =20 unlock: hci_dev_unlock(hdev); +done: + hci_conn_put(conn); } =20 static int hci_le_past_params_sync(struct hci_dev *hdev, struct hci_conn *= conn, @@ -7217,8 +7235,11 @@ int hci_connect_pa_sync(struct hci_dev *hdev, struct= hci_conn *conn) { int err; =20 - err =3D hci_cmd_sync_queue_once(hdev, hci_le_pa_create_sync, conn, + err =3D hci_cmd_sync_queue_once(hdev, hci_le_pa_create_sync, + hci_conn_get(conn), create_pa_complete); + if (err) + hci_conn_put(conn); return (err =3D=3D -EEXIST) ? 0 : err; } =20 
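Review bot: With the job now holding its own reference, the `hci_conn_valid(hdev, conn)` check in create_le_conn_complete() no longer guards against a freed pointer but against a conn that was removed from hdev while the job was queued; the line reads exactly as before, so a reader may assume the old reasoning still applies. Suggest a comment on that check: `/* Our ref pins conn; check it is still attached to hdev */`. The same check is kept in create_pa_complete() and create_big_complete() further down and could carry the same note. The head of create_le_conn_complete(), where conn is taken from data, is outside this hunk.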
@@ -7229,10 +7250,17 @@ static void create_big_complete(struct hci_dev *hde= v, void *data, int err) bt_dev_dbg(hdev, "err %d", err); =20 if (err =3D=3D -ECANCELED) - return; + goto done; + + hci_dev_lock(hdev); =20 if (hci_conn_valid(hdev, conn)) clear_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags); + + hci_dev_unlock(hdev); + +done: + hci_conn_put(conn); } =20 static int hci_le_big_create_sync(struct hci_dev *hdev, void *data) @@ -7283,8 +7311,11 @@ int hci_connect_big_sync(struct hci_dev *hdev, struc= t hci_conn *conn) { int err; =20 - err =3D hci_cmd_sync_queue_once(hdev, hci_le_big_create_sync, conn, + err =3D hci_cmd_sync_queue_once(hdev, hci_le_big_create_sync, + hci_conn_get(conn), create_big_complete); + if (err) + hci_conn_put(conn); return (err =3D=3D -EEXIST) ? 0 : err; } =20 @@ -7299,6 +7330,8 @@ static void past_complete(struct hci_dev *hdev, void = *data, int err) =20 bt_dev_dbg(hdev, "err %d", err); =20 + hci_conn_put(past->conn); + hci_conn_put(past->le); kfree(past); } =20 @@ -7363,8 +7396,8 @@ int hci_past_sync(struct hci_conn *conn, struct hci_c= onn *le) if (!data) return -ENOMEM; =20 - data->conn =3D conn; - data->le =3D le; + data->conn =3D hci_conn_get(conn); + data->le =3D hci_conn_get(le); =20 if (conn->role =3D=3D HCI_ROLE_MASTER) err =3D hci_cmd_sync_queue_once(conn->hdev, @@ -7374,8 +7407,11 @@ int hci_past_sync(struct hci_conn *conn, struct hci_= conn *le) err =3D hci_cmd_sync_queue_once(conn->hdev, hci_le_past_sync, data, past_complete); =20 - if (err) + if (err) { + hci_conn_put(data->conn); + hci_conn_put(data->le); kfree(data); + } =20 return (err =3D=3D -EEXIST) ? 0 : err; } --=20 2.51.1
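Review bot: The error path added to hci_past_sync() (`hci_conn_put(data->conn); hci_conn_put(data->le); kfree(data);`) repeats past_complete()'s body line for line, so the two release sequences can drift apart the next time struct past_data grows a field that needs releasing. A small static helper used by both keeps them in lockstep; past_complete() would log and call it, and hci_past_sync() would call it in its `if (err)` branch. The start of hci_past_sync() and the bt_dev_dbg() head of past_complete() lie outside these hunks.
```c
static void past_data_put(struct past_data *past)
{
	hci_conn_put(past->conn);
	hci_conn_put(past->le);
	kfree(past);
}

static void past_complete(struct hci_dev *hdev, void *data, int err)
{
	/* … unchanged: past = data; bt_dev_dbg(hdev, "err %d", err); … */
	past_data_put(past);
}

	/* … unchanged: hci_past_sync() up to the queue_once call … */
	if (err)
		past_data_put(data);

	return (err == -EEXIST) ? 0 : err;
```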