This patch series contains six fixes related to hci_conn_unlink. The purpose is to prevent merge conflicts between each other. I'm not intentionally linking them together. So if any patch is not suitable, please just let me know (I'll be grateful if you can explain the reason).

The first three patches are the most important, each fixing a triggerable use-after-free bug (see the report URL for details). And the fourth through sixth patches are a bit more minor, containing mostly tweaks and refactorings.

Changes since v2:
 * Put all fixes, adjustments, and refactorings about hci_conn_unlink in one patch series.

Link to v2:
 * https://lore.kernel.org/linux-bluetooth/20230430180535.168270-1-lrh2000@xxxxxxxxxx/

See also:
 * https://lore.kernel.org/linux-bluetooth/20230430171847.156825-1-lrh2000@xxxxxxxxxx/

Changes since v1:
 * Resolve merge conflicts.

Link to v1:
 * https://lore.kernel.org/linux-bluetooth/20230430172937.157999-1-lrh2000@xxxxxxxxxx/

Ruihan Li (6):
  Bluetooth: Fix potential double free caused by hci_conn_unlink
  Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
  Bluetooth: Fix UAF in hci_conn_hash_flush again
  Bluetooth: Perform hci_conn_drop in hci_conn_unlink
  Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
  Bluetooth: Avoid recursion in hci_conn_unlink

 include/net/bluetooth/hci_core.h |  2 +-
 net/bluetooth/hci_conn.c         | 96 ++++++++++++++++++--------------
 2 files changed, 54 insertions(+), 44 deletions(-)

-- 
2.40.0