Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Wed, 3 May 2023 21:39:34 +0800 you wrote:
> The hci_conn_unlink function is being called by hci_conn_del, which
> means it should not call hci_conn_del with the input parameter conn
> again. If it does, conn may have already been released when
> hci_conn_unlink returns, leading to potential UAF and double-free
> issues.
>
> This patch resolves the problem by modifying hci_conn_unlink to release
> only conn's child links when necessary, but never release conn itself.
>
> [...]

Here is the summary with links:
  - [v4,1/4] Bluetooth: Fix potential double free caused by hci_conn_unlink
    https://git.kernel.org/bluetooth/bluetooth-next/c/3214238e9dc7
  - [v4,2/4] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
    https://git.kernel.org/bluetooth/bluetooth-next/c/38e9b45310de
  - [v4,3/4] Bluetooth: Fix UAF in hci_conn_hash_flush again
    https://git.kernel.org/bluetooth/bluetooth-next/c/29f883dcbfd0
  - [v4,4/4] Bluetooth: Unlink CISes when LE disconnects in hci_conn_del
    https://git.kernel.org/bluetooth/bluetooth-next/c/e6e576ec4e72

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html