mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-16 13:41:48 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
e4f6bc7f8222a9e40283d3fc6c4c4c656d79a48e
linux/net
History
Pauli Virtanen 5c7209a341 Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER 
When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls
hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm()
assumes it is held, and if conn is deleted concurrently -> UAF.

Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,
and HCI_EV_CONN_REQUEST is not generated for ISO.  In the non-deferred
listening socket code paths, hci_connect_cfm(conn) is called with
hdev->lock held.

Fix by holding the lock.

Fixes: 70c4642563 ("Bluetooth: Refactor connection request handling")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-04-13 09:18:16 -04:00
..
6lowpan
net: replace ND_PRINTK with dynamic debug
2025-07-10 15:27:32 -07:00
9p
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
802
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
8021q
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
appletalk
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
atm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-03-19 14:16:00 -07:00
ax25
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
batman-adv
Merge tag 'batadv-net-pullrequest-20260408' of https://git.open-mesh.org/linux-merge
2026-04-08 18:50:27 -07:00
bluetooth
Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
2026-04-13 09:18:16 -04:00
bpf
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
caif
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
can
can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
2026-03-19 17:16:02 +01:00
ceph
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
2026-03-11 10:18:56 +01:00
core
net: use get_random_u{16,32,64}() where appropriate
2026-04-09 19:27:43 -07:00
dcb
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
devlink
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
dns_resolver
net: Add SPDX ids to some source files
2026-03-09 18:32:45 -07:00
dsa
dsa: tag_mxl862xx: set dsa_default_offload_fwd_mark()
2026-04-06 18:30:33 -07:00
ethernet
bonding: prevent potential infinite loop in bond_header_parse()
2026-03-16 19:29:45 -07:00
ethtool
net, ethtool: Disallow leased real rxqs to be resized
2026-04-09 18:21:46 -07:00
handshake
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
hsr
net: hsr: emit notification for PRP slave2 changed hw addr on port deletion
2026-04-07 17:06:16 +02:00
ieee802154
net: remove addr_len argument of recvmsg() handlers
2026-03-02 18:17:17 -08:00
ife
ipv4
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
ipv6
ipv6: sit: remove redundant ret = 0 assignment
2026-04-09 20:37:40 -07:00
iucv
net/iucv: Add missing kernel-doc return value descriptions
2026-03-31 20:14:56 -07:00
kcm
kcm: fix zero-frag skb in frag_list on partial sendmsg error
2026-02-23 17:26:55 -08:00
key
net: af_key: zero aligned sockaddr tail in PF_KEY exports
2026-04-07 11:08:24 +02:00
l2tp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
l3mdev
net: fib_rules: Fix iif / oif matching on L3 master device
2025-04-15 17:54:56 -07:00
lapb
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
llc
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
mac80211
net: use get_random_u{16,32,64}() where appropriate
2026-04-09 19:27:43 -07:00
mac802154
bonding: prevent potential infinite loop in bond_header_parse()
2026-03-16 19:29:45 -07:00
mctp
net: mctp: defer creation of dst after source-address check
2026-04-06 18:06:47 -07:00
mpls
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-02 11:03:13 -07:00
mptcp
net: use get_random_u{16,32,64}() where appropriate
2026-04-09 19:27:43 -07:00
ncsi
net: ncsi: fix skb leak in error paths
2026-03-06 17:34:48 -08:00
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
netlabel
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
netlink
netlink: update outdated comment
2026-03-12 19:29:01 -07:00
netrom
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
nfc
nfc: nci: fix circular locking dependency in nci_close_device
2026-03-19 16:56:18 -07:00
nsh
openvswitch
net: use get_random_u{16,32,64}() where appropriate
2026-04-09 19:27:43 -07:00
packet
net: fix fanout UAF in packet_release() via NETDEV_UP race
2026-03-23 17:07:19 -07:00
phonet
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-03-19 14:16:00 -07:00
psample
treewide: Replace kmalloc with kmalloc_obj for non-scalar types
2026-02-21 01:02:28 -08:00
psp
net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros
2026-03-29 11:21:22 -07:00
qrtr
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-02 11:03:13 -07:00
rds
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-02 11:03:13 -07:00
rfkill
net: rfkill: prevent unlimited numbers of rfkill events from being created
2026-04-07 12:35:04 +02:00
rose
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
2026-03-12 19:23:59 -07:00
rxrpc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
sched
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
sctp
net: use get_random_u{16,32,64}() where appropriate
2026-04-09 19:27:43 -07:00
shaper
net: shaper: protect from late creation of hierarchy
2026-03-19 13:47:15 +01:00
smc
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
2026-03-20 18:59:30 -07:00
strparser
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2025-11-13 12:35:38 -08:00
sunrpc
Merge tag 'nfsd-7.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2026-03-18 14:27:11 -07:00
switchdev
bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign
2026-03-19 13:14:00 +01:00
tipc
net: use get_random_u{16,32,64}() where appropriate
2026-04-09 19:27:43 -07:00
tls
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
unix
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
vmw_vsock
vsock: avoid timeout for non-blocking accept() with empty backlog
2026-04-06 18:29:01 -07:00
wireless
Merge tag 'wireless-next-2026-03-26' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next
2026-03-26 18:17:14 -07:00
x25
net/x25: Fix overflow when accumulating packets
2026-04-02 13:36:08 +02:00
xdp
net: remove the netif_get_rx_queue_lease_locked() helpers
2026-04-09 18:26:28 -07:00
xfrm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-09 13:20:59 -07:00
compat.c
socket: Unify getsockname and getpeername implementation
2025-11-26 13:45:23 -07:00
devres.c
Kconfig
net: Kconfig: discourage drop_monitor enablement
2025-10-17 16:29:26 -07:00
Kconfig.debug
Makefile
psp: base PSP device support
2025-09-18 12:32:06 +02:00
socket.c
net: Convert move_addr_to_user() to scoped user access
2026-03-11 20:38:00 -07:00
sysctl_net.c