
[v2,4/4] Bluetooth: hci_conn: verify connection is to be aborted before doing it

Message ID 8e9dcf715fa1215545c1a01ad44b62d77a4edebe.1691352503.git.pav@iki.fi (mailing list archive)
State New, archived
Series [v2,1/4] Bluetooth: hci_sync: fix canceling LE scanning / CIS create conn state

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch success CheckPatch PASS
tedd_an/GitLint success Gitlint PASS
tedd_an/SubjectPrefix success Gitlint PASS
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

Pauli Virtanen Aug. 6, 2023, 8:18 p.m. UTC
When processing connections in abort_conn_sync, also check the
connection handle still refers to a connection that should be aborted.

There is a theoretical race condition where a connection handle is
reused, after hci_abort_conn but before abort_conn_sync is processed in
hci_sync. This change should avoid terminating a wrong connection in
this case.

Signed-off-by: Pauli Virtanen <pav@iki.fi>
---

Notes:
    v2: no change

 net/bluetooth/hci_conn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Patch

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index ae206eb551f7..b65a1e9b178b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2861,7 +2861,7 @@  static int abort_conn_sync(struct hci_dev *hdev, void *data)
 	u16 handle = PTR_ERR(data);
 
 	conn = hci_conn_hash_lookup_handle(hdev, handle);
-	if (!conn)
+	if (!conn || !conn->abort_reason)
 		return 0;
 
 	return hci_abort_conn_sync(hdev, conn, conn->abort_reason);
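Review bot: the new `if (!conn || !conn->abort_reason)` test in abort_conn_sync only tells a reused handle apart from a pending abort if 0 can never be a valid abort_reason for a queued connection; that invariant is created by the hci_abort_conn change in this same patch but nothing next to this check says so. Add a one-line comment here, e.g. `/* abort_reason == 0: handle was reused, nothing pending for it */`, so a later edit to hci_abort_conn does not silently reopen the race. Also consider a bt_dev_dbg in the `conn && !conn->abort_reason` case: returning 0 silently means the very race this patch targets leaves no trace in the log when it is hit.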
@@ -2876,6 +2876,8 @@  int hci_abort_conn(struct hci_conn *conn, u8 reason)
 	 */
 	if (conn->abort_reason)
 		return 0;
+	if (!reason)
+		return -EINVAL;
 
 	bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
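Review bot: the `if (!reason) return -EINVAL;` check in hci_abort_conn sits after the `if (conn->abort_reason) return 0;` early return and before the bt_dev_dbg, so a call with reason 0 is rejected without being logged; consider moving it above the existing check (reject a bogus argument before the duplicate-abort path) and logging it, and add a short comment explaining why 0 is reserved, since the comment block ending at `*/` above only covers the repeated-abort case while the real reason is that abort_conn_sync treats abort_reason == 0 as "no abort pending". The commit message should also say whether any current caller of hci_abort_conn passes reason 0, because those callers now fail with -EINVAL instead of queuing the abort.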