| Message ID | b49f9428a680a77613b8452a5664d09593a5966e.1691331800.git.pav@iki.fi |
|---|---|
| State | New |
| Series | [1/3] Bluetooth: hci_sync: fix canceling LE scanning / CIS create conn state |
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index ae206eb551f7..b65a1e9b178b 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -2861,7 +2861,7 @@ static int abort_conn_sync(struct hci_dev *hdev, void *data) u16 handle = PTR_ERR(data); conn = hci_conn_hash_lookup_handle(hdev, handle); - if (!conn) + if (!conn || !conn->abort_reason) return 0; return hci_abort_conn_sync(hdev, conn, conn->abort_reason); @@ -2876,6 +2876,8 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason) */ if (conn->abort_reason) return 0; + if (!reason) + return -EINVAL; bt_dev_dbg(hdev, "handle 0x%2.2x reason 0x%2.2x", conn->handle, reason);
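Review bot: In the abort_conn_sync hunk, the added `!conn->abort_reason` test reads as redundant at first sight, since hci_abort_conn only queues work after setting abort_reason; a one-line comment above the check would make the intent clear, e.g. `/* handle may have been reused since hci_abort_conn(); skip if not marked */`. The check also only works because the second hunk guarantees a queued abort always has a non-zero abort_reason, so that dependency between the two hunks belongs in the commit message.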
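Review bot: The new `if (!reason) return -EINVAL;` in hci_abort_conn reserves reason 0 as the "no abort pending" sentinel, but neither the commit message nor the comment block that ends just above `if (conn->abort_reason) return 0;` says so; extend that comment to state that 0 is not a valid reason because abort_reason == 0 means no abort has been requested. Argument validation would also conventionally sit before the early return on conn->abort_reason rather than after it, and callers should be checked for any that could previously have passed 0 and now receive -EINVAL instead of success.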
When processing connections in abort_conn_sync, also check the connection handle still refers to a connection that should be aborted.

There is a theoretical race condition where a connection handle is reused, after hci_abort_conn but before abort_conn_sync is processed in hci_sync. This change should avoid terminating a wrong connection in this case.

Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
net/bluetooth/hci_conn.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)