diff --git a/patches.kernel.org/6.2.12-016-Bluetooth-Free-potentially-unfreed-SCO-connect.patch b/patches.kernel.org/6.2.12-016-Bluetooth-Free-potentially-unfreed-SCO-connect.patch
new file mode 100644
index 0000000..ab7d67d
--- /dev/null
+++ b/patches.kernel.org/6.2.12-016-Bluetooth-Free-potentially-unfreed-SCO-connect.patch
@@ -0,0 +1,56 @@
+From: Archie Pusaka
+Date: Fri, 3 Feb 2023 17:30:55 +0800
+Subject: [PATCH] Bluetooth: Free potentially unfreed SCO connection
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: 0f00cd322d22d4441de51aa80bcce5bb6a8cbb44
+
+commit 0f00cd322d22d4441de51aa80bcce5bb6a8cbb44 upstream.
+
+It is possible to initiate a SCO connection while deleting the
+corresponding ACL connection, e.g. in below scenario:
+
+(1) < hci setup sync connect command
+(2) > hci disconn complete event (for the acl connection)
+(3) > hci command complete event (for(1), failure)
+
+When it happens, hci_cs_setup_sync_conn won't be able to obtain the
+reference to the SCO connection, so it will be stuck and potentially
+hinder subsequent connections to the same device.
+
+This patch prevents that by also deleting the SCO connection if it is
+still not established when the corresponding ACL connection is deleted.
+
+Signed-off-by: Archie Pusaka
+Reviewed-by: Ying Hsu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ net/bluetooth/hci_conn.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 61a34801..838f51c2 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1061,8 +1061,15 @@ int hci_conn_del(struct hci_conn *conn)
+
+ if (conn->type == ACL_LINK) {
+ struct hci_conn *sco = conn->link;
+- if (sco)
++ if (sco) {
+ sco->link = NULL;
++ /* Due to race, SCO connection might be not established
++ * yet at this point. Delete it now, otherwise it is
++ * possible for it to be stuck and can't be deleted.
++ */
++ if (sco->handle == HCI_CONN_HANDLE_UNSET)
++ hci_conn_del(sco);
++ }
+
+ /* Unacked frames */
+ hdev->acl_cnt += conn->sent;
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 8606d2e..5f81e23 100644
--- a/series.conf
+++ b/series.conf
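Review bot: In the inner hci_conn.c hunk, the recursive `hci_conn_del(sco)` discards its int return value and leaves `conn->link` still pointing at the SCO connection it has just deleted; the hunk clears `sco->link` before the call but never clears `conn->link`. Nothing visible in the hunk reads `conn->link` afterwards and `conn` is itself being torn down by this function, so this is most likely harmless, but a `conn->link = NULL;` after the recursive call would make that lifetime explicit instead of relying on the rest of hci_conn_del, which continues outside the hunk. Clearing `sco->link` before recursing appears to be what keeps the nested call from reaching back into `conn`, and the added comment could state that, e.g. `/* sco->link is already NULL, so the nested hci_conn_del() cannot touch conn */`. The file being added is a vendored upstream kernel patch, so this applies to the backported change itself rather than to anything the series update can alter on its own.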
@@ -2243,6 +2243,7 @@
 patches.kernel.org/6.2.12-013-Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_di.patch
 patches.kernel.org/6.2.12-014-Bluetooth-Fix-race-condition-in-hidp_session_t.patch
 patches.kernel.org/6.2.12-015-bluetooth-btbcm-Fix-logic-error-in-forming-the.patch
+ patches.kernel.org/6.2.12-016-Bluetooth-Free-potentially-unfreed-SCO-connect.patch
 ########################################################
 # Build fixes that apply to the vanilla kernel too.