From: Pauli Virtanen <pav@iki.fi> mainline inclusion from mainline-v7.0-rc7 commit a2639a7f0f5bf7d73f337f8f077c19415c62ed2c category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14551 CVE: CVE-2026-43019 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ---------------------------------------------------------------------- hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently. Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration. Fixes: a091289218202 ("Bluetooth: hci_conn: Fix hci_le_set_cig_params") Signed-off-by: Pauli Virtanen <pav@iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Conflicts: net/bluetooth/hci_conn.c [context conflicts] Signed-off-by: Chen Jinghuang <chenjinghuang2@huawei.com> --- net/bluetooth/hci_conn.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 6c0ae4131b0f..34fe2f7486d7 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1757,9 +1757,13 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data) struct iso_cig_params pdu; u8 cis_id; + hci_dev_lock(hdev); + conn = hci_conn_hash_lookup_cig(hdev, cig_id); - if (!conn) + if (!conn) { + hci_dev_unlock(hdev); return 0; + } memset(&pdu, 0, sizeof(pdu)); @@ -1799,6 +1803,8 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data) cis->p_rtn = qos->ucast.in.rtn; } + hci_dev_unlock(hdev); + if (!pdu.cp.num_cis) return 0; -- 2.34.1
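Review bot: in the first hunk the new hci_dev_lock(hdev) is paired with an unlock only on the `if (!conn)` path and again some forty lines later in the second hunk, so every return or goto in the elided region between them (the memset and the loop that copies qos fields into pdu) now has to release the lock or the hdev mutex leaks; please confirm there is none, or convert the early exits to a single `goto unlock;` label that does the hci_dev_unlock(hdev) and returns, which is the usual pattern in hci_conn.c and makes the critical section's boundaries obvious.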
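Review bot: the second hunk drops the hdev lock immediately after the loop that fills `cis->p_rtn = qos->ucast.in.rtn;`, so the subsequent `if (!pdu.cp.num_cis) return 0;` and the command submission operate on the local pdu copy only, which is correct since pdu is on the stack; however `conn` (looked up under the lock in the first hunk) is no longer protected past this point, and the commit message says the hci_conn can be freed concurrently, so any later dereference of conn or of the qos pointer derived from it in the rest of set_cig_params_sync would reintroduce the use-after-free this patch is fixing; please state in the commit message, or show in context, that nothing after the unlock touches conn, and consider adding a comment above hci_dev_unlock(hdev) to that effect.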