From 5800249484347624696349cd739876bd1bf898de Mon Sep 17 00:00:00 2001 From: David Carlier Date: Wed, 8 Apr 2026 16:56:38 +0100 Subject: [PATCH] Bluetooth: hci_conn: validate connection before BIG creation Add missing hci_conn_valid() check in create_big_sync() to prevent a potential use-after-free. The connection object passed via hci_cmd_sync_queue() could be freed before the async callback executes, leading to a dereference of stale memory. All other async callbacks using the same pattern already validate the connection (e.g. hci_le_big_create_sync, hci_acl_create_conn_sync, hci_le_create_conn_sync, abort_conn_sync). Signed-off-by: David Carlier --- net/bluetooth/hci_conn.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 3a05925990861..5ba8db2b9991e 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -2130,6 +2130,9 @@ static int create_big_sync(struct hci_dev *hdev, void *data) u32 flags = 0; int err; + if (!hci_conn_valid(hdev, conn)) + return -ECANCELED; + if (qos->bcast.out.phys == BIT(1)) flags |= MGMT_ADV_FLAG_SEC_2M;