[PW_SID:1078865] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers by BluezTestBot · Pull Request #3465 · BluezTestBot/bluetooth-next

BluezTestBot · 2026-04-08T19:48:24Z

hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.

Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.

Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.

Cc: stable@vger.kernel.org
Signed-off-by: Shuvam Pandey shuvampandey1@gmail.com

net/bluetooth/hci_event.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)

hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path. Cc: stable@vger.kernel.org Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>

github-actions · 2026-04-08T19:51:59Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.49 seconds
Result: PENDING

github-actions · 2026-04-08T19:52:00Z

GitLint
Desc: Run gitlint
Duration: 0.28 seconds
Result: PENDING

github-actions · 2026-04-08T19:52:01Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.26 seconds
Result: PASS

github-actions · 2026-04-08T19:52:31Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.88 seconds
Result: PASS

github-actions · 2026-04-08T19:53:04Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 28.13 seconds
Result: PASS

github-actions · 2026-04-08T19:53:36Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 27.57 seconds
Result: PASS

github-actions · 2026-04-08T19:54:05Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.83 seconds
Result: PASS

github-actions · 2026-04-08T20:03:34Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 567.22 seconds
Result: PASS

github-actions · 2026-04-08T20:04:02Z

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 27.70 seconds
Result: PASS

github-actions · 2026-04-08T20:04:41Z

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 37.67 seconds
Result: PASS

github-actions · 2026-04-08T20:04:48Z

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.40 seconds
Result: PASS

github-actions · 2026-04-08T20:06:42Z

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 113.44 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds

github-actions · 2026-04-08T20:06:52Z

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.37 seconds
Result: PASS

github-actions · 2026-04-08T20:07:07Z

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.29 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

github-actions · 2026-04-08T20:07:18Z

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.35 seconds
Result: PASS

github-actions · 2026-04-08T20:07:30Z

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 11.48 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.860 seconds
Mesh - Send cancel - 2                               Timed out    1.992 seconds

github-actions · 2026-04-08T20:07:40Z

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.62 seconds
Result: PASS

github-actions · 2026-04-08T20:07:48Z

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.77 seconds
Result: PASS

github-actions · 2026-04-08T20:07:49Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.64 seconds
Result: PENDING

Conversation

BluezTestBot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants