* [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
@ 2026-06-08  9:56 Alva Lan
  2026-06-09  0:51 ` Sasha Levin
  2026-06-21  1:57 ` XIAO WU
  0 siblings, 2 replies; 4+ messages in thread
From: Alva Lan @ 2026-06-08  9:56 UTC (permalink / raw)
  To: gregkh, sashal, stable
  Cc: linux-kernel, Pauli Virtanen, Luiz Augusto von Dentz, Alva Lan

From: Pauli Virtanen <pav@iki.fi>

[ Upstream commit a2639a7f0f5bf7d73f337f8f077c19415c62ed2c ]

hci_conn lookup and field access must be covered by hdev lock in
set_cig_params_sync, otherwise it's possible it is freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified
concurrently.  Just RCU lock is not suitable here, as we also want to
avoid "tearing" in the configuration.

Fixes: a091289218202 ("Bluetooth: hci_conn: Fix hci_le_set_cig_params")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
---
 net/bluetooth/hci_conn.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index f51c530a3c45..ab86cc4a5e3f 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1734,9 +1734,13 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
 	struct iso_cig_params pdu;
 	u8 cis_id;
 
+	hci_dev_lock(hdev);
+
 	conn = hci_conn_hash_lookup_cig(hdev, cig_id);
-	if (!conn)
+	if (!conn) {
+		hci_dev_unlock(hdev);
 		return 0;
+	}
 
 	memset(&pdu, 0, sizeof(pdu));
 
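Review bot: with hci_dev_lock() now taken before hci_conn_hash_lookup_cig(), every return between that lookup and the hci_dev_unlock() added further down must release the lock; the `if (!conn)` path does so here, but the hunk headers show lines 1750 to 1780 are not in the diff, so confirm there is no other early return or goto in that stretch that would now leave hdev locked. The lookup and the field reads into the local `pdu` sit under the same lock, which is what the commit message asks for in place of RCU to avoid a torn configuration.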
@@ -1776,6 +1780,8 @@ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
 		cis->p_rtn  = qos->ucast.in.rtn;
 	}
 
+	hci_dev_unlock(hdev);
+
 	if (!pdu.cp.num_cis)
 		return 0;
 
-- 
2.43.0



* Re: [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
  2026-06-08  9:56 [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync Alva Lan
@ 2026-06-09  0:51 ` Sasha Levin
  2026-06-21  1:57 ` XIAO WU
  1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2026-06-09  0:51 UTC (permalink / raw)
  To: gregkh, stable
  Cc: Sasha Levin, linux-kernel, Pauli Virtanen, Luiz Augusto von Dentz,
	Alva Lan

> [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

Queued for 6.6, thanks.

--
Thanks,
Sasha


* Re: [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
  2026-06-08  9:56 [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync Alva Lan
  2026-06-09  0:51 ` Sasha Levin
@ 2026-06-21  1:57 ` XIAO WU
  2026-06-21  5:38   ` Greg KH
  1 sibling, 1 reply; 4+ messages in thread
From: XIAO WU @ 2026-06-21  1:57 UTC (permalink / raw)
  To: Alva Lan, gregkh, sashal, stable
  Cc: linux-kernel, Pauli Virtanen, Luiz Augusto von Dentz

Hi,

I came across a Sashiko AI code review [1] that flagged a related
use-after-free in `get_l2cap_conn()` — it has the same lock-dropping
pattern that your patch fixes in `set_cig_params_sync()`.

I was able to trigger it in QEMU with KASAN on a 6.6.y kernel. Writing
to the 6lowpan debugfs control file races against connection teardown.

On Sun, Jun 8, 2026 at 5:56:55PM +0300, Pauli Virtanen wrote:
> This commit adds hci_dev_lock() around the hci_conn lookup and field
> accesses in set_cig_params_sync(). This prevents a potential
> use-after-free if the connection is concurrently freed.

The same pattern in `get_l2cap_conn()` still drops the lock before
accessing the returned hcon pointer:

```c
// net/bluetooth/6lowpan.c: get_l2cap_conn()
hci_dev_lock(hdev);
hcon = hci_conn_hash_lookup_le(hdev, addr, le_addr_type);
hci_dev_unlock(hdev);                           // lock dropped
hci_dev_put(hdev);

if (!hcon)
	return -ENOENT;

*conn = (struct l2cap_conn *)hcon->l2cap_data;  // UAF if freed
```

The connection is returned without a reference count.  If a concurrent
disconnect event frees it via `hci_conn_del()`, the subsequent
dereference of `hcon->l2cap_data` hits freed memory.

[KASAN report — kernel 6.6.142, CONFIG_KASAN=y]

   ==================================================================
   BUG: KASAN: slab-use-after-free in get_l2cap_conn.constprop.0+0x73f/0x750
   Read of size 8 at addr ffff888106514ab8 by task poc/9349

   CPU: 1 PID: 9349 Comm: poc Not tainted 6.6.142-g1ab6d2b45d08 #1

   Call Trace:
    <TASK>
    dump_stack_lvl+0xd9/0x1b0
    print_report+0xce/0x630
    kasan_report+0xd4/0x110
    get_l2cap_conn.constprop.0+0x73f/0x750
    lowpan_control_write+0x574/0x740
    full_proxy_write+0x12f/0x1a0
    vfs_write+0x2ba/0xe60
    ksys_write+0x134/0x260
    do_syscall_64+0x39/0xc0
    entry_SYSCALL_64_after_hwframe+0x79/0xe3

   Allocated by task 56:
    __hci_conn_add+0x136/0x1ac0
    hci_conn_add_unset+0x72/0x100
    le_conn_complete_evt+0x667/0x2180
    hci_le_conn_complete_evt+0x241/0x370

   Freed by task 56:
    __kmem_cache_free+0xb6/0x2e0
    hci_conn_del+0x.../...

[1] https://sashiko.dev/#/patchset/tencent_42D87A0C871AE6AF019BF6AB46F003577205%40qq.com
    (Sashiko AI code review — "Use-After-Free", Severity: High)

Thanks,
XIAO



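The locking discipline the patch applies, and the drop-the-lock-then-dereference pattern XIAO WU describes above, as an added userspace C model that is not kernel code and not part of this thread. The device lock (a pthread mutex standing in for hdev->lock), the connection list, the sample connections and the names dev_conn_del and build_cig_pdu are all constructed for this example. build_cig_pdu copies what it needs into a local PDU while the lock is held and releases the lock on every return path, so nothing after the unlock can reach a connection that a concurrent teardown has removed.

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#define MAX_CIS 4
/* Constructed model: a device mutex protecting a linked list of
 * connections, standing in for hdev->lock and the hci_conn hash. */
struct conn { uint8_t cig_id, cis_id; uint16_t sdu_in; struct conn *next; };
struct dev  { pthread_mutex_t lock; int lock_held; struct conn *conns; };
/* Local copy of what the command needs, like `pdu` in set_cig_params_sync. */
struct cig_pdu { uint8_t cig_id, num_cis, cis_id[MAX_CIS]; uint16_t sdu_in[MAX_CIS]; };

/* Constructed sample: CIG 1 has CIS 1 and 2, CIG 2 has CIS 1. */
static struct conn c3 = { 2, 1, 40, NULL };
static struct conn c2 = { 1, 2, 30, &c3 };
static struct conn c1 = { 1, 1, 20, &c2 };
static struct dev sample_dev = { PTHREAD_MUTEX_INITIALIZER, 0, &c1 };

static void dev_lock(struct dev *d)   { pthread_mutex_lock(&d->lock); d->lock_held = 1; }
static void dev_unlock(struct dev *d) { d->lock_held = 0; pthread_mutex_unlock(&d->lock); }

/* Teardown side: unlink a connection, always under the device lock. */
static void dev_conn_del(struct dev *d, struct conn *victim)
{
    struct conn **pp;
    dev_lock(d);
    for (pp = &d->conns; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; break; }
    dev_unlock(d);
}

/* Build the CIG PDU. Returns 0, or -ENOENT if the CIG has no connections.
 * Every conn dereference sits between dev_lock and dev_unlock, both return
 * paths release the lock, and after unlock only the caller's copy is used. */
static int build_cig_pdu(struct dev *d, uint8_t cig_id, struct cig_pdu *pdu)
{
    struct conn *c;
    memset(pdu, 0, sizeof(*pdu));
    pdu->cig_id = cig_id;
    dev_lock(d);
    for (c = d->conns; c; c = c->next) {
        if (c->cig_id != cig_id || pdu->num_cis >= MAX_CIS)
            continue;
        pdu->cis_id[pdu->num_cis] = c->cis_id;
        pdu->sdu_in[pdu->num_cis] = c->sdu_in;
        pdu->num_cis++;
    }
    dev_unlock(d);   /* released before either return below */
    return pdu->num_cis ? 0 : -ENOENT;
}
```

Deleting a connection after build_cig_pdu has returned leaves the caller's PDU valid, which is exactly what the kernel fix relies on once hci_dev_unlock() runs.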

* Re: [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
  2026-06-21  1:57 ` XIAO WU
@ 2026-06-21  5:38   ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-06-21  5:38 UTC (permalink / raw)
  To: XIAO WU
  Cc: Alva Lan, sashal, stable, linux-kernel, Pauli Virtanen,
	Luiz Augusto von Dentz

On Sun, Jun 21, 2026 at 09:57:51AM +0800, XIAO WU wrote:
> Hi,
> 
> I came across a Sashiko AI code review [1] that flagged a related
> use-after-free in `get_l2cap_conn()` — it has the same lock-dropping
> pattern that your patch fixes in `set_cig_params_sync()`.
> 
> I was able to trigger it in QEMU with KASAN on a 6.6.y kernel. Writing
> to the 6lowpan debugfs control file races against connection teardown.

That's a very old kernel version, can you try 7.1.1 please?  Also, can
you just send a fix for it if it is an issue there?

thanks,

greg k-h
