[PATCH] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work

[PATCH] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work

[Szymon Wilczek]

syzbot reported a slab-use-after-free in hci_cmd_work.
The issue is that hci_send_cmd_sync() consumes the skb reference
(either by passing it to the driver which frees it, or by calling
kfree_skb() on error), but the skb might be accessed after the call
in certain configurations or due to race conditions with the freeing
process (e.g. vhci_read).

Explicitly hold a reference to the skb using skb_get() before calling
hci_send_cmd_sync() and release it with kfree_skb() afterwards. This
ensures the skb object remains valid throughout the function call,
regardless of how hci_send_cmd_sync() handles the original reference.

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
---
 net/bluetooth/hci_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 8ccec73dce45..af4ef31295c4 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4149,7 +4149,10 @@ static void hci_cmd_work(struct work_struct *work)
 		if (!skb)
 			return;
 
+		skb_get(skb);
 		err = hci_send_cmd_sync(hdev, skb);
+		kfree_skb(skb);
+
 		if (err)
 			return;
 
-- 
2.52.0

RE: Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3277 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1036498

---Test result---

Test Summary:
CheckPatch                    PENDING   0.35 seconds
GitLint                       PENDING   0.26 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      25.01 seconds
CheckAllWarning               PASS      27.27 seconds
CheckSparse                   WARNING   30.42 seconds
BuildKernel32                 PASS      24.45 seconds
TestRunnerSetup               PASS      547.75 seconds
TestRunner_l2cap-tester       PASS      27.98 seconds
TestRunner_iso-tester         PASS      84.99 seconds
TestRunner_bnep-tester        PASS      6.19 seconds
TestRunner_mgmt-tester        FAIL      116.22 seconds
TestRunner_rfcomm-tester      PASS      9.28 seconds
TestRunner_sco-tester         FAIL      14.26 seconds
TestRunner_ioctl-tester       PASS      10.12 seconds
TestRunner_mesh-tester        FAIL      11.41 seconds
TestRunner_smp-tester         PASS      8.39 seconds
TestRunner_userchan-tester    PASS      6.48 seconds
IncrementalBuild              PENDING   0.72 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_core.c:85:9: warning: context imbalance in '__hci_dev_get' - different lock contexts for basic blocknet/bluetooth/hci_core.c: note: in included file (through include/linux/notifier.h, include/linux/memory_hotplug.h, include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, include/linux/radix-tree.h, ...):
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 486 (98.4%), Failed: 4, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.106 seconds
LL Privacy - Add Device 3 (AL is full)               Failed       0.196 seconds
LL Privacy - Set Flags 3 (2 Devices to RL)           Failed       0.193 seconds
LL Privacy - Start Discovery 2 (Disable RL)          Failed       0.184 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.052 seconds
Mesh - Send cancel - 2                               Timed out    1.992 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work

[Hillf Danton]

On Thu, 25 Dec 2025 00:54:07 +0100 Szymon Wilczek wrote:
> syzbot reported a slab-use-after-free in hci_cmd_work.
> The issue is that hci_send_cmd_sync() consumes the skb reference
> (either by passing it to the driver which frees it, or by calling
> kfree_skb() on error), but the skb might be accessed after the call
> in certain configurations or due to race conditions with the freeing
> process (e.g. vhci_read).
> 
> Explicitly hold a reference to the skb using skb_get() before calling
> hci_send_cmd_sync() and release it with kfree_skb() afterwards. This
> ensures the skb object remains valid throughout the function call,
> regardless of how hci_send_cmd_sync() handles the original reference.
> 
> Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
> Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
> ---
>  net/bluetooth/hci_core.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 8ccec73dce45..af4ef31295c4 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -4149,7 +4149,10 @@ static void hci_cmd_work(struct work_struct *work)
>  		if (!skb)
>  			return;
>  
> +		skb_get(skb);
>  		err = hci_send_cmd_sync(hdev, skb);
> +		kfree_skb(skb);
> +
>  		if (err)
>  			return;
>  
> -- 
> 2.52.0
> 
Given skb_dequeue() in both vhci_read() and hci_cmd_work(), what is
missed is the root cause of the issue.

[PATCH v2] Bluetooth: vhci: Fix slab-use-after-free by cloning skb

[Szymon Wilczek]

Hillf Danton pointed out that the root cause of the UAF issue is the
lack of isolation between hci_core and vhci driver consumers.

vhci_send_frame() modifies the skb (via skb_push) and queues the
original skb to the readq for userspace consumption. This means the
hci_core caller sees a modified skb (corrupted headers/data pointer)
if it retains any reference. Furthermore, if vhci_read() frees the
skb immediately, hci_core might hit a Use-After-Free.

Other drivers (like btusb) create a new URB and context, isolating
the skb lifetime.

Fix this by cloning the skb in vhci_send_frame() before queueing.
The clone is modified and queued. The original skb is freed
immediately, satisfying the HCI driver contract to consume the skb
while ensuring the queued object is distinct from the one passed by
hci_core.

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
---
 drivers/bluetooth/hci_vhci.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..f2901a4b5b3a 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -74,13 +74,20 @@ static int vhci_flush(struct hci_dev *hdev)
 static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
+	struct sk_buff *nskb;
 
-	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
+	nskb = skb_clone(skb, GFP_ATOMIC);
+	if (!nskb)
+		return -ENOMEM;
+
+	memcpy(skb_push(nskb, 1), &hci_skb_pkt_type(skb), 1);
 
-	skb_queue_tail(&data->readq, skb);
+	skb_queue_tail(&data->readq, nskb);
 
 	if (atomic_read(&data->initialized))
 		wake_up_interruptible(&data->read_wait);
+
+	kfree_skb(skb);
 	return 0;
 }
 
-- 
2.52.0

RE: [v2] Bluetooth: vhci: Fix slab-use-after-free by cloning skb

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3101 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1036540

---Test result---

Test Summary:
CheckPatch                    PENDING   0.25 seconds
GitLint                       PENDING   0.24 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      25.11 seconds
CheckAllWarning               PASS      27.54 seconds
CheckSparse                   PASS      30.84 seconds
BuildKernel32                 PASS      24.56 seconds
TestRunnerSetup               PASS      543.65 seconds
TestRunner_l2cap-tester       FAIL      28.02 seconds
TestRunner_iso-tester         PASS      76.34 seconds
TestRunner_bnep-tester        PASS      6.21 seconds
TestRunner_mgmt-tester        FAIL      124.10 seconds
TestRunner_rfcomm-tester      PASS      9.28 seconds
TestRunner_sco-tester         FAIL      14.46 seconds
TestRunner_ioctl-tester       PASS      10.21 seconds
TestRunner_mesh-tester        FAIL      11.46 seconds
TestRunner_smp-tester         PASS      8.60 seconds
TestRunner_userchan-tester    PASS      6.58 seconds
IncrementalBuild              PENDING   0.62 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0

Failed Test Cases
L2CAP BR/EDR Client - Set PHY 3M                     Failed       0.112 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 486 (98.4%), Failed: 4, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.110 seconds
LL Privacy - Add Device 2 (2 Devices to AL)          Failed       0.178 seconds
LL Privacy - Set Flags 2 (Enable RL)                 Failed       0.155 seconds
LL Privacy - Set Device Flag 1 (Device Privacy)      Failed       0.158 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.927 seconds
Mesh - Send cancel - 2                               Timed out    1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

[PATCH v3] Bluetooth: vhci: Fix slab-use-after-free by cloning skb

[Szymon Wilczek]

Hillf Danton pointed out that the root cause of the UAF issue is the
lack of isolation between hci_core and vhci driver consumers.

vhci_send_frame() modifies the skb (via skb_push) and queues the
original skb to the readq for userspace consumption. This means the
hci_core caller sees a modified skb (corrupted headers/data pointer)
if it retains any reference. Furthermore, if vhci_read() frees the
skb immediately, hci_core might hit a Use-After-Free.

Other drivers (like btusb) create a new URB and context, isolating
the skb lifetime.

Fix this by cloning the skb in vhci_send_frame() before queueing.
The clone is modified and queued. The original skb is freed using
dev_consume_skb_any() which is safe in atomic context, satisfying
the HCI driver contract to consume the skb while ensuring the queued
object is distinct from the one passed by hci_core.

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
---
v3: Replaced kfree_skb() with dev_consume_skb_any() to fix sleeping
    in atomic context warning reported by CI.
v2: Moved fix to vhci driver, using skb_clone to isolate ownership.
---
 drivers/bluetooth/hci_vhci.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..7c72c635965c 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -74,13 +74,20 @@ static int vhci_flush(struct hci_dev *hdev)
 static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
+	struct sk_buff *nskb;
 
-	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
+	nskb = skb_clone(skb, GFP_ATOMIC);
+	if (!nskb)
+		return -ENOMEM;
+
+	memcpy(skb_push(nskb, 1), &hci_skb_pkt_type(skb), 1);
 
-	skb_queue_tail(&data->readq, skb);
+	skb_queue_tail(&data->readq, nskb);
 
 	if (atomic_read(&data->initialized))
 		wake_up_interruptible(&data->read_wait);
+
+	dev_consume_skb_any(skb);
 	return 0;
 }
 
-- 
2.52.0

Re: [PATCH] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work

[Pauli Virtanen]

Hi,

to, 2025-12-25 kello 00:54 +0100, Szymon Wilczek kirjoitti:
> syzbot reported a slab-use-after-free in hci_cmd_work.
> The issue is that hci_send_cmd_sync() consumes the skb reference
> (either by passing it to the driver which frees it, or by calling
> 
> 
> kfree_skb() on error), but the skb might be accessed after the call
> in certain configurations or due to race conditions with the freeing
> process (e.g. vhci_read).
> 
> Explicitly hold a reference to the skb using skb_get() before calling
> hci_send_cmd_sync() and release it with kfree_skb() afterwards. This
> ensures the skb object remains valid throughout the function call,
> regardless of how hci_send_cmd_sync() handles the original reference.
> 
> Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
> Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>

IIRC this was already fixed by 275ddfeb3fdc274050c2173ffd985b1e80a9aa37

Indeed, syzkaller has no crashes on this since 2025-11-19.

> ---
>  net/bluetooth/hci_core.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 8ccec73dce45..af4ef31295c4 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -4149,7 +4149,10 @@ static void hci_cmd_work(struct work_struct *work)
>  		if (!skb)
>  			return;
>  
> +		skb_get(skb);
>  		err = hci_send_cmd_sync(hdev, skb);
> +		kfree_skb(skb);
> +
>  		if (err)
>  			return;
>  

-- 
Pauli Virtanen