From: syzbot <syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: Re: [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
Date: Wed, 25 Mar 2026 09:11:21 -0700
Message-ID: <69c40929.a70a0220.234938.0053.GAE@google.com>
In-Reply-To: <69365d0c.a70a0220.38f243.0085.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
Author: luiz.dentz@gmail.com
#syz test
On Wed, Mar 25, 2026 at 11:43 AM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> ---------- Forwarded message ---------
> From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
> Date: Wed, Mar 25, 2026 at 11:18 AM
> Subject: [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
> To: <linux-bluetooth@vger.kernel.org>
>
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following backtrace caused by hci_conn being freed
> before le_read_features_complete but after
> hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue
> is not able to prevent it:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in instrument_atomic_read_write
> include/linux/instrumented.h:96 [inline]
> BUG: KASAN: slab-use-after-free in atomic_dec_and_test
> include/linux/atomic/atomic-instrumented.h:1383 [inline]
> BUG: KASAN: slab-use-after-free in hci_conn_drop
> include/net/bluetooth/hci_core.h:1688 [inline]
> BUG: KASAN: slab-use-after-free in
> le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
> Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52
>
> CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 10/25/2025
> Workqueue: hci0 hci_cmd_sync_work
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0xcd/0x630 mm/kasan/report.c:482
> kasan_report+0xe0/0x110 mm/kasan/report.c:595
> check_region_inline mm/kasan/generic.c:194 [inline]
> kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
> hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
> le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
> hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334
> process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
> process_scheduled_works kernel/workqueue.c:3340 [inline]
> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
> kthread+0x3c5/0x780 kernel/kthread.c:463
> ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
> </TASK>
>
> Allocated by task 5932:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
> kasan_save_track+0x14/0x30 mm/kasan/common.c:77
> poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963
> hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084
> le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714
> hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861
> hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408
> hci_event_func net/bluetooth/hci_event.c:7716 [inline]
> hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773
> hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
> process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
> process_scheduled_works kernel/workqueue.c:3340 [inline]
> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
> kthread+0x3c5/0x780 kernel/kthread.c:463
> ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
>
> Freed by task 5932:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
> kasan_save_track+0x14/0x30 mm/kasan/common.c:77
> __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
> kasan_save_free_info mm/kasan/kasan.h:406 [inline]
> poison_slab_object mm/kasan/common.c:252 [inline]
> __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
> kasan_slab_free include/linux/kasan.h:234 [inline]
> slab_free_hook mm/slub.c:2540 [inline]
> slab_free mm/slub.c:6663 [inline]
> kfree+0x2f8/0x6e0 mm/slub.c:6871
> device_release+0xa4/0x240 drivers/base/core.c:2565
> kobject_cleanup lib/kobject.c:689 [inline]
> kobject_release lib/kobject.c:720 [inline]
> kref_put include/linux/kref.h:65 [inline]
> kobject_put+0x1e7/0x590 lib/kobject.c:737
> put_device drivers/base/core.c:3797 [inline]
> device_unregister+0x2f/0xc0 drivers/base/core.c:3920
> hci_conn_del_sysfs+0xb4/0x180 net/bluetooth/hci_sysfs.c:79
> hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
> hci_conn_del+0x657/0x1180 net/bluetooth/hci_conn.c:1234
> hci_disconn_complete_evt+0x410/0xa00 net/bluetooth/hci_event.c:3451
> hci_event_func net/bluetooth/hci_event.c:7719 [inline]
> hci_event_packet+0xa10/0x11c0 net/bluetooth/hci_event.c:7773
> hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
> process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
> process_scheduled_works kernel/workqueue.c:3340 [inline]
> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
> kthread+0x3c5/0x780 kernel/kthread.c:463
> ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
>
> The buggy address belongs to the object at ffff8880796b0000
> which belongs to the cache kmalloc-8k of size 8192
> The buggy address is located 16 bytes inside of
> freed 8192-byte region [ffff8880796b0000, ffff8880796b2000)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x796b0
> head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001
> raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
> head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001
> head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
> head: 00fff00000000003 ffffea0001e5ac01 00000000ffffffff 00000000ffffffff
> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp_mask
> 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC),
> pid 5657, tgid 5657 (dhcpcd-run-hook), ts 79819636908, free_ts
> 79814310558
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1845
> prep_new_page mm/page_alloc.c:1853 [inline]
> get_page_from_freelist+0xd0b/0x31a0 mm/page_alloc.c:3879
> __alloc_frozen_pages_noprof+0x25f/0x2440 mm/page_alloc.c:5183
> alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
> alloc_slab_page mm/slub.c:3075 [inline]
> allocate_slab mm/slub.c:3248 [inline]
> new_slab+0x2c3/0x430 mm/slub.c:3302
> ___slab_alloc+0xe18/0x1c90 mm/slub.c:4651
> __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4774
> __slab_alloc_node mm/slub.c:4850 [inline]
> slab_alloc_node mm/slub.c:5246 [inline]
> __kmalloc_cache_noprof+0x477/0x800 mm/slub.c:5766
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
> tomoyo_init_log+0xc8a/0x2140 security/tomoyo/audit.c:264
> tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
> tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
> tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
> tomoyo_environ security/tomoyo/domain.c:672 [inline]
> tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888
> tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
> tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92
> security_bprm_check+0x1b9/0x1e0 security/security.c:794
> search_binary_handler fs/exec.c:1659 [inline]
> exec_binprm fs/exec.c:1701 [inline]
> bprm_execve fs/exec.c:1753 [inline]
> bprm_execve+0x81e/0x1620 fs/exec.c:1729
> do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859
> page last free pid 5657 tgid 5657 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> free_pages_prepare mm/page_alloc.c:1394 [inline]
> __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2901
> discard_slab mm/slub.c:3346 [inline]
> __put_partials+0x130/0x170 mm/slub.c:3886
> qlink_free mm/kasan/quarantine.c:163 [inline]
> qlist_free_all+0x4c/0xf0 mm/kasan/quarantine.c:179
> kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
> __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:352
> kasan_slab_alloc include/linux/kasan.h:252 [inline]
> slab_post_alloc_hook mm/slub.c:4948 [inline]
> slab_alloc_node mm/slub.c:5258 [inline]
> __kmalloc_cache_noprof+0x274/0x800 mm/slub.c:5766
> kmalloc_noprof include/linux/slab.h:957 [inline]
> tomoyo_print_header security/tomoyo/audit.c:156 [inline]
> tomoyo_init_log+0x197/0x2140 security/tomoyo/audit.c:255
> tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
> tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
> tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
> tomoyo_environ security/tomoyo/domain.c:672 [inline]
> tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888
> tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
> tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92
> security_bprm_check+0x1b9/0x1e0 security/security.c:794
> search_binary_handler fs/exec.c:1659 [inline]
> exec_binprm fs/exec.c:1701 [inline]
> bprm_execve fs/exec.c:1753 [inline]
> bprm_execve+0x81e/0x1620 fs/exec.c:1729
> do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859
> do_execve fs/exec.c:1933 [inline]
> __do_sys_execve fs/exec.c:2009 [inline]
> __se_sys_execve fs/exec.c:2004 [inline]
> __x64_sys_execve+0x8e/0xb0 fs/exec.c:2004
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
>
> Memory state around the buggy address:
> ffff8880796aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880796aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff8880796b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff8880796b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880796b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> Fixes: a106e50be74b ("Bluetooth: HCI: Add support for LL Extended Feature Set")
> Reported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com
> Closes: https://syzbot.org/bug?extid=87badbb9094e008e0685
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_sync.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 45d16639874a..f67a32c1451e 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -7371,7 +7371,7 @@ static void le_read_features_complete(struct
> hci_dev *hdev, void *data, int err)
> if (err == -ECANCELED)
> return;
>
> - hci_conn_drop(conn);
> + hci_conn_put(conn);
> }
>
> static int hci_le_read_all_remote_features_sync(struct hci_dev *hdev,
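Review bot: the early return on `err == -ECANCELED` now skips `hci_conn_put(conn)`, so the reference taken by `hci_conn_get()` at queue time is leaked whenever the queued command is cancelled rather than run, and the hci_conn_del -> hci_cmd_sync_dequeue path named in the commit message is exactly the cancel case that should reach this callback with -ECANCELED. With hold/drop the early return was harmless because the connection was already being torn down; with get/put the reference has to be released on every path, so either move the put above the -ECANCELED check or have the cancel path put the reference itself. It is also worth confirming that nothing earlier in le_read_features_complete (outside this hunk) dereferences conn state that hci_conn_del has already torn down, since the get only keeps the struct's memory alive, not the link.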
> @@ -7441,7 +7441,7 @@ int hci_le_read_remote_features(struct hci_conn *conn)
> if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
> err = hci_cmd_sync_queue_once(hdev,
> hci_le_read_remote_features_sync,
> - hci_conn_hold(conn),
> + hci_conn_get(conn),
> le_read_features_complete);
> else
> err = -EOPNOTSUPP;
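Review bot: swapping `hci_conn_hold(conn)` for `hci_conn_get(conn)` changes more than the lifetime guarantee. hci_conn_hold increments conn->refcnt and cancels the pending disconnect work, so while the feature read was in flight the idle timer could not tear the link down; hci_conn_get only takes a reference on conn->dev, which keeps the object from being freed but lets the link be disconnected underneath the pending command. If the intent is to keep both properties, take both (hold for the link, get for the memory) and release both in le_read_features_complete; if dropping the hold is deliberate, the commit message should say so.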
> --
> 2.53.0
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
Thread overview: 5+ messages
2025-12-08 5:07 [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in le_read_features_complete syzbot
2025-12-16 12:41 ` Forwarded: Bluetooth: hci: fix LE remote feature read refcount lifetime syzbot
2025-12-22 15:22 ` Forwarded: KASAN: slab-use-after-free Write in le_read_features_complete syzbot
2025-12-22 15:37 ` Forwarded: " syzbot
2026-03-25 16:11 ` syzbot [this message]