* [PATCH RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout
@ 2026-06-17  3:54 Sungwoo Kim
From: Sungwoo Kim @ 2026-06-17  3:54 UTC
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: Sungwoo Kim, Dave Tian, Luiz Augusto von Dentz, linux-bluetooth,
	linux-kernel

RFC only.

The hci_conn_timeout() function dereferences hdev->sent_cmd when handling
connection timeouts. However, an HCI_EV_HARDWARE_ERROR can trigger an
asynchronous reset sequence that sets hdev->sent_cmd to NULL via
hci_dev_close_sync().

hdev->sent_cmd is dereferenced when conn->disc_work times out:

hci_conn_timeout()
  hci_abort_conn()
    switch (hci_skb_event(hdev->sent_cmd)) {
      ...

However, an HCI hardware error event (HCI_EV_HARDWARE_ERROR) resets the
hci device, setting hdev->sent_cmd = NULL asynchronously:

hci_hardware_error_evt()
  hci_error_reset() (async)
    hci_dev_do_close()
      hci_dev_close_sync()
        hdev->sent_cmd = NULL;

As a result, a race condition exists between conn->disc_work execution
and the reset path, which can lead to a NULL pointer dereference when
hci_abort_conn() accesses hdev->sent_cmd.

To fix this, this patch ensures that all pending conn->disc_work
instances are canceled and completed before hdev->sent_cmd is cleared
during the reset path.
This is a provisional fix. Better design suggestions are welcome.

Oops:

Bluetooth: hci4: hardware error 0x00
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 2 UID: 0 PID: 408 Comm: kworker/u17:4 Not tainted 7.1.0-dirty #96 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
Workqueue: hci1 hci_conn_timeout
RIP: 0010:hci_abort_conn+0x291/0x350 net/bluetooth/hci_conn.c:3196

Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
Acked-by: Dave Tian <daveti@purdue.edu>
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/hci_sync.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index df23245d6ccd..dab709448a02 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5419,6 +5419,14 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	/* Drop last sent command */
 	if (hdev->sent_cmd) {
+		struct hci_conn *c;
+
+		rcu_read_lock();
+		list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
+			cancel_delayed_work_sync(&c->disc_work);
+		}
+		rcu_read_unlock();
+
 		cancel_delayed_work_sync(&hdev->cmd_timer);
 		kfree_skb(hdev->sent_cmd);
 		hdev->sent_cmd = NULL;
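Review bot: the new loop calls cancel_delayed_work_sync(&c->disc_work) between rcu_read_lock() and rcu_read_unlock(), but cancel_delayed_work_sync() may sleep while it waits for an in-flight hci_conn_timeout() to finish, and sleeping inside an RCU read-side critical section is not permitted, so this will trip might_sleep() under the scenario the commit message describes. Walk hdev->conn_hash.list under a sleepable lock such as hdev->lock instead, or drop the loop entirely: the follow-up in this thread notes that hci_conn_hash_flush() already disables every conn->disc_work synchronously before hdev->sent_cmd is cleared, in which case the race described above does not exist and the commit message should document that ordering rather than add a second cancellation pass.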
-- 
2.47.3



* RE: [RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout
From: bluez.test.bot @ 2026-06-17  7:28 UTC
  To: linux-bluetooth, iam


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1112652

---Test result---

Test Summary:
CheckPatch                    FAIL      0.51 seconds
VerifyFixes                   PASS      0.07 seconds
VerifySignedoff               PASS      0.06 seconds
GitLint                       FAIL      0.18 seconds
SubjectPrefix                 FAIL      0.05 seconds
BuildKernel                   PASS      26.51 seconds
CheckAllWarning               PASS      29.50 seconds
CheckSparse                   PASS      27.67 seconds
BuildKernel32                 PASS      25.72 seconds
CheckKernelLLVM               SKIP      0.00 seconds
TestRunnerSetup               PASS      574.33 seconds
TestRunner_l2cap-tester       PASS      57.14 seconds
TestRunner_iso-tester         PASS      76.29 seconds
TestRunner_bnep-tester        PASS      18.68 seconds
TestRunner_mgmt-tester        FAIL      205.98 seconds
TestRunner_rfcomm-tester      PASS      25.72 seconds
TestRunner_sco-tester         PASS      31.21 seconds
TestRunner_ioctl-tester       PASS      25.32 seconds
TestRunner_mesh-tester        FAIL      25.80 seconds
TestRunner_smp-tester         PASS      22.85 seconds
TestRunner_userchan-tester    PASS      19.58 seconds
TestRunner_6lowpan-tester     PASS      23.13 seconds
IncrementalBuild              PASS      24.93 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#119: 
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI

total: 0 errors, 1 warnings, 0 checks, 14 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14632510.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout

38: B1 Line exceeds max length (112>80): "Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI"
40: B1 Line exceeds max length (84>80): "CPU: 2 UID: 0 PID: 408 Comm: kworker/u17:4 Not tainted 7.1.0-dirty #96 PREEMPT(lazy)"
41: B1 Line exceeds max length (115>80): "Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.238 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.584 seconds
Mesh - Send cancel - 2                               Timed out    1.980 seconds


https://github.com/bluez/bluetooth-next/pull/322

---
Regards,
Linux Bluetooth



* Re: [PATCH RFC] bluetooth: hci: Fix null-ptr-deref in hci_conn_timeout
From: Sungwoo Kim @ 2026-06-17  9:23 UTC
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: Dave Tian, Luiz Augusto von Dentz, linux-bluetooth, linux-kernel

On Tue, Jun 16, 2026 at 11:55 PM Sungwoo Kim <iam@sung-woo.kim> wrote:
>
> RFC only.
>
> The hci_conn_timeout() function dereferences hdev->sent_cmd when handling
> connection timeouts. However, an HCI_EV_HARDWARE_ERROR can trigger an
> asynchronous reset sequence that sets hdev->sent_cmd to NULL via
> hci_dev_close_sync().
>
> hdev->sent_cmd is dereferenced when conn->disc_work times out:
>
> hci_conn_timeout()
>   hci_abort_conn()
>     switch (hci_skb_event(hdev->sent_cmd)) {
>       ...
>
> However, an HCI hardware error event (HCI_EV_HARDWARE_ERROR) resets the
> hci device, setting hdev->sent_cmd = NULL asynchronously:
>
> hci_hardware_error_evt()
>   hci_error_reset() (async)
>     hci_dev_do_close()
>       hci_dev_close_sync()
>         hdev->sent_cmd = NULL;
>
> As a result, a race condition exists between conn->disc_work execution
> and the reset path, which can lead to a NULL pointer dereference when
> hci_abort_conn() accesses hdev->sent_cmd.

The Sashiko review[1] looks correct.
The race window is invalid because hci_conn_hash_flush() synchronously
disables all conn->disc_work, so hci_abort_conn() cannot execute
concurrently with hdev->sent_cmd being cleared.

[1] https://sashiko.dev/#/patchset/20260617035421.341457-2-iam%40sung-woo.kim

[snip]

