* [PATCH] Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
@ 2025-07-07 19:28 Kuniyuki Iwashima
From: Kuniyuki Iwashima @ 2025-07-07 19:28 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: Kuniyuki Iwashima, Kuniyuki Iwashima, linux-bluetooth,
syzbot+e4d73b165c3892852d22
syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]

l2cap_sock_resume_cb() has a similar problem that was fixed by commit
1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").

Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed
under l2cap_sock_resume_cb(), we can avoid the issue simply by checking
if chan->data is NULL.

Let's not access the killed socket in l2cap_sock_resume_cb().
[0]:
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci0 hci_rx_work
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_report+0x58/0x84 mm/kasan/report.c:524
kasan_report+0xb0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
__kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
instrument_atomic_write include/linux/instrumented.h:82 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357
hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]
hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514
hci_event_func net/bluetooth/hci_event.c:7511 [inline]
hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565
hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070
process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3402
kthread+0x5fc/0x75c kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
Fixes: d97c899bde33 ("Bluetooth: Introduce L2CAP channel callback for resuming")
Reported-by: syzbot+e4d73b165c3892852d22@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/686c12bd.a70a0220.29fe6c.0b13.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 5aa55fa69594..82d943c4cb50 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1703,6 +1703,9 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
{
struct sock *sk = chan->data;
+ if (!sk)
+ return;
+
if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
sk->sk_state = BT_CONNECTED;
chan->state = BT_CONNECTED;
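Review bot: the new `if (!sk) return;` reads chan->data with nothing in the hunk or the commit message saying what orders that read against l2cap_sock_kill() clearing the pointer; the message's "both ... are executed under l2cap_sock_resume_cb()" is circular and should name the actual lock or context (the trace shows the callback running from hci_rx_work via l2cap_security_cfm()), otherwise a reader cannot tell whether this check closes the race or only narrows it. A one-line comment on the early return would also help, since returning before test_and_clear_bit() deliberately leaves FLAG_PENDING_SECURITY set on a channel whose socket is already gone.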
--
2.50.0.727.gbf7dc18ff4-goog
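To make the failure mode concrete outside the kernel, here is a constructed user-space model of the race the report describes (added example, not code from the patch or the kernel): the `struct sock`, `struct l2cap_chan`, flag values and the `model_*` functions are assumptions that mirror only the control flow visible in the hunk above.

```c
#include <stddef.h>
/* Constructed user-space model of the objects involved, not the kernel's
 * definitions: just enough structure to exercise the callback's control flow.
 * chan->data is the owning sock and is cleared when the socket is killed. */
#define FLAG_PENDING_SECURITY 0
enum { BT_CONNECTED = 1, BT_CLOSED = 9 };
struct sock { int sk_state; };
struct l2cap_chan { void *data; unsigned long flags; int state; };

/* Atomic in the kernel; a plain read-modify-write is fine in this model. */
static int test_and_clear_bit(int nr, unsigned long *addr)
{
	unsigned long mask = 1UL << nr;
	int was_set = (*addr & mask) != 0;
	*addr &= ~mask;
	return was_set;
}

/* Models l2cap_sock_kill(): the sock goes away and chan->data is cleared,
 * but the channel stays reachable through its callbacks. */
static void model_l2cap_sock_kill(struct l2cap_chan *chan)
{
	chan->data = NULL;
	chan->state = BT_CLOSED;
}

/* Models the patched l2cap_sock_resume_cb(). Return value added for testing:
 * -1 killed socket (early return), 1 promoted to BT_CONNECTED, 0 nothing pending.
 * Without the NULL check the -1 path would write sk->sk_state through NULL. */
static int model_l2cap_sock_resume_cb(struct l2cap_chan *chan)
{
	struct sock *sk = chan->data;
	if (!sk)
		return -1;
	if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
		sk->sk_state = BT_CONNECTED;
		chan->state = BT_CONNECTED;
		return 1;
	}
	return 0;
}

/* Scenario from the report: security completes after the socket was killed. */
static int scenario_resume_after_kill(void)
{
	struct sock sk = { 0 };
	struct l2cap_chan chan = { &sk, 1UL << FLAG_PENDING_SECURITY, 0 };
	model_l2cap_sock_kill(&chan);
	return model_l2cap_sock_resume_cb(&chan);
}
```

In the killed scenario the pending-security flag stays set because the callback returns before `test_and_clear_bit()`, which is exactly the state the patched kernel function leaves behind.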
* RE: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
From: bluez.test.bot @ 2025-07-07 19:57 UTC (permalink / raw)
To: linux-bluetooth, kuniyu
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=979801
---Test result---
Test Summary:
CheckPatch PENDING 0.30 seconds
GitLint PENDING 0.26 seconds
SubjectPrefix PASS 0.10 seconds
BuildKernel PASS 23.94 seconds
CheckAllWarning PASS 26.39 seconds
CheckSparse PASS 29.65 seconds
BuildKernel32 PASS 23.90 seconds
TestRunnerSetup PASS 465.98 seconds
TestRunner_l2cap-tester PASS 25.07 seconds
TestRunner_iso-tester PASS 35.76 seconds
TestRunner_bnep-tester PASS 5.84 seconds
TestRunner_mgmt-tester FAIL 133.92 seconds
TestRunner_rfcomm-tester PASS 9.22 seconds
TestRunner_sco-tester PASS 14.65 seconds
TestRunner_ioctl-tester PASS 9.93 seconds
TestRunner_mesh-tester FAIL 11.34 seconds
TestRunner_smp-tester PASS 8.46 seconds
TestRunner_userchan-tester PASS 6.20 seconds
IncrementalBuild PENDING 0.48 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 484 (98.8%), Failed: 2, Not Run: 4
Failed Test Cases
LL Privacy - Add Device 3 (AL is full) Failed 0.221 seconds
LL Privacy - Set Flags 3 (2 Devices to RL) Failed 0.203 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.180 seconds
Mesh - Send cancel - 2 Timed out 2.001 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
From: patchwork-bot+bluetooth @ 2025-07-08 21:00 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: marcel, johan.hedberg, luiz.dentz, kuni1840, linux-bluetooth,
syzbot+e4d73b165c3892852d22
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 7 Jul 2025 19:28:29 +0000 you wrote:
> syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]
>
> l2cap_sock_resume_cb() has a similar problem that was fixed by commit
> 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").
>
> Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed
> under l2cap_sock_resume_cb(), we can avoid the issue simply by checking
> if chan->data is NULL.
>
> [...]
Here is the summary with links:
- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
https://git.kernel.org/bluetooth/bluetooth-next/c/3092dfdfc57c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html