From: patchwork-bot+bluetooth@kernel.org
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
Date: Fri, 06 Mar 2026 18:40:04 +0000
Message-ID: <177282240479.8285.6260187669488887341.git-patchwork-notify@kernel.org>
In-Reply-To: <20260306023155.554597-1-luiz.dentz@gmail.com>

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 5 Mar 2026 21:31:55 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following trace caused by not dropping l2cap_conn
> reference when user->remove callback is called:
>
> [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 97.809947] Call Trace:
> [ 97.809954] <TASK>
> [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> [ 97.810404] __fput (fs/file_table.c:470)
> [ 97.810430] task_work_run (kernel/task_work.c:235)
> [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> [ 97.810527] do_exit (kernel/exit.c:972)
> [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 97.810721] do_group_exit (kernel/exit.c:1093)
> [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810826] ? vfs_read (fs/read_write.c:555)
> [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811078] ? ksys_read (fs/read_write.c:707)
> [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 97.811338] RIP: 0033:0x445cfe
> [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
>
> [...]

Here is the summary with links:
  - [v1] Bluetooth: HIDP: Fix possible UAF
    https://git.kernel.org/bluetooth/bluetooth-next/c/708efc5f2338

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html