Linux bluetooth development
* [PATCH v1] gatt-client: Fix use-after-free caused by reentrant client teardown
@ 2026-04-29 11:48 Jinwang Li
  2026-04-29 12:41 ` [v1] " bluez.test.bot
  2026-04-30 19:00 ` [PATCH v1] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Jinwang Li @ 2026-04-29 11:48 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: cheng.jiang, quic_chezhou, wei.deng, shuai.zhang, mengshi.wu,
	jinwang.li

btd_gatt_client_service_removed() can be called reentrantly via
bt_gatt_client_unref() after the services queue has already been freed,
resulting in a use-after-free.

Reset client->ready to false before destroying the services queue to
prevent reentrant calls from dereferencing freed memory.

This was found with the following backtrace:

    #0  match_service_handle ()
    #1  queue_remove_if ()
    #2  queue_remove_all ()
    #3  btd_gatt_client_service_removed ()
    #4  gatt_service_removed ()
    #5  handle_notify ()
    #6  queue_foreach ()
    #7  notify_service_changed ()
    #8  gatt_db_service_destroy ()
    #9  queue_remove_all ()
    #10 gatt_db_clear_range ()
    #11 service_changed_failure ()
    #12 discovery_op_unref ()
    #13 bt_gatt_request_unref ()
    #14 bt_gatt_client_cancel_all ()
    #15 bt_gatt_client_free ()
    #16 bt_gatt_client_unref ()
    #17 bt_gatt_client_free ()
    #18 bt_gatt_client_unref ()
    #19 btd_gatt_client_destroy ()
    #20 device_free ()

Signed-off-by: Jinwang Li <jinwang.li@oss.qualcomm.com>
---
 src/gatt-client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gatt-client.c b/src/gatt-client.c
index 374e67c34..3baf95c4f 100644
--- a/src/gatt-client.c
+++ b/src/gatt-client.c
@@ -2261,6 +2261,8 @@ void btd_gatt_client_destroy(struct btd_gatt_client *client)
 	if (!client)
 		return;
 
+	client->ready = false;
+
 	queue_destroy(client->services, unregister_service);
 	queue_destroy(client->all_notify_clients, NULL);
 	queue_destroy(client->ios, NULL);
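Review bot: the two added lines only protect against the reentrant call if btd_gatt_client_service_removed() (and any other callback reached from the later bt_gatt_client_unref() in the backtrace) actually tests client->ready before touching client->services, and that check is not part of this hunk; the commit message should say where ready is consulted so a reviewer can confirm the guard is complete. Independently, `queue_destroy(client->services, unregister_service);` leaves client->services dangling for the rest of the function; adding `client->services = NULL;` right after it would give any path that bypasses the ready check a NULL to trip over instead of freed memory.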
-- 
2.34.1

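The following is an added example, not BlueZ code and not part of the patch above. It models the teardown order the backtrace shows: the services queue is destroyed first, and a later unref of the lower-level client clears the gatt db, which calls service_removed() back into the same btd client. The helpers (queue_push, queue_remove_handle, run_teardown and friends) are hypothetical stand-ins, and the early return on `!client->ready` in client_service_removed() is an assumption about where the flag set by the patch is checked. "Freed" objects are only marked dead so the stale access can be counted instead of being undefined behaviour.

```c
/* Added example, not BlueZ code: a model of the teardown order in the
 * patch's backtrace. btd_gatt_client_destroy() destroys the services queue
 * first; the later bt_gatt_client_unref() clears the gatt db, which calls
 * service_removed() back into the same btd client after its queue is gone.
 * "Freed" objects are only marked dead so the stale access can be counted
 * instead of being undefined behaviour. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_SERVICES 8

struct service { int handle; bool alive; };

struct queue {
	struct service items[MAX_SERVICES];
	size_t count;
	bool alive;			/* false once queue_destroy() has run */
};

struct client {
	bool ready;			/* mirrors client->ready in gatt-client.c */
	struct queue *services;
	int stale_touches;		/* dead objects touched by reentrant calls */
	int guarded_calls;		/* reentrant calls stopped by the ready check */
};

struct teardown_result { int stale_touches, guarded_calls; };

static void queue_push(struct queue *q, int handle)
{
	if (q->count >= MAX_SERVICES)
		return;
	q->items[q->count].handle = handle;
	q->items[q->count].alive = true;
	q->count++;
}

/* Stands in for queue_remove_all(services, match_service_handle, ...);
 * returns how many dead objects the walk touched (0 means it was safe). */
static int queue_remove_handle(struct queue *q, int handle)
{
	int stale = q->alive ? 0 : 1;		/* the queue allocation itself */

	for (size_t i = 0; i < q->count; i++) {
		if (!q->items[i].alive)
			stale++;
		else if (q->items[i].handle == handle)
			q->items[i].alive = false;	/* removed */
	}
	return stale;
}

/* Stands in for queue_destroy(client->services, unregister_service). */
static void queue_destroy(struct queue *q)
{
	for (size_t i = 0; i < q->count; i++)
		q->items[i].alive = false;
	q->alive = false;
}

/* Stands in for btd_gatt_client_service_removed(). The early return on
 * !ready is an assumption: it is the check the patch's ready = false is
 * meant to feed, and it is not part of the hunk. */
static void client_service_removed(struct client *client, int handle)
{
	if (!client->ready) {
		client->guarded_calls++;
		return;
	}
	client->stale_touches += queue_remove_handle(client->services, handle);
}

/* Stands in for bt_gatt_client_unref() -> ... -> gatt_db_clear_range():
 * dropping the db reports the removal of every service it still holds. */
static void gatt_client_unref(struct client *owner, const int *handles, size_t n)
{
	for (size_t i = 0; i < n; i++)
		client_service_removed(owner, handles[i]);
}

/* Runs the btd_gatt_client_destroy() sequence with or without the fix. */
static struct teardown_result run_teardown(bool apply_fix)
{
	static const int handles[] = { 0x0001, 0x0010, 0x0020 };	/* constructed */
	struct queue q = { .count = 0, .alive = true };
	struct client client = { .ready = true, .services = &q };
	struct teardown_result res;

	for (size_t i = 0; i < 3; i++)
		queue_push(&q, handles[i]);

	if (apply_fix)
		client.ready = false;		/* the two lines the patch adds */
	queue_destroy(client.services);
	gatt_client_unref(&client, handles, 3);	/* reentrant service_removed() */

	res.stale_touches = client.stale_touches;
	res.guarded_calls = client.guarded_calls;
	return res;
}
```

Without the flag, every notification delivered during the later unref walks the already-destroyed queue (each walk touches the dead queue plus its three dead entries); with `ready` cleared first, the same three notifications return before touching the queue. The model also makes the reviewer's point visible: the flag is only as good as the checks that consult it, so nulling the pointer after destruction remains a cheap second line of defence.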


* RE: [v1] gatt-client: Fix use-after-free caused by reentrant client teardown
@ 2026-04-29 12:41 ` bluez.test.bot
From: bluez.test.bot @ 2026-04-29 12:41 UTC (permalink / raw)
  To: linux-bluetooth, jinwang.li


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1087435

---Test result---

Test Summary:
CheckPatch                    PASS      0.39 seconds
GitLint                       PASS      0.32 seconds
BuildEll                      PASS      20.12 seconds
BluezMake                     PASS      587.78 seconds
CheckSmatch                   PASS      319.98 seconds
bluezmakeextell               PASS      163.68 seconds
IncrementalBuild              PASS      595.61 seconds
ScanBuild                     PASS      903.06 seconds



https://github.com/bluez/bluez/pull/2084

---
Regards,
Linux Bluetooth



* Re: [PATCH v1] gatt-client: Fix use-after-free caused by reentrant client teardown
@ 2026-04-30 19:00 ` patchwork-bot+bluetooth
From: patchwork-bot+bluetooth @ 2026-04-30 19:00 UTC (permalink / raw)
  To: Jinwang Li
  Cc: linux-bluetooth, cheng.jiang, quic_chezhou, wei.deng, shuai.zhang,
	mengshi.wu

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 29 Apr 2026 19:48:06 +0800 you wrote:
> btd_gatt_client_service_removed() can be called reentrantly via
> bt_gatt_client_unref() after the services queue has already been freed,
> resulting in a use-after-free.
> 
> Reset client->ready to false before destroying the services queue to
> prevent reentrant calls from dereferencing freed memory.
> 
> [...]

Here is the summary with links:
  - [v1] gatt-client: Fix use-after-free caused by reentrant client teardown
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=d01616f0c276

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


