* [PATCH BlueZ 1/2] gatt-client: fix use-after-free
From: Lasse Dalegaard @ 2026-01-08 10:01 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Lasse Dalegaard
Clients with an acquired characteristic subscription would free the
client during disconnect. When notify_io_destroy then tries to remove
the client, it'll use-after-free.
Add another reference when allocating the notify_io and unref it again
in notify_io_destroy.
---
src/gatt-client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/gatt-client.c b/src/gatt-client.c
index 44ec95db0..374e67c34 100644
--- a/src/gatt-client.c
+++ b/src/gatt-client.c
@@ -1566,6 +1566,7 @@ static void notify_io_destroy(void *data)
if (queue_remove(client->chrc->notify_clients, client))
notify_client_unref(client);
+ notify_client_unref(client);
}
static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
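Review bot: the new `notify_client_unref(client);` at the end of notify_io_destroy is unconditional, so every sock_io whose `data` is a notify client must now own one reference of its own; that is true for the allocation changed in the second hunk, but any other path that stores a bare client pointer in `notify_io->data` would be over-released by this line. A one-line comment above the unref stating that the io holds its own reference (taken in characteristic_acquire_notify) would make that contract visible to the next editor. Note also that `queue_remove(client->chrc->notify_clients, client)` on the line above dereferences the client, which is only safe because that extra reference keeps it alive after the queue has dropped its own.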
@@ -1607,7 +1608,7 @@ static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
queue_push_tail(chrc->notify_clients, client);
chrc->notify_io = new0(struct sock_io, 1);
- chrc->notify_io->data = client;
+ chrc->notify_io->data = notify_client_ref(client);
chrc->notify_io->msg = dbus_message_ref(msg);
chrc->notify_io->destroy = notify_io_destroy;
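Review bot: `chrc->notify_io->data = notify_client_ref(client);` relies on notify_client_ref returning the pointer it was given, which is consistent with the ref/unref helpers used elsewhere in this hunk. The reference is taken two lines before `destroy` is assigned; if any failure path between those two assignments (or after this hunk) frees the sock_io without invoking its destroy callback, the reference taken here leaks, so the lines following this hunk are worth checking. Since notify_io_destroy now depends on this reference, the commit message should say explicitly that the io owns a client reference from this point on.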
--
2.52.0
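To make the lifecycle the commit message describes concrete, here is an added C model (not BlueZ code) of the two ownership schemes: the queue alone holding the client's only reference, versus the queue and the io each holding one. The names notify_client_ref, notify_client_unref, queue_remove and notify_io_destroy mirror the patch, but their bodies, the single static slot standing in for heap memory, and the disconnect ordering are constructed for the demonstration so that a use after free shows up as a flag rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the refcount lifecycle in the patch; not BlueZ code.
 * The client lives in one static slot so that touching it after its last
 * reference was dropped can be recorded instead of being undefined behaviour. */

struct notify_client {
	int ref;        /* reference count */
	bool freed;     /* set when the last reference is dropped (models free()) */
	bool in_queue;  /* stands in for membership of chrc->notify_clients */
};

struct sock_io {
	struct notify_client *data;
	void (*destroy)(struct sock_io *io);
};

/* What one disconnect sequence did. */
struct outcome {
	bool use_after_free;  /* destroy callback touched an already freed client */
	bool leaked;          /* client still alive after teardown finished */
};

static struct notify_client slot;
static bool uaf_seen;

static struct notify_client *notify_client_new(void)
{
	slot.ref = 1;           /* the reference owned by the notify queue */
	slot.freed = false;
	slot.in_queue = true;   /* queue_push_tail(chrc->notify_clients, client) */
	return &slot;
}

/* Returns its argument so it can be used inline, as in the patch. */
static struct notify_client *notify_client_ref(struct notify_client *c)
{
	if (c->freed)
		uaf_seen = true;
	c->ref++;
	return c;
}

static void notify_client_unref(struct notify_client *c)
{
	if (c->freed) {
		uaf_seen = true;
		return;
	}
	if (--c->ref == 0)
		c->freed = true;    /* models free(client) */
}

/* Models queue_remove(): true if the client was still queued. */
static bool queue_remove(struct notify_client *c)
{
	if (c->freed) {
		uaf_seen = true;    /* reading client->chrc from freed memory */
		return false;
	}
	bool was_queued = c->in_queue;
	c->in_queue = false;
	return was_queued;
}

/* Before the patch: only the queue's reference is ever released here. */
static void notify_io_destroy_old(struct sock_io *io)
{
	if (queue_remove(io->data))
		notify_client_unref(io->data);
}

/* After the patch: the io also releases the reference it took at setup. */
static void notify_io_destroy_new(struct sock_io *io)
{
	if (queue_remove(io->data))
		notify_client_unref(io->data);
	notify_client_unref(io->data);
}

/* Disconnect as the commit message describes it: the subscription queue is
 * cleared first (freeing the client if that was its last reference), and the
 * io is torn down afterwards. */
static void disconnect(struct notify_client *c, struct sock_io *io)
{
	if (queue_remove(c))
		notify_client_unref(c);
	io->destroy(io);
}

struct outcome run_disconnect(bool patched)
{
	uaf_seen = false;
	struct notify_client *c = notify_client_new();
	struct sock_io io;
	io.data = patched ? notify_client_ref(c) : c;   /* the patch's extra ref */
	io.destroy = patched ? notify_io_destroy_new : notify_io_destroy_old;
	disconnect(c, &io);
	/* c points at the static slot, so reading the model's flag is fine here. */
	struct outcome o = { uaf_seen, !c->freed };
	return o;
}

int main(void)
{
	struct outcome old = run_disconnect(false), fixed = run_disconnect(true);
	printf("unpatched: use_after_free=%d leaked=%d\n", old.use_after_free, old.leaked);
	printf("patched:   use_after_free=%d leaked=%d\n", fixed.use_after_free, fixed.leaked);
	return 0;
}
```

The unpatched sequence reports a use after free because notify_io_destroy runs after the queue has already dropped the client's only reference; the patched sequence reports neither a use after free nor a leak, which is the pair of properties a reviewer wants to see hold together.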
* [PATCH BlueZ 2/2] device: fix memory leak
From: Lasse Dalegaard @ 2026-01-08 10:01 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Lasse Dalegaard
device_add_eir_uuids creates a list of added UUIDs, but it was never
freed.
---
src/device.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/device.c b/src/device.c
index c8aaf042f..0842becde 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2453,6 +2453,7 @@ void device_add_eir_uuids(struct btd_device *dev, GSList *uuids)
}
device_probe_profiles(dev, added);
+ g_slist_free(added);
}
static void add_manufacturer_data(void *data, void *user_data)
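Review bot: `g_slist_free(added);` releases only the list nodes, not what they point to, so this is the right call only if the elements of `added` alias data owned elsewhere (for example the entries of `uuids` or the device's own UUID list); if `added` holds allocations made inside device_add_eir_uuids, g_slist_free_full with the matching destroy function is needed instead. The commit message should state which of the two it is, and, as requested in review, include the leak report that showed the missing free.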
--
2.52.0
* Re: [PATCH BlueZ 2/2] device: fix memory leak
From: Luiz Augusto von Dentz @ 2026-01-08 15:27 UTC (permalink / raw)
To: Lasse Dalegaard; +Cc: linux-bluetooth
Hi Lasse,
On Thu, Jan 8, 2026 at 7:29 AM Lasse Dalegaard <dalegaard@gmail.com> wrote:
>
> device_add_eir_uuids creates a list of added UUIDs, but it was never
> freed.
This seems valid, how did you find it though? I don't recall seeing it
with the likes of valgrind; anyway, it would be great to have the
information on how this was detected.
> ---
> src/device.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/device.c b/src/device.c
> index c8aaf042f..0842becde 100644
> --- a/src/device.c
> +++ b/src/device.c
> @@ -2453,6 +2453,7 @@ void device_add_eir_uuids(struct btd_device *dev, GSList *uuids)
> }
>
> device_probe_profiles(dev, added);
> + g_slist_free(added);
> }
>
> static void add_manufacturer_data(void *data, void *user_data)
> --
> 2.52.0
>
>
--
Luiz Augusto von Dentz
* Re: [PATCH BlueZ 2/2] device: fix memory leak
From: Lasse Dalegaard @ 2026-01-08 18:50 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
On Thu, Jan 8, 2026 at 4:28 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Lasse,
>
> On Thu, Jan 8, 2026 at 7:29 AM Lasse Dalegaard <dalegaard@gmail.com> wrote:
> >
> > device_add_eir_uuids creates a list of added UUIDs, but it was never
> > freed.
>
> This seems valid, how did you find it though? I don't recall seeing it
> with the likes of valgrind; anyway, it would be great to have the
> information on how this was detected.
This was detected with the address sanitizer leak checker.
>
> > ---
> > src/device.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/src/device.c b/src/device.c
> > index c8aaf042f..0842becde 100644
> > --- a/src/device.c
> > +++ b/src/device.c
> > @@ -2453,6 +2453,7 @@ void device_add_eir_uuids(struct btd_device *dev, GSList *uuids)
> > }
> >
> > device_probe_profiles(dev, added);
> > + g_slist_free(added);
> > }
> >
> > static void add_manufacturer_data(void *data, void *user_data)
> > --
> > 2.52.0
> >
> >
>
>
> --
> Luiz Augusto von Dentz
Best regards,
Lasse
* Re: [PATCH BlueZ 2/2] device: fix memory leak
From: Luiz Augusto von Dentz @ 2026-01-08 19:08 UTC (permalink / raw)
To: Lasse Dalegaard; +Cc: linux-bluetooth
Hi Lasse,
On Thu, Jan 8, 2026 at 1:50 PM Lasse Dalegaard <dalegaard@gmail.com> wrote:
>
> Hi Luiz,
>
> On Thu, Jan 8, 2026 at 4:28 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Lasse,
> >
> > On Thu, Jan 8, 2026 at 7:29 AM Lasse Dalegaard <dalegaard@gmail.com> wrote:
> > >
> > > device_add_eir_uuids creates a list of added UUIDs, but it was never
> > > freed.
> >
> > This seems valid, how did you find it though? I don't recall seeing it
> > with the likes of valgrind; anyway, it would be great to have the
> > information on how this was detected.
>
> This was detected with the address sanitizer leak checker.
Interesting, I haven't seen it although I have the sanitizer
enabled, I think, but anyway it seems to be correct; do add its output
though, so that in case someone e.g. googles for it, it shows up in the git
commit message.
> >
> > > ---
> > > src/device.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/src/device.c b/src/device.c
> > > index c8aaf042f..0842becde 100644
> > > --- a/src/device.c
> > > +++ b/src/device.c
> > > @@ -2453,6 +2453,7 @@ void device_add_eir_uuids(struct btd_device *dev, GSList *uuids)
> > > }
> > >
> > > device_probe_profiles(dev, added);
> > > + g_slist_free(added);
> > > }
> > >
> > > static void add_manufacturer_data(void *data, void *user_data)
> > > --
> > > 2.52.0
> > >
> > >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
> Best regards,
> Lasse
--
Luiz Augusto von Dentz
* RE: [BlueZ,1/2] gatt-client: fix use-after-free
From: bluez.test.bot @ 2026-01-08 11:10 UTC (permalink / raw)
To: linux-bluetooth, dalegaard
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1039830
---Test result---
Test Summary:
CheckPatch PENDING 0.38 seconds
GitLint PENDING 0.33 seconds
BuildEll PASS 17.55 seconds
BluezMake PASS 600.91 seconds
MakeCheck PASS 21.64 seconds
MakeDistcheck PASS 218.34 seconds
CheckValgrind PASS 287.53 seconds
CheckSmatch PASS 313.91 seconds
bluezmakeextell PASS 167.39 seconds
IncrementalBuild PENDING 0.40 seconds
ScanBuild PASS 921.61 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ 1/2] gatt-client: fix use-after-free
From: Luiz Augusto von Dentz @ 2026-01-08 15:23 UTC (permalink / raw)
To: Lasse Dalegaard; +Cc: linux-bluetooth
Hi Lasse,
On Thu, Jan 8, 2026 at 5:56 AM Lasse Dalegaard <dalegaard@gmail.com> wrote:
>
> Clients with an acquired characteristic subscription would free the
> client during disconnect. When notify_io_destroy then tries to remove
> the client, it'll use-after-free.
>
> Add another reference when allocating the notify_io and unref it again
> in notify_io_destroy.
Please add a backtrace to the patch description.
> ---
> src/gatt-client.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/gatt-client.c b/src/gatt-client.c
> index 44ec95db0..374e67c34 100644
> --- a/src/gatt-client.c
> +++ b/src/gatt-client.c
> @@ -1566,6 +1566,7 @@ static void notify_io_destroy(void *data)
>
> if (queue_remove(client->chrc->notify_clients, client))
> notify_client_unref(client);
> + notify_client_unref(client);
> }
>
> static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
> @@ -1607,7 +1608,7 @@ static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
> queue_push_tail(chrc->notify_clients, client);
>
> chrc->notify_io = new0(struct sock_io, 1);
> - chrc->notify_io->data = client;
> + chrc->notify_io->data = notify_client_ref(client);
> chrc->notify_io->msg = dbus_message_ref(msg);
> chrc->notify_io->destroy = notify_io_destroy;
>
> --
> 2.52.0
>
>
--
Luiz Augusto von Dentz
* Re: [PATCH BlueZ 1/2] gatt-client: fix use-after-free
From: Lasse Dalegaard @ 2026-01-08 18:46 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
On Thu, Jan 8, 2026 at 4:23 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Lasse,
>
> On Thu, Jan 8, 2026 at 5:56 AM Lasse Dalegaard <dalegaard@gmail.com> wrote:
> >
> > Clients with an acquired characteristic subscription would free the
> > client during disconnect. When notify_io_destroy then tries to remove
> > the client, it'll use-after-free.
> >
> > Add another reference when allocating the notify_io and unref it again
> > in notify_io_destroy.
>
> Please add a backtrace to the patch description.
Are you looking for backtraces on how this was discovered or something else?
There could be multiple paths that cause the use-after-free.
>
> > ---
> > src/gatt-client.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/gatt-client.c b/src/gatt-client.c
> > index 44ec95db0..374e67c34 100644
> > --- a/src/gatt-client.c
> > +++ b/src/gatt-client.c
> > @@ -1566,6 +1566,7 @@ static void notify_io_destroy(void *data)
> >
> > if (queue_remove(client->chrc->notify_clients, client))
> > notify_client_unref(client);
> > + notify_client_unref(client);
> > }
> >
> > static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
> > @@ -1607,7 +1608,7 @@ static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
> > queue_push_tail(chrc->notify_clients, client);
> >
> > chrc->notify_io = new0(struct sock_io, 1);
> > - chrc->notify_io->data = client;
> > + chrc->notify_io->data = notify_client_ref(client);
> > chrc->notify_io->msg = dbus_message_ref(msg);
> > chrc->notify_io->destroy = notify_io_destroy;
> >
> > --
> > 2.52.0
> >
> >
>
>
> --
> Luiz Augusto von Dentz
Best regards,
Lasse
* Re: [PATCH BlueZ 1/2] gatt-client: fix use-after-free
From: Luiz Augusto von Dentz @ 2026-01-08 19:06 UTC (permalink / raw)
To: Lasse Dalegaard; +Cc: linux-bluetooth
Hi Lasse,
On Thu, Jan 8, 2026 at 1:46 PM Lasse Dalegaard <dalegaard@gmail.com> wrote:
>
> Hi Luiz,
>
> On Thu, Jan 8, 2026 at 4:23 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Lasse,
> >
> > On Thu, Jan 8, 2026 at 5:56 AM Lasse Dalegaard <dalegaard@gmail.com> wrote:
> > >
> > > Clients with an acquired characteristic subscription would free the
> > > client during disconnect. When notify_io_destroy then tries to remove
> > > the client, it'll use-after-free.
> > >
> > > Add another reference when allocating the notify_io and unref it again
> > > in notify_io_destroy.
> >
> > Please add a backtrace to the patch description.
>
> Are you looking for backtraces on how this was discovered or something else?
> There could be multiple paths that cause the use-after-free.
How you discovered it
> >
> > > ---
> > > src/gatt-client.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/src/gatt-client.c b/src/gatt-client.c
> > > index 44ec95db0..374e67c34 100644
> > > --- a/src/gatt-client.c
> > > +++ b/src/gatt-client.c
> > > @@ -1566,6 +1566,7 @@ static void notify_io_destroy(void *data)
> > >
> > > if (queue_remove(client->chrc->notify_clients, client))
> > > notify_client_unref(client);
> > > + notify_client_unref(client);
> > > }
> > >
> > > static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
> > > @@ -1607,7 +1608,7 @@ static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
> > > queue_push_tail(chrc->notify_clients, client);
> > >
> > > chrc->notify_io = new0(struct sock_io, 1);
> > > - chrc->notify_io->data = client;
> > > + chrc->notify_io->data = notify_client_ref(client);
> > > chrc->notify_io->msg = dbus_message_ref(msg);
> > > chrc->notify_io->destroy = notify_io_destroy;
> > >
> > > --
> > > 2.52.0
> > >
> > >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
> Best regards,
> Lasse
--
Luiz Augusto von Dentz
* Re: [PATCH BlueZ 1/2] gatt-client: fix use-after-free
From: patchwork-bot+bluetooth @ 2026-01-09 22:40 UTC (permalink / raw)
To: Lasse Dalegaard; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 8 Jan 2026 11:01:35 +0100 you wrote:
> Clients with an acquired characteristic subscription would free the
> client during disconnect. When notify_io_destroy then tries to remove
> the client, it'll use-after-free.
>
> Add another reference when allocating the notify_io and unref it again
> in notify_io_destroy.
>
> [...]
Here is the summary with links:
- [BlueZ,1/2] gatt-client: fix use-after-free
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=a94f994201a6
- [BlueZ,2/2] device: fix memory leak
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=024b148d73ae
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html