From: Siwei Zhang <oss@fourdim.xyz>
To: Marcel Holtmann <marcel@holtmann.org>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org,
"Safa Karakuş" <safa.karakus@secunnix.com>,
"Siwei Zhang" <oss@fourdim.xyz>
Subject: [PATCH v7 RESEND 0/1] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_sock_cleanup_listen()
Date: Wed, 20 May 2026 12:38:16 -0400
Message-ID: <20260520163859.2859782-1-oss@fourdim.xyz>
Hi Bluetooth maintainers,
A public patch covering the same UAF in l2cap_sock_cleanup_listen() was posted to linux-bluetooth on April 28
by Safa Karakuş. v4 is here:
https://lore.kernel.org/linux-bluetooth/AS8P250MB079109F82C16BEDC4F9FE584EB372@AS8P250MB0791.EURP250.PROD.OUTLOOK.COM/
I thank Safa for the report and patch. I had already reported the same issue privately to the maintainers on
April 11th. The public patch breaks the embargo, and I would like to resend my patch here.
Safa's v4 closes the sk-lifetime hole (sock_hold inside bt_accept_dequeue) but does not take conn->lock around
l2cap_chan_close, so the conn->chan_l list-corruption race in my report is still open after it.
My patch closes both: it drops the parent sk_lock, acquires conn->lock → chan->lock in the established order
to serialize the chan_l mutation, and re-takes the parent sk_lock before returning.
Crash stack and C reproducers are available upon request, only for the maintainers.
Maintainers can also refer to the email thread [Bug] KASAN: slab-use-after-free Read in l2cap_security_cfm
sent to security@kernel.org on April 11th for more details.
Detailed Timeline:
April 11th: I privately reported the issue to the maintainers and security@kernel.org
April 12th: Patch v1
April 13th: Patch v2
April 13th: Patch v3
April 14th: Patch v4
April 15th: Patch v5
May 2nd: Patch v6
May 2nd: Patch v7
May 20th: Resend v7 with a cover letter
Best,
Siwei
Siwei Zhang (1):
Bluetooth: L2CAP: Fix slab-use-after-free in
l2cap_sock_cleanup_listen()
net/bluetooth/l2cap_sock.c | 57 ++++++++++++++++++++++++++++++++------
1 file changed, 49 insertions(+), 8 deletions(-)
--
2.54.0