Linux bluetooth development
From: Siwei Zhang <oss@fourdim.xyz>
To: Marcel Holtmann <marcel@holtmann.org>,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org,
	"Safa Karakuş" <safa.karakus@secunnix.com>,
	"Siwei Zhang" <oss@fourdim.xyz>
Subject: [PATCH v7 RESEND 0/1] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_sock_cleanup_listen()
Date: Wed, 20 May 2026 12:38:16 -0400
Message-ID: <20260520163859.2859782-1-oss@fourdim.xyz>

Hi Bluetooth maintainers,

A public patch covering the same UAF in l2cap_sock_cleanup_listen() was posted to linux-bluetooth on April 28
by Safa Karakuş. v4 is here:

https://lore.kernel.org/linux-bluetooth/AS8P250MB079109F82C16BEDC4F9FE584EB372@AS8P250MB0791.EURP250.PROD.OUTLOOK.COM/

I thank Safa for the report and patch. I already reported the same issue privately to the maintainers on
April 11th. The public patch breaks the embargo, and I would like to resend my patch here.

Safa's v4 closes the sk-lifetime hole (sock_hold inside bt_accept_dequeue) but does not take conn->lock around
l2cap_chan_close, so the conn->chan_l list-corruption race in my report is still open after it.

My patch closes both: it drops the parent sk_lock, acquires conn->lock → chan->lock in the established order
to serialize the chan_l mutation, and re-takes the parent sk_lock before returning.

Crash stack and C reproducers are available upon request, only for the maintainers.

Maintainers can also refer to the email thread [Bug] KASAN: slab-use-after-free Read in l2cap_security_cfm
sent to security@kernel.org on April 11th for more details.

Detailed Timeline:

April 11th: I privately reported the issue to the maintainers and security@kernel.org
April 12th: Patch v1
April 13th: Patch v2
April 13th: Patch v3
April 14th: Patch v4
April 15th: Patch v5
May 2nd: Patch v6
May 2nd: Patch v7
May 20th: Resend v7 with a cover letter

Best,
Siwei

Siwei Zhang (1):
  Bluetooth: L2CAP: Fix slab-use-after-free in
    l2cap_sock_cleanup_listen()

 net/bluetooth/l2cap_sock.c | 57 ++++++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 8 deletions(-)

-- 
2.54.0
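The cover letter describes the locking sequence of the fix: drop the parent sk_lock, take conn->lock and then chan->lock in the established order so the conn->chan_l mutation is serialized, and re-take the parent sk_lock before returning. The following is an added, single-threaded user-space model of that ordering written for this page; it is not the kernel patch and not code from either reporter. Locks are plain flags, the struct and field names (sk_lock, conn->lock, chan->lock, conn->chan_l, accept_q) are assumptions chosen to mirror the names in the text, and the three-channel setup in run_model() is constructed sample data. A small tracker counts two things a practitioner would check when reviewing such a change: taking chan->lock while conn->lock is not held (an ordering violation) and re-taking a lock that is already held (which would deadlock a real mutex). A constructed contrast routine, cleanup_listen_unordered(), shows what the tracker reports when conn->lock is skipped.

```c
#include <string.h>

/* Added example, not the kernel patch: a single-threaded model of the lock
 * ordering described in the cover letter.  A lock is a plain flag; taking a
 * lock that is already held would deadlock a real mutex, so it is counted.
 * Names mirror the text (sk_lock, conn->lock, chan->lock, conn->chan_l) but
 * are assumptions of this model. */
struct lk { int locked; };

struct conn;
struct chan  { struct lk lock; struct conn *conn; struct chan *next; int closed; };
struct conn  { struct lk lock; struct chan *chan_l; };      /* chan_l guarded by lock */
struct lsock { struct lk sk_lock; struct chan *accept_q[8]; int nq; };

static int self_deadlocks;    /* lock() called on a lock already held */
static int order_violations;  /* chan->lock taken while conn->lock not held */

static void lock(struct lk *l)   { if (l->locked) self_deadlocks++; l->locked = 1; }
static void unlock(struct lk *l) { l->locked = 0; }

/* Established order: conn->lock must already be held when chan->lock is taken. */
static void chan_lock(struct chan *c)
{
    if (!c->conn->lock.locked)
        order_violations++;
    lock(&c->lock);
}

/* Unlink c from conn->chan_l.  Caller holds conn->lock and chan->lock. */
static void chan_close(struct chan *c)
{
    struct chan **pp = &c->conn->chan_l;
    while (*pp && *pp != c)
        pp = &(*pp)->next;
    if (*pp)
        *pp = c->next;
    c->closed = 1;
}

/* Drain the listen accept queue in the order the text describes: drop the
 * parent sk_lock, take conn->lock then chan->lock, close the channel,
 * release both, re-take the parent sk_lock.  Returns channels closed. */
int cleanup_listen(struct lsock *parent)
{
    int closed = 0;

    lock(&parent->sk_lock);
    while (parent->nq > 0) {
        struct chan *c = parent->accept_q[--parent->nq];

        unlock(&parent->sk_lock);  /* drop parent sk_lock */
        lock(&c->conn->lock);      /* conn->lock first ... */
        chan_lock(c);              /* ... then chan->lock */
        chan_close(c);             /* chan_l mutation is serialized */
        unlock(&c->lock);
        unlock(&c->conn->lock);
        lock(&parent->sk_lock);    /* re-take parent sk_lock */
        closed++;
    }
    unlock(&parent->sk_lock);
    return closed;
}

/* Constructed contrast: close the channels without ever taking conn->lock.
 * The list is still unlinked, but the tracker flags every chan->lock. */
int cleanup_listen_unordered(struct lsock *parent)
{
    int closed = 0;

    lock(&parent->sk_lock);
    while (parent->nq > 0) {
        struct chan *c = parent->accept_q[--parent->nq];

        chan_lock(c);
        chan_close(c);
        unlock(&c->lock);
        closed++;
    }
    unlock(&parent->sk_lock);
    return closed;
}

static int chan_list_len(const struct conn *cn)
{
    int n = 0;
    for (const struct chan *c = cn->chan_l; c; c = c->next)
        n++;
    return n;
}

struct result { int closed; int remaining; int violations; int deadlocks; };

/* Constructed sample: one conn with three channels queued on a listening
 * socket.  ordered != 0 runs cleanup_listen(), otherwise the contrast. */
struct result run_model(int ordered)
{
    static struct conn cn;
    static struct chan ch[3];
    static struct lsock parent;
    struct result r;

    memset(&cn, 0, sizeof cn);
    memset(ch, 0, sizeof ch);
    memset(&parent, 0, sizeof parent);
    self_deadlocks = order_violations = 0;
    for (int i = 0; i < 3; i++) {
        ch[i].conn = &cn;
        ch[i].next = cn.chan_l;
        cn.chan_l = &ch[i];
        parent.accept_q[parent.nq++] = &ch[i];
    }
    r.closed = ordered ? cleanup_listen(&parent) : cleanup_listen_unordered(&parent);
    r.remaining = chan_list_len(&cn);
    r.violations = order_violations;
    r.deadlocks = self_deadlocks;
    return r;
}
```

Running run_model(1) closes all three channels with no ordering violations and no re-lock of a held lock; run_model(0) also empties the list but reports one violation per channel, which is the kind of signal a lock-order checker such as lockdep would raise on a real kernel when the established conn->lock → chan->lock order is not followed.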


Thread overview: 7+ messages
2026-05-20 16:38 Siwei Zhang [this message]
2026-05-20 16:38 ` [PATCH v7 RESEND 1/1] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_sock_cleanup_listen() Siwei Zhang
2026-05-20 18:08   ` bluez.test.bot
2026-05-20 18:26 ` [PATCH v7 RESEND 0/1] " Luiz Augusto von Dentz
2026-05-20 18:56   ` Siwei Zhang
2026-05-20 19:40     ` Luiz Augusto von Dentz
2026-05-20 20:08       ` Siwei Zhang
