Linux bluetooth development
* [PATCH v7 RESEND 0/1] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_sock_cleanup_listen()
@ 2026-05-20 16:38 Siwei Zhang
From: Siwei Zhang @ 2026-05-20 16:38 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: linux-bluetooth, Safa Karakuş, Siwei Zhang

Hi Bluetooth maintainers,

A public patch covering the same UAF in l2cap_sock_cleanup_listen() was posted to linux-bluetooth on April 28 
by Safa Karakuş. v4 is here:

https://lore.kernel.org/linux-bluetooth/AS8P250MB079109F82C16BEDC4F9FE584EB372@AS8P250MB0791.EURP250.PROD.OUTLOOK.COM/

I thank Safa for the report and patch. I had already reported the same issue privately to the maintainers on
April 11th. The public patch breaks the embargo and I would like to resend my patch here.

Safa's v4 closes the sk-lifetime hole (sock_hold inside bt_accept_dequeue) but does not take conn->lock around
l2cap_chan_close, so the conn->chan_l list-corruption race in my report is still open after it.

My patch closes both: it drops the parent sk_lock, acquires conn->lock → chan->lock in the established order
to serialize the chan_l mutation, and re-takes the parent sk_lock before returning.

Crash stack and C reproducers are available upon request, only for the maintainers.

Maintainers can also refer to the email thread [Bug] KASAN: slab-use-after-free Read in l2cap_security_cfm
sent to security@kernel.org on April 11th for more details.

Detailed Timeline:

April 11th: I privately reported the issue to the maintainers and security@kernel.org
April 12th: Patch v1
April 13th: Patch v2
April 13th: Patch v3
April 14th: Patch v4
April 15th: Patch v5
May 2nd: Patch v6
May 2nd: Patch v7
May 20th: Resend v7 with a cover letter

Best,
Siwei

Siwei Zhang (1):
  Bluetooth: L2CAP: Fix slab-use-after-free in
    l2cap_sock_cleanup_listen()

 net/bluetooth/l2cap_sock.c | 57 ++++++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 8 deletions(-)

-- 
2.54.0

