From: Xiang Mei <xmei5@asu.edu>
To: Marcel Holtmann <marcel@holtmann.org>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Weiming Shi <bestswngs@gmail.com>, Xiang Mei <xmei5@asu.edu>
Subject: [PATCH bluetooth] Bluetooth: hci_sync: take hci_dev_lock in hci_clear_adv_instance_sync
Date: Fri, 3 Jul 2026 16:43:50 -0700
Message-ID: <20260703234350.225221-1-xmei5@asu.edu>
hci_clear_adv_instance_sync() runs on the cmd_sync worker without
hdev->lock, yet walks hdev->adv_instances and calls
hci_remove_adv_instance()/hci_find_adv_instance()/hci_get_next_instance(),
all of which require hdev->lock. The list is otherwise serialized by
hdev->lock (add/remove_advertising mutate it, read_adv_features()
traverses it), so a concurrent holder can list_del()+kfree() or list_add()
an adv_info node mid-traversal, causing a use-after-free and list
corruption. Reachable by racing MGMT_OP_SET_LE(off) or advertising timeout
expiry against MGMT add/remove/read advertising:

BUG: KASAN: slab-use-after-free in read_adv_features+0x44b/0x500
Read of size 8 at addr ffff888013878000 by task exploit/150
...
Call Trace:
 read_adv_features (net/bluetooth/mgmt.c:8546)
 hci_sock_sendmsg (net/bluetooth/hci_sock.c:1719)
 sock_write_iter (net/socket.c:1241)
 vfs_write (fs/read_write.c:687)
 ksys_write (fs/read_write.c:739)
 do_syscall_64 (arch/x86/entry/syscall_64.c:94)
...
Freed by task 52:
...
Oops: general protection fault, probably for non-canonical address
RIP: 0010:read_adv_features (net/bluetooth/mgmt.c:8548)

Hold hdev->lock around the traversal. Both callers run on the worker
without hdev->lock, so this cannot deadlock.
Fixes: c249ea9b4309 ("Bluetooth: Move Adv Instance timer to hci_sync")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
net/bluetooth/hci_sync.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 3be8c3581c6c..6b566c67ee98 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -487,6 +487,8 @@ int hci_clear_adv_instance_sync(struct hci_dev *hdev, struct sock *sk,
int err;
u8 rem_inst;
+ hci_dev_lock(hdev);
+
/* Cancel any timeout concerning the removed instance(s). */
if (!instance || hdev->cur_adv_instance == instance)
cancel_adv_timeout(hdev);
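Review bot: taking hdev->lock before cancel_adv_timeout() widens the critical section to cover the timeout cancellation as well as the list walk, which is only safe if cancel_adv_timeout() does not synchronously wait for a work item that itself takes hdev->lock (a cancel_delayed_work_sync() on the expiry work would deadlock here). The commit message argues that the two callers of hci_clear_adv_instance_sync() run on the worker without the lock, but says nothing about what the function itself does while holding it; please state in the message that no HCI command is issued and no work is flushed between hci_dev_lock() and hci_dev_unlock(), and that there is no early return between the two hunks, since any `return` in that span would now leave hdev->lock held.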
@@ -525,6 +527,8 @@ int hci_clear_adv_instance_sync(struct hci_dev *hdev, struct sock *sk,
}
}
+ hci_dev_unlock(hdev);
+
if (!hdev_is_powered(hdev) || hci_dev_test_flag(hdev, HCI_ADVERTISING))
return 0;
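Review bot: hci_dev_unlock() is placed before the hdev_is_powered()/HCI_ADVERTISING check, so everything that follows in the function runs unlocked again. The commit message lists hci_get_next_instance() among the calls that require the lock; if the adv_info pointer it returns (the instance to schedule next) is still dereferenced after this unlock, that dereference sits outside the protection the patch adds and can race with the same remove_advertising path the message describes. Either move hci_dev_unlock() past the last use of that pointer, or copy the instance number into a local while the lock is held and use only the number afterwards. hdev_is_powered() and hci_dev_test_flag() are flag reads and do not need the lock, so the unlock placement is otherwise fine.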
--
2.43.0
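The race the commit message describes, as an added user-space model that is not kernel code and not part of the patch. The list, the lock (a flag with trylock semantics standing in for hdev->lock) and the scripted "concurrent" remover are constructed here, and the function names echo the kernel ones only for readability. It shows why list_for_each_entry_safe() on its own is not enough: the iterator caches the next node before processing the current one, a concurrent list_del()+kfree() of that cached node turns the following iteration into a use-after-free, and holding the lock across the whole walk makes the remover wait instead.

```c
/* Added example: user-space model of the hdev->adv_instances race.
 * Not kernel code; list, lock and the racing remover are constructed here.
 * Nodes are never really freed: a 'freed' flag stands in for kfree() so a
 * later touch can be counted (what KASAN would report) instead of crashing.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct adv_info {
    struct adv_info *next;
    unsigned char instance;
    bool freed;              /* set instead of kfree(); KASAN poison */
};

struct hci_dev {
    bool lock_held;          /* stands in for hdev->lock */
    struct adv_info *adv_instances;
};

static struct adv_info pool[8];   /* fixed pool, nothing is malloc'ed */

/* Build the list 1..n, as add_advertising does under hdev->lock. */
static void setup_dev(struct hci_dev *hdev, int n)
{
    memset(hdev, 0, sizeof(*hdev));
    memset(pool, 0, sizeof(pool));
    for (int i = n; i >= 1; i--) {
        pool[i].instance = (unsigned char)i;
        pool[i].next = hdev->adv_instances;
        hdev->adv_instances = &pool[i];
    }
}

/* Unlink and "free" one instance; the caller must hold the lock. */
static void remove_instance_locked(struct hci_dev *hdev, unsigned char instance)
{
    for (struct adv_info **pp = &hdev->adv_instances; *pp; pp = &(*pp)->next) {
        if ((*pp)->instance == instance) {
            struct adv_info *victim = *pp;
            *pp = victim->next;      /* list_del() */
            victim->freed = true;    /* kfree() */
            return;
        }
    }
}

/* Scripted concurrent MGMT remove_advertising. It takes hdev->lock, so if
 * the walker already holds it the remover has to wait until the walk is
 * over (modelled as doing nothing); otherwise it proceeds at once. */
static void concurrent_remover(struct hci_dev *hdev, unsigned char instance)
{
    if (hdev->lock_held)
        return;
    hdev->lock_held = true;
    remove_instance_locked(hdev, instance);
    hdev->lock_held = false;
}

/* Model of the instance==0 walk in hci_clear_adv_instance_sync(). The
 * remover fires once, between two iterations, against instance 'racing'.
 * Returns how many already-freed nodes the walk touched (0 == no UAF). */
static int clear_all_instances(struct hci_dev *hdev, bool take_lock,
                               unsigned char racing)
{
    int uaf = 0;

    if (take_lock)
        hdev->lock_held = true;      /* hci_dev_lock(hdev) */

    struct adv_info *cur = hdev->adv_instances, *n;
    while (cur) {
        if (cur->freed)              /* KASAN: slab-use-after-free */
            uaf++;
        n = cur->next;               /* list_for_each_entry_safe's cached next */

        if (racing && cur->instance != racing) {
            concurrent_remover(hdev, racing);   /* other context runs here */
            racing = 0;
        }
        if (!cur->freed)
            remove_instance_locked(hdev, cur->instance); /* hci_remove_adv_instance() */
        cur = n;                     /* dangling if 'n' was freed meanwhile */
    }

    if (take_lock)
        hdev->lock_held = false;     /* hci_dev_unlock(hdev) */
    return uaf;
}

/* Three instances; the remover targets instance 2 while the walker is on 1. */
int run_scenario(bool take_lock)
{
    struct hci_dev hdev;
    setup_dev(&hdev, 3);
    return clear_all_instances(&hdev, take_lock, 2);
}

int main(void)
{
    printf("unlocked walk: %d use-after-free\n", run_scenario(false));
    printf("locked walk:   %d use-after-free\n", run_scenario(true));
    return 0;
}
```

The unlocked walk caches instance 2 as its next node, the remover unlinks and poisons it in between, and the next iteration lands on the poisoned node; with the lock held the remover is deferred and the walk finishes cleanly. The model keeps a freed node's next pointer intact, which is the optimistic case; real kfree() leaves garbage there, which is the general protection fault at the end of the KASAN report.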
Thread overview: 2+ messages
2026-07-03 23:43 Xiang Mei [this message]
2026-07-04 0:37 ` Bluetooth: hci_sync: take hci_dev_lock in hci_clear_adv_instance_sync bluez.test.bot