Linux bluetooth development
From: Xiang Mei <xmei5@asu.edu>
To: Marcel Holtmann <marcel@holtmann.org>,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
	Weiming Shi <bestswngs@gmail.com>, Xiang Mei <xmei5@asu.edu>
Subject: [PATCH bluetooth] Bluetooth: hci_sync: take hci_dev_lock in hci_clear_adv_instance_sync
Date: Fri,  3 Jul 2026 16:43:50 -0700	[thread overview]
Message-ID: <20260703234350.225221-1-xmei5@asu.edu> (raw)

hci_clear_adv_instance_sync() runs on the cmd_sync worker without
hdev->lock, yet walks hdev->adv_instances and calls
hci_remove_adv_instance()/hci_find_adv_instance()/hci_get_next_instance(),
all of which require hdev->lock. The list is otherwise serialized by
hdev->lock (add/remove_advertising mutate it, read_adv_features()
traverses it), so a concurrent holder can list_del()+kfree() or list_add()
an adv_info node mid-traversal, causing a use-after-free and list
corruption. Reachable by racing MGMT_OP_SET_LE(off) or advertising timeout
expiry against MGMT add/remove/read advertising:

  BUG: KASAN: slab-use-after-free in read_adv_features+0x44b/0x500
  Read of size 8 at addr ffff888013878000 by task exploit/150
  ...
  Call Trace:
   read_adv_features (net/bluetooth/mgmt.c:8546)
   hci_sock_sendmsg (net/bluetooth/hci_sock.c:1719)
   sock_write_iter (net/socket.c:1241)
   vfs_write (fs/read_write.c:687)
   ksys_write (fs/read_write.c:739)
   do_syscall_64 (arch/x86/entry/syscall_64.c:94)
  ...
  Freed by task 52:
  ...
  Oops: general protection fault, probably for non-canonical address
  RIP: 0010:read_adv_features (net/bluetooth/mgmt.c:8548)

Hold hdev->lock around the traversal. Both callers run on the worker
without hdev->lock, so this cannot deadlock.

Fixes: c249ea9b4309 ("Bluetooth: Move Adv Instance timer to hci_sync")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
 net/bluetooth/hci_sync.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 3be8c3581c6c..6b566c67ee98 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -487,6 +487,8 @@ int hci_clear_adv_instance_sync(struct hci_dev *hdev, struct sock *sk,
 	int err;
 	u8 rem_inst;
 
+	hci_dev_lock(hdev);
+
 	/* Cancel any timeout concerning the removed instance(s). */
 	if (!instance || hdev->cur_adv_instance == instance)
 		cancel_adv_timeout(hdev);
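Review bot: hdev->lock is now taken before the cancel_adv_timeout() call at line 490, and cancel_adv_timeout() itself is not in the hunk; confirm it does not synchronously cancel (cancel_delayed_work_sync()) work whose handler takes hdev->lock, since that would deadlock with the lock held here. Moving the hdev->cur_adv_instance read in the same condition under the lock is consistent with the rule stated in the commit message, so no objection to the placement otherwise.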
@@ -525,6 +527,8 @@ int hci_clear_adv_instance_sync(struct hci_dev *hdev, struct sock *sk,
 		}
 	}
 
+	hci_dev_unlock(hdev);
+
 	if (!hdev_is_powered(hdev) || hci_dev_test_flag(hdev, HCI_ADVERTISING))
 		return 0;
 
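Review bot: the hci_dev_unlock() at line 530 sits after the loop, but the lines between the two hunks (roughly 490 to 526) are not shown; any return or goto in that region would now leave hdev->lock held, so confirm there is no early exit between hci_dev_lock() and hci_dev_unlock(). Also, the commit message says the function calls hci_get_next_instance(); if the adv_info pointer it returns is kept and dereferenced after line 530 (everything from hdev_is_powered() on runs without the lock), that use is still outside the lock and has the same lifetime problem the patch closes for the traversal itself.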
-- 
2.43.0
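
Userspace model of the locking rule the patch enforces, added here as an illustration; it is not kernel code and not part of the patch. The names adv_add_locked(), adv_remove_locked(), clear_adv_instances(), mgmt_thread() and model_ok() are this example's own, a singly linked list stands in for hdev->adv_instances, a pthread mutex stands in for hdev->lock, and the second thread stands in for MGMT add/remove_advertising; the instance and timeout values are constructed. It keeps the patched shape of hci_clear_adv_instance_sync(): the lock is taken before the walk and released after it, so the remove calls made during the walk run under the same lock as the concurrent mutators.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structs; the mutex models hdev->lock. */
struct adv_info { struct adv_info *next; uint8_t instance; uint16_t timeout; };
struct hci_dev { pthread_mutex_t lock; struct adv_info *adv_instances; unsigned int adv_instance_cnt; };

/* Caller must hold hdev->lock, as for hci_add_adv_instance(). */
static int adv_add_locked(struct hci_dev *hdev, uint8_t instance, uint16_t timeout)
{
	struct adv_info *adv;
	for (adv = hdev->adv_instances; adv; adv = adv->next)
		if (adv->instance == instance)
			return -EEXIST;
	if (!(adv = calloc(1, sizeof(*adv))))
		return -ENOMEM;
	adv->instance = instance;
	adv->timeout = timeout;		/* 0 = permanent instance */
	adv->next = hdev->adv_instances;
	hdev->adv_instances = adv;
	hdev->adv_instance_cnt++;
	return 0;
}

/* Caller must hold hdev->lock, as for hci_remove_adv_instance(). */
static int adv_remove_locked(struct hci_dev *hdev, uint8_t instance)
{
	struct adv_info **pp, *adv;
	for (pp = &hdev->adv_instances; (adv = *pp); pp = &adv->next) {
		if (adv->instance != instance)
			continue;
		*pp = adv->next;	/* list_del() */
		free(adv);		/* kfree(): an unlocked walker would now read freed memory */
		hdev->adv_instance_cnt--;
		return 0;
	}
	return -ENOENT;
}

/* hci_clear_adv_instance_sync() as patched: hdev->lock is held across the
 * whole walk.  instance 0 means all; permanent entries survive unless force.
 * Returns the number of instances removed. */
static int clear_adv_instances(struct hci_dev *hdev, uint8_t instance, bool force)
{
	struct adv_info *adv, *n;
	int removed = 0;
	pthread_mutex_lock(&hdev->lock);
	for (adv = hdev->adv_instances; adv; adv = n) {
		n = adv->next;	/* list_for_each_entry_safe(): covers only our own removal */
		if (instance && adv->instance != instance)
			continue;
		if ((force || adv->timeout) && !adv_remove_locked(hdev, adv->instance))
			removed++;
	}
	pthread_mutex_unlock(&hdev->lock);
	return removed;
}

enum { ROUNDS = 20000 };	/* iterations per side of the race */
/* Models MGMT add/remove_advertising, which always take hdev->lock. */
static void *mgmt_thread(void *p)
{
	struct hci_dev *hdev = p;
	for (int i = 0; i < ROUNDS; i++) {
		uint8_t inst = (uint8_t)(1 + i % 8);
		pthread_mutex_lock(&hdev->lock);
		if (adv_add_locked(hdev, inst, (uint16_t)(i % 3)) == -EEXIST)
			adv_remove_locked(hdev, inst);
		pthread_mutex_unlock(&hdev->lock);
	}
	return NULL;
}

/* Deterministic clear semantics first, then the race; true if everything holds. */
static bool model_ok(void)
{
	struct hci_dev hdev = { .lock = PTHREAD_MUTEX_INITIALIZER };
	unsigned int walked = 0; pthread_t t;
	pthread_mutex_lock(&hdev.lock);
	for (uint8_t i = 1; i <= 3; i++)	/* 1 and 3 permanent, 2 times out */
		adv_add_locked(&hdev, i, i == 2 ? 5 : 0);
	pthread_mutex_unlock(&hdev.lock);
	if (clear_adv_instances(&hdev, 0, false) != 1 ||	/* only instance 2 goes */
	    clear_adv_instances(&hdev, 3, false) != 0 ||	/* permanent, not forced: kept */
	    clear_adv_instances(&hdev, 0, true) != 2)		/* forced: 1 and 3 go */
		return false;
	if (pthread_create(&t, NULL, mgmt_thread, &hdev)) return false;
	for (int i = 0; i < ROUNDS; i++)
		clear_adv_instances(&hdev, (uint8_t)(i % 9), i % 5 == 0);
	pthread_join(t, NULL);
	for (struct adv_info *adv = hdev.adv_instances; adv; adv = adv->next) walked++;
	if (walked != hdev.adv_instance_cnt)	/* count and list disagree: corruption */
		return false;
	clear_adv_instances(&hdev, 0, true);
	return hdev.adv_instances == NULL && hdev.adv_instance_cnt == 0;
}
```

The point the model makes is the one in the commit message: saving the next pointer before removing a node (what list_for_each_entry_safe() does) only protects the walker from its own removals, while a node freed by another holder of the list is still reachable through that saved pointer. Deleting the two pthread_mutex calls from clear_adv_instances() reproduces the unlocked walk the patch removes, and AddressSanitizer or ThreadSanitizer will usually flag the resulting read of freed memory in this model.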


Thread overview: 2+ messages
2026-07-03 23:43 Xiang Mei [this message]
2026-07-04  0:37 ` Bluetooth: hci_sync: take hci_dev_lock in hci_clear_adv_instance_sync bluez.test.bot