public inbox for linux-bluetooth@vger.kernel.org
* [PATCH RESEND] Bluetooth: sco: Serialize state check in sco_sock_connect to fix UAF
@ 2025-12-08  9:55 Cen Zhang
  2025-12-08 10:40 ` [RESEND] " bluez.test.bot
From: Cen Zhang @ 2025-12-08  9:55 UTC (permalink / raw)
  To: luiz.dentz, johan.hedberg, marcel
  Cc: linux-kernel, linux-bluetooth, baijiaju1990, r33s3n6, gality369,
	zhenghaoran154, Cen Zhang

Concurrent sco_sock_connect() calls could race on the same socket since the
state checks (BT_OPEN/BT_BOUND) were done without holding the socket lock.
This allowed two parallel connects to proceed and end up binding two
separate sco_conn objects to the same sk. Later, when sk->conn had been
updated to point to the second conn, closing the socket could free the
second conn and the socket, while the first conn's connect confirm path
still referenced the stale sk/conn, triggering a KASAN use-after-free.

Fix by taking lock_sock(sk) before checking sk->sk_state and sk->sk_type,
performing the destination address assignment under the lock, and releasing
it before invoking sco_connect() (which will acquire the lock as needed).
This serializes concurrent connect attempts for the same sk and prevents the
interleaving that caused the double-attachment and subsequent UAF.

Thread 1:               Thread 2:               Thread 3:
check sk_state          check sk_state
sco_sock_connect(sk)    sco_sock_connect(sk)    sco_connect_cfm(sk->conn)
conn1->sk = sk
                        conn2->sk = sk
sk->conn = conn1
                        sk->conn = conn2
                        sco_sock_release
                        free conn2 and sk
                                                sco_connect_cfm
                                                sco_conn_del
                                                sco_conn_free
                                                UAF on sk

The representative KASAN report excerpt:

  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:94
  ...
  Write of size 8 at addr ffff88810d2be350 by task kworker/u25:1/88
  ...
  Call Trace:
  sco_conn_free net/bluetooth/sco.c:94 [inline]
  kref_put include/linux/kref.h:65 [inline]
  sco_conn_put+0x49d/0xfc0 net/bluetooth/sco.c:115
  sco_conn_del+0x46d/0x8d0 net/bluetooth/sco.c:280
  sco_connect_cfm+0x83d/0x1ee0 net/bluetooth/sco.c:1468
  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
  ...
  Allocated by task 294:
  ...
  sco_sock_create+0x22d/0xc00 net/bluetooth/sco.c:616
  ...
  Freed by task 295:
  __sk_destruct+0x4b0/0x630 net/core/sock.c:2373
  sock_put include/net/sock.h:1962 [inline]
  sco_sock_kill+0x64d/0x9b0 net/bluetooth/sco.c:526
  sco_sock_release+0x770/0xa50 net/bluetooth/sco.c:1359
  ...

Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
 net/bluetooth/sco.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 87ba90336..e065390a8 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -298,7 +298,7 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
 	int err = 0;
 
 	sco_conn_lock(conn);
-	if (conn->sk)
+	if (conn->sk || sco_pi(sk)->conn)
 		err = -EBUSY;
 	else
 		__sco_chan_add(conn, sk, parent);
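Review bot: the new `sco_pi(sk)->conn` test is evaluated under sco_conn_lock(conn), but sco_pi(sk)->conn is socket state rather than conn state, so it is only reliable if every caller of sco_chan_add() holds lock_sock(sk) at this point (sco_connect() does, judging by the release_sock(sk) in the next hunk); the commit message should state that expectation, and a one-line comment above the check would explain why a sk that already owns a conn now returns -EBUSY, since that is the condition that actually blocks the double attachment described in the message.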
@@ -356,6 +356,7 @@ static int sco_connect(struct sock *sk)
 	err = sco_chan_add(conn, sk, NULL);
 	if (err) {
 		release_sock(sk);
+		hci_conn_drop(hcon);
 		goto unlock;
 	}
 
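Review bot: the added hci_conn_drop(hcon) on the sco_chan_add() failure path is a reference-count change that the commit message, which only describes the locking, does not mention; please say why the hcon reference was previously leaked on the -EBUSY path and confirm that the `unlock` label does not also drop hcon, otherwise this path now drops the reference twice.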
@@ -651,13 +652,17 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr_unsized *addr,
 	    addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
-	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
-		return -EBADFD;
+	lock_sock(sk);
 
-	if (sk->sk_type != SOCK_SEQPACKET)
+	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND){
+		release_sock(sk);
+		return -EBADFD;
+	}
+	if (sk->sk_type != SOCK_SEQPACKET){
+		release_sock(sk);
 		err = -EINVAL;
-
-	lock_sock(sk);
+	}
+		
 	/* Set destination address and psm */
 	bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
 	release_sock(sk);
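Review bot: the SOCK_SEQPACKET branch calls release_sock(sk) and sets err = -EINVAL but never returns, so execution falls through to bacpy() without the lock held and then reaches the existing release_sock(sk) a second time, unlocking a socket this path no longer holds; it should `return -EINVAL;` like the -EBADFD branch above it (or jump to a single release path). Style: checkpatch will flag the missing space before `{` on both new `if` lines and the trailing whitespace on the blank line added after the closing brace.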
-- 
2.34.1
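The check-then-attach race in the commit message, replayed as an added userspace model (not the kernel's code): `sock`, `sco_conn`, the state values and the mutex are stand-ins, and `attach_unfixed`/`attach_fixed` mirror the pre- and post-patch behaviour of the state check plus the `conn->sk || sco_pi(sk)->conn` guard.

```c
/* Added userspace model of the race in the commit message (not kernel code):
 * sock/sco_conn are toy structs, state values are arbitrary, the mutex stands
 * in for lock_sock()/release_sock(). */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#ifndef EBADFD
#define EBADFD 77
#endif
enum { BT_OPEN = 2, BT_BOUND = 3 };          /* arbitrary model values */
struct sco_conn;
struct sock { int sk_state; struct sco_conn *conn; pthread_mutex_t lock; };
struct sco_conn { struct sock *sk; };

static int state_ok(const struct sock *sk)
{ return sk->sk_state == BT_OPEN || sk->sk_state == BT_BOUND; }

/* Before the fix: sk_state was checked by the caller without the lock, and
 * the attach refused only a conn that was already taken, never a taken sk. */
static int attach_unfixed(struct sco_conn *c, struct sock *sk)
{
	if (c->sk) return -EBUSY;
	c->sk = sk; sk->conn = c;
	return 0;
}

/* After the fix: state check and attach run under the socket lock, and a sk
 * that already owns a conn is refused ("conn->sk || sco_pi(sk)->conn"). */
static int attach_fixed(struct sco_conn *c, struct sock *sk)
{
	int err = 0;
	pthread_mutex_lock(&sk->lock);
	if (!state_ok(sk)) err = -EBADFD;
	else if (c->sk || sk->conn) err = -EBUSY;
	else { c->sk = sk; sk->conn = c; }
	pthread_mutex_unlock(&sk->lock);
	return err;
}

/* Replay the Thread 1 / Thread 2 columns: both pass the unlocked state check,
 * then attach in turn. Returns how many conns point at sk afterwards
 * (2 = double attachment); *err2 receives the second attach's result. */
int replay(int (*attach)(struct sco_conn *, struct sock *), int *err2)
{
	struct sock sk = { BT_OPEN, NULL, PTHREAD_MUTEX_INITIALIZER };
	struct sco_conn c1 = { NULL }, c2 = { NULL };
	int ok1 = state_ok(&sk), ok2 = state_ok(&sk); /* both checks precede attach */
	if (ok1) attach(&c1, &sk);
	*err2 = ok2 ? attach(&c2, &sk) : -EBADFD;
	return (c1.sk == &sk) + (c2.sk == &sk);
}
```

With the unfixed attach both conns end up pointing at the same sk while sk->conn only remembers the second, which is the stale cross-reference the KASAN report later trips over; the fixed attach rejects the second caller with -EBUSY.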



* RE: [RESEND] Bluetooth: sco: Serialize state check in sco_sock_connect to fix UAF
  2025-12-08  9:55 [PATCH RESEND] Bluetooth: sco: Serialize state check in sco_sock_connect to fix UAF Cen Zhang
@ 2025-12-08 10:40 ` bluez.test.bot
  2025-12-08 15:41   ` Luiz Augusto von Dentz
From: bluez.test.bot @ 2025-12-08 10:40 UTC (permalink / raw)
  To: linux-bluetooth, zzzccc427


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1031328

---Test result---

Test Summary:
CheckPatch                    PENDING   0.32 seconds
GitLint                       PENDING   0.24 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      25.46 seconds
CheckAllWarning               PASS      28.37 seconds
CheckSparse                   WARNING   31.94 seconds
BuildKernel32                 PASS      25.61 seconds
TestRunnerSetup               PASS      558.74 seconds
TestRunner_l2cap-tester       PASS      24.64 seconds
TestRunner_iso-tester         PASS      88.68 seconds
TestRunner_bnep-tester        PASS      6.29 seconds
TestRunner_mgmt-tester        FAIL      125.65 seconds
TestRunner_rfcomm-tester      PASS      9.38 seconds
TestRunner_sco-tester         FAIL      14.61 seconds
TestRunner_ioctl-tester       PASS      10.26 seconds
TestRunner_mesh-tester        FAIL      11.58 seconds
TestRunner_smp-tester         PASS      8.61 seconds
TestRunner_userchan-tester    PASS      6.69 seconds
IncrementalBuild              PENDING   0.70 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/sco.c: note: in included file:./include/net/bluetooth/hci_core.h:153:35: warning: array of flexible structures
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.111 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.792 seconds
Mesh - Send cancel - 2                               Timed out    1.997 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [RESEND] Bluetooth: sco: Serialize state check in sco_sock_connect to fix UAF
  2025-12-08 10:40 ` [RESEND] " bluez.test.bot
@ 2025-12-08 15:41   ` Luiz Augusto von Dentz
  2025-12-08 16:15     ` Pauli Virtanen
From: Luiz Augusto von Dentz @ 2025-12-08 15:41 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: zzzccc427

Hi,

On Mon, Dec 8, 2025 at 5:40 AM <bluez.test.bot@gmail.com> wrote:
> [...]
> Test: TestRunner_sco-tester - FAIL
> Desc: Run sco-tester with test-runner
> Output:
> WARNING: possible circular locking dependency detected
> BUG: sleeping function called from invalid context at net/core/sock.c:3782

The above seems new to me, might need to check with the likes of
sco-tester if you didn't already.

> [...]


-- 
Luiz Augusto von Dentz


* Re: [RESEND] Bluetooth: sco: Serialize state check in sco_sock_connect to fix UAF
  2025-12-08 15:41   ` Luiz Augusto von Dentz
@ 2025-12-08 16:15     ` Pauli Virtanen
  2025-12-09  4:55       ` Cen Zhang
From: Pauli Virtanen @ 2025-12-08 16:15 UTC (permalink / raw)
  To: Luiz Augusto von Dentz, linux-bluetooth; +Cc: zzzccc427

Hi,

ma, 2025-12-08 kello 10:41 -0500, Luiz Augusto von Dentz kirjoitti:
> [...]
> > Test: TestRunner_sco-tester - FAIL
> > Desc: Run sco-tester with test-runner
> > Output:
> > WARNING: possible circular locking dependency detected
> > BUG: sleeping function called from invalid context at net/core/sock.c:3782
> 
> The above seems new to me, might need to check with the likes of
> sco-tester if you didn't already.

These ones are from the newly added SCO Listen tests.

They're a pre-existing issue: the code lockdep is not happy about is
how conn->lock is used in sco_conn_ready(), and this appears to date
back a long time.

> > [...]

-- 
Pauli Virtanen


* Re: [RESEND] Bluetooth: sco: Serialize state check in sco_sock_connect to fix UAF
  2025-12-08 16:15     ` Pauli Virtanen
@ 2025-12-09  4:55       ` Cen Zhang
From: Cen Zhang @ 2025-12-09  4:55 UTC (permalink / raw)
  To: Pauli Virtanen; +Cc: Luiz Augusto von Dentz, linux-bluetooth

Hi,

For additional context, I tried submitting another patch:
  https://patchwork.kernel.org/project/bluetooth/patch/20251209025945.3555605-1-zzzccc427@gmail.com/
but that did not change the CI behavior.

I also reviewed a couple of other recent patches:
  https://patchwork.kernel.org/project/bluetooth/patch/9e5172cb82b9d4d130d83d9fc6beac9e496227c1.1764875787.git.pav@iki.fi/
  https://patchwork.kernel.org/project/bluetooth/patch/20251205175324.619870-1-katharasasikumar007@gmail.com/
and they appear to trigger the same lockdep warnings in the SCO Listen tests.

This suggests the warnings are pre-existing and not introduced by this
UAF fix.

Thanks,
Cen Zhang
