* [PATCH v1] Bluetooth: HIDP: Fix possible UAF
@ 2026-03-06 2:31 Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-06 2:31 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes the following trace caused by not dropping l2cap_conn
reference when user->remove callback is called:
[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954] <TASK>
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811078] ? ksys_read (fs/read_write.c:707)
[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 97.811338] RIP: 0033:0x445cfe
[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
Code starting with the faulting instruction
===========================================
[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
[ 97.811453] </TASK>
[ 98.402453] ==================================================================
[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
[ 98.405361]
[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 98.405600] Call Trace:
[ 98.405607] <TASK>
[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.406323] ? kthread (kernel/kthread.c:433)
[ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406523] ? kthread (kernel/kthread.c:433)
[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406565] ? kthread (kernel/kthread.c:433)
[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.406610] kthread (kernel/kthread.c:467)
[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)
[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[ 98.406774] </TASK>
[ 98.406780]
[ 98.433693] The buggy address belongs to the physical page:
[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
[ 98.435557] flags: 0x200000000000000(node=0|zone=2)
[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
[ 98.438115] page dumped because: kasan: bad access detected
[ 98.438951]
[ 98.439211] Memory state around the buggy address:
[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.442458] ^
[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.444768] ==================================================================
[ 98.445719] Disabling lock debugging due to kernel taint
[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 98.450040] Tainted: [B]=BAD_PAGE
[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 98.450059] Call Trace:
[ 98.450065] <TASK>
[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)
[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
[ 98.450154] session_free (net/bluetooth/hidp/core.c:990)
[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)
[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.450271] ? kthread (kernel/kthread.c:433)
[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450528] ? kthread (kernel/kthread.c:433)
[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450578] ? kthread (kernel/kthread.c:433)
[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.450637] kthread (kernel/kthread.c:467)
[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)
[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[ 98.450836] </TASK>
Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
Reported-by: soufiane el hachmi <kilwa10@gmail.com>
Tested-by: soufiane el hachmi <kilwa10@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hidp/core.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6724adce615b..e0e400381550 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
skb_queue_purge(&session->intr_transmit);
fput(session->intr_sock->file);
fput(session->ctrl_sock->file);
- l2cap_conn_put(session->conn);
+ if (session->conn)
+ l2cap_conn_put(session->conn);
kfree(session);
}
@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
down_write(&hidp_session_sem);
+ /* Drop L2CAP reference immediately to indicate that
+ * l2cap_unregister_user() shall not be called as it is already
+ * considered removed.
+ */
+ if (session->conn) {
+ l2cap_conn_put(session->conn);
+ session->conn = NULL;
+ }
+
hidp_session_terminate(session);
cancel_work_sync(&session->dev_init);
@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
* Instead, this call has the same semantics as if user-space tried to
* delete the session.
*/
- l2cap_unregister_user(session->conn, &session->user);
+ if (session->conn)
+ l2cap_unregister_user(session->conn, &session->user);
+
hidp_session_put(session);
module_put_and_kthread_exit(0);
--
2.53.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* RE: [v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
@ 2026-03-06 4:27 ` bluez.test.bot
2026-03-06 18:40 ` [PATCH v1] " patchwork-bot+bluetooth
2026-03-06 18:49 ` Pauli Virtanen
2 siblings, 0 replies; 5+ messages in thread
From: bluez.test.bot @ 2026-03-06 4:27 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 3149 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1062284
---Test result---
Test Summary:
CheckPatch PENDING 0.33 seconds
GitLint PENDING 0.26 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 26.03 seconds
CheckAllWarning PASS 28.99 seconds
CheckSparse WARNING 32.97 seconds
BuildKernel32 PASS 25.60 seconds
TestRunnerSetup PASS 566.00 seconds
TestRunner_l2cap-tester PASS 28.89 seconds
TestRunner_iso-tester PASS 94.23 seconds
TestRunner_bnep-tester PASS 6.47 seconds
TestRunner_mgmt-tester FAIL 118.14 seconds
TestRunner_rfcomm-tester PASS 9.63 seconds
TestRunner_sco-tester FAIL 14.71 seconds
TestRunner_ioctl-tester PASS 10.26 seconds
TestRunner_mesh-tester FAIL 12.43 seconds
TestRunner_smp-tester PASS 8.67 seconds
TestRunner_userchan-tester PASS 6.76 seconds
IncrementalBuild PENDING 0.79 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hidp/core.c:1486:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1487:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1488:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1489:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1490:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1490:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1491:1: error: bad constant expression
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.112 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.607 seconds
Mesh - Send cancel - 2 Timed out 1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
@ 2026-03-06 18:40 ` patchwork-bot+bluetooth
2026-03-06 18:49 ` Pauli Virtanen
2 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-06 18:40 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 5 Mar 2026 21:31:55 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following trace caused by not dropping l2cap_conn
> reference when user->remove callback is called:
>
> [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 97.809947] Call Trace:
> [ 97.809954] <TASK>
> [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> [ 97.810404] __fput (fs/file_table.c:470)
> [ 97.810430] task_work_run (kernel/task_work.c:235)
> [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> [ 97.810527] do_exit (kernel/exit.c:972)
> [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 97.810721] do_group_exit (kernel/exit.c:1093)
> [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810826] ? vfs_read (fs/read_write.c:555)
> [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811078] ? ksys_read (fs/read_write.c:707)
> [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 97.811338] RIP: 0033:0x445cfe
> [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
>
> [...]
Here is the summary with links:
- [v1] Bluetooth: HIDP: Fix possible UAF
https://git.kernel.org/bluetooth/bluetooth-next/c/708efc5f2338
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
2026-03-06 18:40 ` [PATCH v1] " patchwork-bot+bluetooth
@ 2026-03-06 18:49 ` Pauli Virtanen
2026-03-06 19:23 ` Luiz Augusto von Dentz
2 siblings, 1 reply; 5+ messages in thread
From: Pauli Virtanen @ 2026-03-06 18:49 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
Hi,
to, 2026-03-05 kello 21:31 -0500, Luiz Augusto von Dentz kirjoitti:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following trace caused by not dropping l2cap_conn
> reference when user->remove callback is called:
>
> [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 97.809947] Call Trace:
> [ 97.809954] <TASK>
> [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> [ 97.810404] __fput (fs/file_table.c:470)
> [ 97.810430] task_work_run (kernel/task_work.c:235)
> [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> [ 97.810527] do_exit (kernel/exit.c:972)
> [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 97.810721] do_group_exit (kernel/exit.c:1093)
> [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810826] ? vfs_read (fs/read_write.c:555)
> [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811078] ? ksys_read (fs/read_write.c:707)
> [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 97.811338] RIP: 0033:0x445cfe
> [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
>
> Code starting with the faulting instruction
> ===========================================
> [ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> [ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
> [ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
> [ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
> [ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
> [ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
> [ 97.811453] </TASK>
> [ 98.402453] ==================================================================
> [ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
> [ 98.405361]
> [ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 98.405600] Call Trace:
> [ 98.405607] <TASK>
> [ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
> [ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> [ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
> [ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
> [ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> [ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
> [ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
> [ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
> [ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
> [ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
> [ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> [ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> [ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
> [ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.406323] ? kthread (kernel/kthread.c:433)
> [ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> [ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406523] ? kthread (kernel/kthread.c:433)
> [ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406565] ? kthread (kernel/kthread.c:433)
> [ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.406610] kthread (kernel/kthread.c:467)
> [ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)
> [ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> [ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> [ 98.406774] </TASK>
> [ 98.406780]
> [ 98.433693] The buggy address belongs to the physical page:
> [ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
> [ 98.435557] flags: 0x200000000000000(node=0|zone=2)
> [ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
> [ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
> [ 98.438115] page dumped because: kasan: bad access detected
> [ 98.438951]
> [ 98.439211] Memory state around the buggy address:
> [ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.442458] ^
> [ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.444768] ==================================================================
> [ 98.445719] Disabling lock debugging due to kernel taint
> [ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
> [ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 98.450040] Tainted: [B]=BAD_PAGE
> [ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 98.450059] Call Trace:
> [ 98.450065] <TASK>
> [ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)
> [ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
> [ 98.450154] session_free (net/bluetooth/hidp/core.c:990)
> [ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)
> [ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.450271] ? kthread (kernel/kthread.c:433)
> [ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> [ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450528] ? kthread (kernel/kthread.c:433)
> [ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450578] ? kthread (kernel/kthread.c:433)
> [ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.450637] kthread (kernel/kthread.c:467)
> [ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)
> [ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> [ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> [ 98.450836] </TASK>
>
> Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
> Reported-by: soufiane el hachmi <kilwa10@gmail.com>
> Tested-by: soufiane el hachmi <kilwa10@gmail.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hidp/core.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6724adce615b..e0e400381550 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
> skb_queue_purge(&session->intr_transmit);
> fput(session->intr_sock->file);
> fput(session->ctrl_sock->file);
> - l2cap_conn_put(session->conn);
> + if (session->conn)
> + l2cap_conn_put(session->conn);
> kfree(session);
> }
>
> @@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
>
> down_write(&hidp_session_sem);
>
> + /* Drop L2CAP reference immediately to indicate that
> + * l2cap_unregister_user() shall not be called as it is already
> + * considered removed.
> + */
> + if (session->conn) {
> + l2cap_conn_put(session->conn);
> + session->conn = NULL;
> + }
> +
> hidp_session_terminate(session);
>
> cancel_work_sync(&session->dev_init);
> @@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
> * Instead, this call has the same semantics as if user-space tried to
> * delete the session.
> */
> - l2cap_unregister_user(session->conn, &session->user);
> + if (session->conn)
> + l2cap_unregister_user(session->conn, &session->user);
Does this TOCTOU on session->conn:
[Task 1] [Task 2]
hci_dev_lock()
l2cap_disconn_cfm()
l2cap_conn_del()
if (session->conn)
hidp_session_remove()
l2cap_conn_free()
l2cap_unregister_user()
hdev = conn->hcon->hdev <UAF>
I wonder if it is same issue as
https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
and I remember the earlier patch that tries to address the race via
changing the locking:
https://lore.kernel.org/all/20251106182016.26508-1-ssranevjti@gmail.com/
AFAICS, done that way the call to l2cap_unregister_user() in
hidp_session_thread() should be noop via the !list_empty(&user->list)
branch, as the hidp_session_remove() already ran. session->conn would
remain until it is put when session->ref refcount goes to zero.
> +
> hidp_session_put(session);
>
> module_put_and_kthread_exit(0);
--
Pauli Virtanen
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 18:49 ` Pauli Virtanen
@ 2026-03-06 19:23 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-06 19:23 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Fri, Mar 6, 2026 at 1:49 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi,
>
> to, 2026-03-05 kello 21:31 -0500, Luiz Augusto von Dentz kirjoitti:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > This fixes the following trace caused by not dropping l2cap_conn
> > reference when user->remove callback is called:
> >
> > [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> > [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> > [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > [ 97.809947] Call Trace:
> > [ 97.809954] <TASK>
> > [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> > [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> > [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> > [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> > [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> > [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> > [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> > [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> > [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> > [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> > [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> > [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> > [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> > [ 97.810404] __fput (fs/file_table.c:470)
> > [ 97.810430] task_work_run (kernel/task_work.c:235)
> > [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> > [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> > [ 97.810527] do_exit (kernel/exit.c:972)
> > [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> > [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> > [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> > [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 97.810721] do_group_exit (kernel/exit.c:1093)
> > [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> > [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> > [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810826] ? vfs_read (fs/read_write.c:555)
> > [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> > [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> > [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> > [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> > [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811078] ? ksys_read (fs/read_write.c:707)
> > [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> > [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> > [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> > [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> > [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> > [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> > [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> > [ 97.811338] RIP: 0033:0x445cfe
> > [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
> >
> > Code starting with the faulting instruction
> > ===========================================
> > [ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> > [ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
> > [ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
> > [ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
> > [ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
> > [ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
> > [ 97.811453] </TASK>
> > [ 98.402453] ==================================================================
> > [ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
> > [ 98.405361]
> > [ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> > [ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > [ 98.405600] Call Trace:
> > [ 98.405607] <TASK>
> > [ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
> > [ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> > [ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
> > [ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
> > [ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> > [ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> > [ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
> > [ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
> > [ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> > [ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
> > [ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
> > [ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
> > [ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> > [ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> > [ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
> > [ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.406323] ? kthread (kernel/kthread.c:433)
> > [ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> > [ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406523] ? kthread (kernel/kthread.c:433)
> > [ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406565] ? kthread (kernel/kthread.c:433)
> > [ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.406610] kthread (kernel/kthread.c:467)
> > [ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)
> > [ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> > [ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> > [ 98.406774] </TASK>
> > [ 98.406780]
> > [ 98.433693] The buggy address belongs to the physical page:
> > [ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
> > [ 98.435557] flags: 0x200000000000000(node=0|zone=2)
> > [ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
> > [ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
> > [ 98.438115] page dumped because: kasan: bad access detected
> > [ 98.438951]
> > [ 98.439211] Memory state around the buggy address:
> > [ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.442458] ^
> > [ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.444768] ==================================================================
> > [ 98.445719] Disabling lock debugging due to kernel taint
> > [ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
> > [ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> > [ 98.450040] Tainted: [B]=BAD_PAGE
> > [ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > [ 98.450059] Call Trace:
> > [ 98.450065] <TASK>
> > [ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)
> > [ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> > [ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
> > [ 98.450154] session_free (net/bluetooth/hidp/core.c:990)
> > [ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)
> > [ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.450271] ? kthread (kernel/kthread.c:433)
> > [ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> > [ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450528] ? kthread (kernel/kthread.c:433)
> > [ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450578] ? kthread (kernel/kthread.c:433)
> > [ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.450637] kthread (kernel/kthread.c:467)
> > [ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)
> > [ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> > [ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> > [ 98.450836] </TASK>
> >
> > Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
> > Reported-by: soufiane el hachmi <kilwa10@gmail.com>
> > Tested-by: soufiane el hachmi <kilwa10@gmail.com>
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > net/bluetooth/hidp/core.c | 16 ++++++++++++++--
> > 1 file changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> > index 6724adce615b..e0e400381550 100644
> > --- a/net/bluetooth/hidp/core.c
> > +++ b/net/bluetooth/hidp/core.c
> > @@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
> > skb_queue_purge(&session->intr_transmit);
> > fput(session->intr_sock->file);
> > fput(session->ctrl_sock->file);
> > - l2cap_conn_put(session->conn);
> > + if (session->conn)
> > + l2cap_conn_put(session->conn);
> > kfree(session);
> > }
> >
> > @@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
> >
> > down_write(&hidp_session_sem);
> >
> > + /* Drop L2CAP reference immediately to indicate that
> > + * l2cap_unregister_user() shall not be called as it is already
> > + * considered removed.
> > + */
> > + if (session->conn) {
> > + l2cap_conn_put(session->conn);
> > + session->conn = NULL;
> > + }
> > +
> > hidp_session_terminate(session);
> >
> > cancel_work_sync(&session->dev_init);
> > @@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
> > * Instead, this call has the same semantics as if user-space tried to
> > * delete the session.
> > */
> > - l2cap_unregister_user(session->conn, &session->user);
> > + if (session->conn)
> > + l2cap_unregister_user(session->conn, &session->user);
>
> Does this TOCTOU on session->conn:
>
> [Task 1] [Task 2]
> hci_dev_lock()
> l2cap_disconn_cfm()
> l2cap_conn_del()
> if (session->conn)
> hidp_session_remove()
> l2cap_conn_free()
> l2cap_unregister_user()
> hdev = conn->hcon->hdev <UAF>
>
> I wonder if it is same issue as
> https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
>
> and I remember the earlier patch that tries to address the race via
> changing the locking:
>
> https://lore.kernel.org/all/20251106182016.26508-1-ssranevjti@gmail.com/
Interesting, this one might have slipped through. It seems valid and
looks like it would address the TOCTOU, let me check with the reporter
if the above fix the problem as well then we migh just drop the change
setting the l2cap_conn to NULL.
>
> AFAICS, done that way the call to l2cap_unregister_user() in
> hidp_session_thread() should be noop via the !list_empty(&user->list)
> branch, as the hidp_session_remove() already ran. session->conn would
> remain until it is put when session->ref refcount goes to zero.
>
>
> > +
> > hidp_session_put(session);
> >
> > module_put_and_kthread_exit(0);
>
> --
> Pauli Virtanen
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-03-06 19:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
2026-03-06 18:40 ` [PATCH v1] " patchwork-bot+bluetooth
2026-03-06 18:49 ` Pauli Virtanen
2026-03-06 19:23 ` Luiz Augusto von Dentz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox