* [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
@ 2026-03-25 15:18 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2026-03-25 15:18 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes the following backtrace caused by hci_conn being freed
before le_read_features_complete but after
hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue
is not able to prevent it:
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52
CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:194 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 5932:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
__hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963
hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084
le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714
hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861
hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408
hci_event_func net/bluetooth/hci_event.c:7716 [inline]
hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773
hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Freed by task 5932:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6663 [inline]
kfree+0x2f8/0x6e0 mm/slub.c:6871
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x590 lib/kobject.c:737
put_device drivers/base/core.c:3797 [inline]
device_unregister+0x2f/0xc0 drivers/base/core.c:3920
hci_conn_del_sysfs+0xb4/0x180 net/bluetooth/hci_sysfs.c:79
hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
hci_conn_del+0x657/0x1180 net/bluetooth/hci_conn.c:1234
hci_disconn_complete_evt+0x410/0xa00 net/bluetooth/hci_event.c:3451
hci_event_func net/bluetooth/hci_event.c:7719 [inline]
hci_event_packet+0xa10/0x11c0 net/bluetooth/hci_event.c:7773
hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff8880796b0000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 16 bytes inside of
freed 8192-byte region [ffff8880796b0000, ffff8880796b2000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x796b0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001e5ac01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5657, tgid 5657 (dhcpcd-run-hook), ts 79819636908, free_ts 79814310558
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1845
prep_new_page mm/page_alloc.c:1853 [inline]
get_page_from_freelist+0xd0b/0x31a0 mm/page_alloc.c:3879
__alloc_frozen_pages_noprof+0x25f/0x2440 mm/page_alloc.c:5183
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab mm/slub.c:3248 [inline]
new_slab+0x2c3/0x430 mm/slub.c:3302
___slab_alloc+0xe18/0x1c90 mm/slub.c:4651
__slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4774
__slab_alloc_node mm/slub.c:4850 [inline]
slab_alloc_node mm/slub.c:5246 [inline]
__kmalloc_cache_noprof+0x477/0x800 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0xc8a/0x2140 security/tomoyo/audit.c:264
tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve fs/exec.c:1753 [inline]
bprm_execve+0x81e/0x1620 fs/exec.c:1729
do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859
page last free pid 5657 tgid 5657 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
__free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2901
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x130/0x170 mm/slub.c:3886
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4c/0xf0 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:352
kasan_slab_alloc include/linux/kasan.h:252 [inline]
slab_post_alloc_hook mm/slub.c:4948 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x274/0x800 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x197/0x2140 security/tomoyo/audit.c:255
tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve fs/exec.c:1753 [inline]
bprm_execve+0x81e/0x1620 fs/exec.c:1729
do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859
do_execve fs/exec.c:1933 [inline]
__do_sys_execve fs/exec.c:2009 [inline]
__se_sys_execve fs/exec.c:2004 [inline]
__x64_sys_execve+0x8e/0xb0 fs/exec.c:2004
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
Memory state around the buggy address:
ffff8880796aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880796aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880796b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880796b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880796b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: a106e50be74b ("Bluetooth: HCI: Add support for LL Extended Feature Set")
Reported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=87badbb9094e008e0685
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_sync.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 45d16639874a..f67a32c1451e 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -7371,7 +7371,7 @@ static void le_read_features_complete(struct hci_dev *hdev, void *data, int err)
if (err == -ECANCELED)
return;
- hci_conn_drop(conn);
+ hci_conn_put(conn);
}
static int hci_le_read_all_remote_features_sync(struct hci_dev *hdev,
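Review bot: the early return on -ECANCELED now leaks the reference this callback is supposed to release. With hci_conn_hold() a skipped hci_conn_drop() only left the usage count high on a connection that was being deleted anyway, but hci_conn_put() releases the device reference that keeps the hci_conn allocation alive, and the commit message itself says hci_conn_del goes through hci_cmd_sync_dequeue, which is the path that hands this callback -ECANCELED. On that path the hci_conn_get() taken in hci_le_read_remote_features() is never balanced and the object freed in device_release() is pinned forever. Suggest making the put unconditional, so that `hci_conn_put(conn);` runs before (or regardless of) the `if (err == -ECANCELED)` check, and keeping the early return only around work that must not touch a cancelled connection. A sentence in the commit message on why get/put rather than hold/drop is the right primitive here (hold/drop only arm or disarm the disconnect timeout and never pin the allocation) would also help the next reader of this code.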
@@ -7441,7 +7441,7 @@ int hci_le_read_remote_features(struct hci_conn *conn)
if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
err = hci_cmd_sync_queue_once(hdev,
hci_le_read_remote_features_sync,
- hci_conn_hold(conn),
+ hci_conn_get(conn),
le_read_features_complete);
else
err = -EOPNOTSUPP;
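Review bot: the reference taken by `hci_conn_get(conn),` in the argument list is leaked whenever the entry is not actually handed to le_read_features_complete. hci_cmd_sync_queue_once() can fail (it has to allocate the entry and checks the hdev state), and its _once semantic returns without queueing when a matching entry is already pending, in which case no callback ever runs for the new reference. Suggest checking the return value and calling hci_conn_put(conn) when err is non-zero, and either guarding against the already-queued case before taking the reference or having the queue_once API report whether it queued so the caller can balance the get. The else branch with `err = -EOPNOTSUPP;` is fine as it stands since no reference is taken there.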
--
2.53.0
* Re: [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
From: Pauli Virtanen @ 2026-03-25 15:56 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi Luiz,
Wed, 2026-03-25 at 11:18 -0400, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following backtrace caused by hci_conn being freed
> before le_read_features_complete but after
> hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue
> is not able to prevent it:
>
> [...]
> Fixes: a106e50be74b ("Bluetooth: HCI: Add support for LL Extended Feature Set")
> Reported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com
> Closes: https://syzbot.org/bug?extid=87badbb9094e008e0685
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_sync.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 45d16639874a..f67a32c1451e 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -7371,7 +7371,7 @@ static void le_read_features_complete(struct hci_dev *hdev, void *data, int err)
> if (err == -ECANCELED)
> return;
>
> - hci_conn_drop(conn);
> + hci_conn_put(conn);
> }
>
> static int hci_le_read_all_remote_features_sync(struct hci_dev *hdev,
> @@ -7441,7 +7441,7 @@ int hci_le_read_remote_features(struct hci_conn *conn)
> if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
> err = hci_cmd_sync_queue_once(hdev,
> hci_le_read_remote_features_sync,
> - hci_conn_hold(conn),
> + hci_conn_get(conn),
> le_read_features_complete);
> else
> err = -EOPNOTSUPP;
This looks like it leaks conn refcount if it can happen that the item
is already queued, or on queue error.
The hci_cmd_sync_queue_once() and hci_cmd_sync_run_once() API probably
should indicate to caller whether an item was queued:
https://lore.kernel.org/linux-bluetooth/e18591f264c50e15917cb8b9e5f9798d9880979d.1762100290.git.pav@iki.fi/T/#m66b153015dc461c5dacc9f4c9ec2805b1197d149
--
Pauli Virtanen
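The lifetime bug the patch fixes, together with the two leak paths discussed in this thread (the -ECANCELED early return in the first hunk, and Pauli's point about hci_cmd_sync_queue_once() declining to queue or failing), reduced to a small C model. This is an added example, not code from the patch or from net/bluetooth. The names conn_get/conn_put/conn_hold/conn_drop, cmd_sync_queue_once, work_pop and conn_del are stand-ins for the kernel functions with the same roles; the one-slot queue, the freed flag and the uaf_hits counter are simplifications; and the "already pending returns 0 without queueing" behaviour of the _once variant is an assumption taken from the review discussion, not verified against hci_sync.c here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not kernel code. A connection carries two counters, as a
 * real hci_conn does:
 *  - usage: what hci_conn_hold()/hci_conn_drop() adjust; it gates the
 *    disconnect timeout and does NOT keep the memory alive;
 *  - kref:  what hci_conn_get()/hci_conn_put() adjust (the device kref);
 *    the object is released when it reaches zero.
 * Nothing is really freed: conn_put() sets c->freed, and every accessor
 * counts touches of a freed object in uaf_hits, a one-line KASAN stand-in. */
struct conn { int kref; int usage; bool freed; };

static int uaf_hits;
#define TOUCH(c) do { if ((c)->freed) uaf_hits++; } while (0)

static struct conn *conn_get(struct conn *c)  { TOUCH(c); c->kref++;  return c; }
static void conn_put(struct conn *c)          { TOUCH(c); if (--c->kref == 0) c->freed = true; }
static struct conn *conn_hold(struct conn *c) { TOUCH(c); c->usage++; return c; }
static void conn_drop(struct conn *c)         { TOUCH(c); c->usage--; }

/* One-slot stand-in for the hci_cmd_sync queue; enough to model queue_once. */
typedef void (*destroy_fn)(struct conn *data, int err);
static struct { bool queued; struct conn *data; destroy_fn destroy; } q;

/* Assumed from the review: a matching entry already pending is not queued
 * again, and the call still reports success, so the caller cannot tell. */
static int cmd_sync_queue_once(struct conn *data, destroy_fn destroy)
{
    if (q.queued)
        return 0;
    q.queued = true; q.data = data; q.destroy = destroy;
    return 0;
}

/* hci_cmd_sync_work split in two: the entry is popped (so a later dequeue
 * cannot find it) and the sync function runs; the completion callback is
 * handed back to the caller, who invokes it later. */
static destroy_fn work_pop(struct conn **data)
{
    destroy_fn d = q.queued ? q.destroy : NULL;
    *data = q.data;
    q.queued = false;
    return d;
}

/* hci_conn_del: cancel a still-queued entry with -ECANCELED, then drop the
 * reference that conn_add took. */
static void conn_del(struct conn *c)
{
    if (q.queued && q.data == c) {
        q.queued = false;
        q.destroy(c, -ECANCELED);
    }
    conn_put(c);
}

/* The completion callback in its three variants. */
static void complete_drop(struct conn *c, int err)        /* before the patch */
{ if (err == -ECANCELED) return; conn_drop(c); }
static void complete_put(struct conn *c, int err)         /* the patch as posted */
{ if (err == -ECANCELED) return; conn_put(c); }
static void complete_put_always(struct conn *c, int err)  /* release on every path */
{ (void)err; conn_put(c); }

/* The race in the report: the features command has run, the disconnect
 * event deletes the conn, then the completion callback fires. Returns the
 * number of touches of freed memory (0 is the fixed behaviour). */
static int race_after_sync(struct conn *(*take)(struct conn *), destroy_fn done)
{
    struct conn c = { .kref = 1 };          /* as left by conn_add */
    struct conn *data;
    destroy_fn d;

    uaf_hits = 0;
    cmd_sync_queue_once(take(&c), done);
    d = work_pop(&data);                    /* sync func ran, callback pending */
    conn_del(&c);                           /* disconnect complete lands here */
    d(data, 0);                             /* le_read_features_complete */
    return uaf_hits;
}

/* Disconnect while the entry is still queued, so dequeue cancels it.
 * Returns true if the object was really released, false on a kref leak. */
static bool cancel_while_queued(destroy_fn done)
{
    struct conn c = { .kref = 1 };

    cmd_sync_queue_once(conn_get(&c), done);
    conn_del(&c);
    return c.freed;
}

/* queue_once declining because an entry is already pending: the second
 * conn_get() is never paired with a put. Returns true if the conn leaked. */
static bool double_queue_leaks(void)
{
    struct conn c = { .kref = 1 };
    struct conn *data;
    destroy_fn d;

    cmd_sync_queue_once(conn_get(&c), complete_put);
    cmd_sync_queue_once(conn_get(&c), complete_put);   /* not queued, get leaked */
    d = work_pop(&data);
    d(data, 0);
    conn_del(&c);
    return !c.freed;
}

int main(void)
{
    printf("hold/drop, freed touches: %d\n", race_after_sync(conn_hold, complete_drop));
    printf("get/put,   freed touches: %d\n", race_after_sync(conn_get, complete_put));
    printf("cancel + early return, object released: %d\n", cancel_while_queued(complete_put));
    printf("cancel + unconditional put, object released: %d\n", cancel_while_queued(complete_put_always));
    printf("queue_once already pending leaks: %d\n", double_queue_leaks());
    return 0;
}
```

The first two calls reproduce the KASAN report and the fix: a hold taken in the queueing path does nothing for the allocation, so the completion callback touches freed memory once the disconnect has run conn_del; a get keeps the object alive until the callback's put. The last three calls show the other side of switching to a real reference: every path that consumes the callback's data now has to release it, including the cancelled one and the one where queue_once never accepted the entry.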
* Re: [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
From: Luiz Augusto von Dentz @ 2026-03-25 16:00 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Wed, Mar 25, 2026 at 11:56 AM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi Luiz,
>
> Wed, 2026-03-25 at 11:18 -0400, Luiz Augusto von Dentz wrote:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > This fixes the following backtrace caused by hci_conn being freed
> > before le_read_features_complete but after
> > hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue
> > is not able to prevent it:
> >
> > [...]
> > ffff8880796aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > ffff8880796b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ^
> > ffff8880796b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8880796b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> > Fixes: a106e50be74b ("Bluetooth: HCI: Add support for LL Extended Feature Set")
> > Reported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com
> > Closes: https://syzbot.org/bug?extid=87badbb9094e008e0685
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > net/bluetooth/hci_sync.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index 45d16639874a..f67a32c1451e 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -7371,7 +7371,7 @@ static void le_read_features_complete(struct hci_dev *hdev, void *data, int err)
> > if (err == -ECANCELED)
> > return;
> >
> > - hci_conn_drop(conn);
> > + hci_conn_put(conn);
> > }
> >
> > static int hci_le_read_all_remote_features_sync(struct hci_dev *hdev,
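Review bot: the early `return` on `err == -ECANCELED` now skips `hci_conn_put(conn)`, so the reference taken with `hci_conn_get()` at queue time is never released when the entry is dequeued rather than run (the hci_conn_del -> hci_cmd_sync_dequeue path the commit message describes delivers exactly that -ECANCELED). With `hci_conn_hold()`/`hci_conn_drop()` the early return only touched the idle-timer count; with a get/put pair it strands a reference and the hci_conn can no longer be freed. Unless the cancellation path drops that reference somewhere not visible here, the put has to happen before the -ECANCELED return as well, e.g. by removing the check or by moving `hci_conn_put(conn)` above it.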
> > @@ -7441,7 +7441,7 @@ int hci_le_read_remote_features(struct hci_conn *conn)
> > if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
> > err = hci_cmd_sync_queue_once(hdev,
> > hci_le_read_remote_features_sync,
> > - hci_conn_hold(conn),
> > + hci_conn_get(conn),
> > le_read_features_complete);
> > else
> > err = -EOPNOTSUPP;
>
> This looks like it leaks conn refcount if it can happen that the item
> is already queued, or on queue error.
>
> The hci_cmd_sync_queue_once() and hci_cmd_sync_run_once() API probably
> should indicate to caller whether an item was queued:
>
> https://lore.kernel.org/linux-bluetooth/e18591f264c50e15917cb8b9e5f9798d9880979d.1762100290.git.pav@iki.fi/T/#m66b153015dc461c5dacc9f4c9ec2805b1197d149
Interesting. Is there a chance to resend this change? It's a little
intrusive since we need to verify all call sites handle -EEXIST but I
guess there is no better option.
> --
> Pauli Virtanen
--
Luiz Augusto von Dentz
* RE: [v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
2026-03-25 15:18 [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete Luiz Augusto von Dentz
2026-03-25 15:56 ` Pauli Virtanen
@ 2026-03-25 16:05 ` bluez.test.bot
1 sibling, 0 replies; 5+ messages in thread
From: bluez.test.bot @ 2026-03-25 16:05 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1072392
---Test result---
Test Summary:
CheckPatch PENDING 0.34 seconds
GitLint PENDING 0.29 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 26.76 seconds
CheckAllWarning PASS 28.63 seconds
CheckSparse PASS 27.73 seconds
BuildKernel32 PASS 25.46 seconds
TestRunnerSetup PASS 569.47 seconds
TestRunner_l2cap-tester PASS 27.56 seconds
TestRunner_iso-tester PASS 42.16 seconds
TestRunner_bnep-tester PASS 6.35 seconds
TestRunner_mgmt-tester FAIL 112.16 seconds
TestRunner_rfcomm-tester PASS 9.25 seconds
TestRunner_sco-tester FAIL 14.23 seconds
TestRunner_ioctl-tester PASS 13.19 seconds
TestRunner_mesh-tester FAIL 11.56 seconds
TestRunner_smp-tester PASS 8.51 seconds
TestRunner_userchan-tester PASS 6.56 seconds
IncrementalBuild PENDING 0.66 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 485 (98.2%), Failed: 5, Not Run: 4
Failed Test Cases
Adv. connectable & connected (central) - Success Failed 0.132 seconds
Adv. non-connectable & connected (central) - Success Failed 0.128 seconds
Ext Adv. connectable & connected (central) Failed 0.174 seconds
Ext Adv. non-connectable & connected (central) Failed 0.178 seconds
Read Exp Feature - Success Failed 0.110 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 1.958 seconds
Mesh - Send cancel - 2 Timed out 1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete
2026-03-25 16:00 ` Luiz Augusto von Dentz
@ 2026-03-25 16:09 ` Pauli Virtanen
0 siblings, 0 replies; 5+ messages in thread
From: Pauli Virtanen @ 2026-03-25 16:09 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi,
ke, 2026-03-25 kello 12:00 -0400, Luiz Augusto von Dentz kirjoitti:
> Hi Pauli,
>
> On Wed, Mar 25, 2026 at 11:56 AM Pauli Virtanen <pav@iki.fi> wrote:
> >
> > Hi Luiz,
> >
> > ke, 2026-03-25 kello 11:18 -0400, Luiz Augusto von Dentz kirjoitti:
> > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > >
> > > This fixes the following backtrace caused by hci_conn being freed
> > > before le_read_features_complete but after
> > > hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue
> > > is not able to prevent it:
> > >
> > > ==================================================================
> > > BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> > > BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
> > > BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
> > > BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
> > > Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52
> > >
> > > CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
> > > Workqueue: hci0 hci_cmd_sync_work
> > > Call Trace:
> > > <TASK>
> > > __dump_stack lib/dump_stack.c:94 [inline]
> > > dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
> > > print_address_description mm/kasan/report.c:378 [inline]
> > > print_report+0xcd/0x630 mm/kasan/report.c:482
> > > kasan_report+0xe0/0x110 mm/kasan/report.c:595
> > > check_region_inline mm/kasan/generic.c:194 [inline]
> > > kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
> > > instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> > > atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
> > > hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
> > > le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
> > > hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334
> > > process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
> > > process_scheduled_works kernel/workqueue.c:3340 [inline]
> > > worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
> > > kthread+0x3c5/0x780 kernel/kthread.c:463
> > > ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
> > > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
> > > </TASK>
> > >
> > > Allocated by task 5932:
> > > kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
> > > kasan_save_track+0x14/0x30 mm/kasan/common.c:77
> > > poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
> > > __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
> > > kmalloc_noprof include/linux/slab.h:957 [inline]
> > > kzalloc_noprof include/linux/slab.h:1094 [inline]
> > > __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963
> > > hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084
> > > le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714
> > > hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861
> > > hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408
> > > hci_event_func net/bluetooth/hci_event.c:7716 [inline]
> > > hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773
> > > hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
> > > process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
> > > process_scheduled_works kernel/workqueue.c:3340 [inline]
> > > worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
> > > kthread+0x3c5/0x780 kernel/kthread.c:463
> > > ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
> > > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
> > >
> > > Freed by task 5932:
> > > kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
> > > kasan_save_track+0x14/0x30 mm/kasan/common.c:77
> > > __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
> > > kasan_save_free_info mm/kasan/kasan.h:406 [inline]
> > > poison_slab_object mm/kasan/common.c:252 [inline]
> > > __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
> > > kasan_slab_free include/linux/kasan.h:234 [inline]
> > > slab_free_hook mm/slub.c:2540 [inline]
> > > slab_free mm/slub.c:6663 [inline]
> > > kfree+0x2f8/0x6e0 mm/slub.c:6871
> > > device_release+0xa4/0x240 drivers/base/core.c:2565
> > > kobject_cleanup lib/kobject.c:689 [inline]
> > > kobject_release lib/kobject.c:720 [inline]
> > > kref_put include/linux/kref.h:65 [inline]
> > > kobject_put+0x1e7/0x590 lib/kobject.c:737
> > > put_device drivers/base/core.c:3797 [inline]
> > > device_unregister+0x2f/0xc0 drivers/base/core.c:3920
> > > hci_conn_del_sysfs+0xb4/0x180 net/bluetooth/hci_sysfs.c:79
> > > hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
> > > hci_conn_del+0x657/0x1180 net/bluetooth/hci_conn.c:1234
> > > hci_disconn_complete_evt+0x410/0xa00 net/bluetooth/hci_event.c:3451
> > > hci_event_func net/bluetooth/hci_event.c:7719 [inline]
> > > hci_event_packet+0xa10/0x11c0 net/bluetooth/hci_event.c:7773
> > > hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
> > > process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
> > > process_scheduled_works kernel/workqueue.c:3340 [inline]
> > > worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
> > > kthread+0x3c5/0x780 kernel/kthread.c:463
> > > ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
> > > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
> > >
> > > The buggy address belongs to the object at ffff8880796b0000
> > > which belongs to the cache kmalloc-8k of size 8192
> > > The buggy address is located 16 bytes inside of
> > > freed 8192-byte region [ffff8880796b0000, ffff8880796b2000)
> > >
> > > The buggy address belongs to the physical page:
> > > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x796b0
> > > head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> > > anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> > > page_type: f5(slab)
> > > raw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001
> > > raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
> > > head: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001
> > > head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
> > > head: 00fff00000000003 ffffea0001e5ac01 00000000ffffffff 00000000ffffffff
> > > head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
> > > page dumped because: kasan: bad access detected
> > > page_owner tracks the page as allocated
> > > page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5657, tgid 5657 (dhcpcd-run-hook), ts 79819636908, free_ts 79814310558
> > > set_page_owner include/linux/page_owner.h:32 [inline]
> > > post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1845
> > > prep_new_page mm/page_alloc.c:1853 [inline]
> > > get_page_from_freelist+0xd0b/0x31a0 mm/page_alloc.c:3879
> > > __alloc_frozen_pages_noprof+0x25f/0x2440 mm/page_alloc.c:5183
> > > alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
> > > alloc_slab_page mm/slub.c:3075 [inline]
> > > allocate_slab mm/slub.c:3248 [inline]
> > > new_slab+0x2c3/0x430 mm/slub.c:3302
> > > ___slab_alloc+0xe18/0x1c90 mm/slub.c:4651
> > > __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4774
> > > __slab_alloc_node mm/slub.c:4850 [inline]
> > > slab_alloc_node mm/slub.c:5246 [inline]
> > > __kmalloc_cache_noprof+0x477/0x800 mm/slub.c:5766
> > > kmalloc_noprof include/linux/slab.h:957 [inline]
> > > kzalloc_noprof include/linux/slab.h:1094 [inline]
> > > tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
> > > tomoyo_init_log+0xc8a/0x2140 security/tomoyo/audit.c:264
> > > tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
> > > tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
> > > tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
> > > tomoyo_environ security/tomoyo/domain.c:672 [inline]
> > > tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888
> > > tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
> > > tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92
> > > security_bprm_check+0x1b9/0x1e0 security/security.c:794
> > > search_binary_handler fs/exec.c:1659 [inline]
> > > exec_binprm fs/exec.c:1701 [inline]
> > > bprm_execve fs/exec.c:1753 [inline]
> > > bprm_execve+0x81e/0x1620 fs/exec.c:1729
> > > do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859
> > > page last free pid 5657 tgid 5657 stack trace:
> > > reset_page_owner include/linux/page_owner.h:25 [inline]
> > > free_pages_prepare mm/page_alloc.c:1394 [inline]
> > > __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2901
> > > discard_slab mm/slub.c:3346 [inline]
> > > __put_partials+0x130/0x170 mm/slub.c:3886
> > > qlink_free mm/kasan/quarantine.c:163 [inline]
> > > qlist_free_all+0x4c/0xf0 mm/kasan/quarantine.c:179
> > > kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
> > > __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:352
> > > kasan_slab_alloc include/linux/kasan.h:252 [inline]
> > > slab_post_alloc_hook mm/slub.c:4948 [inline]
> > > slab_alloc_node mm/slub.c:5258 [inline]
> > > __kmalloc_cache_noprof+0x274/0x800 mm/slub.c:5766
> > > kmalloc_noprof include/linux/slab.h:957 [inline]
> > > tomoyo_print_header security/tomoyo/audit.c:156 [inline]
> > > tomoyo_init_log+0x197/0x2140 security/tomoyo/audit.c:255
> > > tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
> > > tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
> > > tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
> > > tomoyo_environ security/tomoyo/domain.c:672 [inline]
> > > tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888
> > > tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
> > > tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92
> > > security_bprm_check+0x1b9/0x1e0 security/security.c:794
> > > search_binary_handler fs/exec.c:1659 [inline]
> > > exec_binprm fs/exec.c:1701 [inline]
> > > bprm_execve fs/exec.c:1753 [inline]
> > > bprm_execve+0x81e/0x1620 fs/exec.c:1729
> > > do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859
> > > do_execve fs/exec.c:1933 [inline]
> > > __do_sys_execve fs/exec.c:2009 [inline]
> > > __se_sys_execve fs/exec.c:2004 [inline]
> > > __x64_sys_execve+0x8e/0xb0 fs/exec.c:2004
> > > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > > do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
> > >
> > > Memory state around the buggy address:
> > > ffff8880796aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > ffff8880796aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > > ffff8880796b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ^
> > > ffff8880796b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ffff8880796b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ==================================================================
> > >
> > > Fixes: a106e50be74b ("Bluetooth: HCI: Add support for LL Extended Feature Set")
> > > Reported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com
> > > Closes: https://syzbot.org/bug?extid=87badbb9094e008e0685
> > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > ---
> > > net/bluetooth/hci_sync.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > > index 45d16639874a..f67a32c1451e 100644
> > > --- a/net/bluetooth/hci_sync.c
> > > +++ b/net/bluetooth/hci_sync.c
> > > @@ -7371,7 +7371,7 @@ static void le_read_features_complete(struct hci_dev *hdev, void *data, int err)
> > > if (err == -ECANCELED)
> > > return;
> > >
> > > - hci_conn_drop(conn);
> > > + hci_conn_put(conn);
> > > }
> > >
> > > static int hci_le_read_all_remote_features_sync(struct hci_dev *hdev,
> > > @@ -7441,7 +7441,7 @@ int hci_le_read_remote_features(struct hci_conn *conn)
> > > if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
> > > err = hci_cmd_sync_queue_once(hdev,
> > > hci_le_read_remote_features_sync,
> > > - hci_conn_hold(conn),
> > > + hci_conn_get(conn),
> > > le_read_features_complete);
> > > else
> > > err = -EOPNOTSUPP;
> >
> > This looks like it leaks conn refcount if it can happen that the item
> > is already queued, or on queue error.
> >
> > The hci_cmd_sync_queue_once() and hci_cmd_sync_run_once() API probably
> > should indicate to caller whether an item was queued:
> >
> > https://lore.kernel.org/linux-bluetooth/e18591f264c50e15917cb8b9e5f9798d9880979d.1762100290.git.pav@iki.fi/T/#m66b153015dc461c5dacc9f4c9ec2805b1197d149
>
> Interesting. Is there a chance to resend this change? It's a little
> intrusive since we need to verify all call sites handle -EEXIST but I
> guess there is no better option.
I can rebase + resend it. Needs checking the callsites again as there
are new ones since.
--
Pauli Virtanen
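The reference-count leak Pauli describes and the -EEXIST return the two of them agree the queue-once API should grow can be reproduced in a small userspace model. This is an added example, not code from the patch or from net/bluetooth: hci_cmd_sync_queue_once(), hci_conn_get()/hci_conn_put() and le_read_features_complete() are replaced by constructed stand-ins (queue_once, conn_get/conn_put, read_features_complete) over a single-threaded queue, so the only thing it reproduces is the reference accounting, not the HCI command flow.

```c
/* Constructed userspace model (not kernel code) of the hci_cmd_sync "queue
 * once" pattern from the thread: a queued entry carries a data pointer and a
 * destroy callback; a reference taken at queue time is released by destroy. */
#include <errno.h>
#include <stdlib.h>

struct conn { int refs; int freed; };  /* refs: like hci_conn_get()/put() */

typedef int (*sync_func_t)(struct conn *data);
typedef void (*destroy_func_t)(struct conn *data, int err);

struct cmd_entry {
	sync_func_t func; struct conn *data; destroy_func_t destroy;
	struct cmd_entry *next;
};
struct cmd_queue { struct cmd_entry *head; };

static struct conn *conn_get(struct conn *c) { c->refs++; return c; }
static void conn_put(struct conn *c) { if (--c->refs == 0) c->freed = 1; }

/* Queue (func, data, destroy) unless an identical entry is already pending.
 * report_existing = 0 reports that case as success; = 1 returns -EEXIST so the
 * caller knows its data pointer was not adopted and destroy will never run. */
static int queue_once(struct cmd_queue *q, sync_func_t f, struct conn *d,
		      destroy_func_t dst, int report_existing)
{
	struct cmd_entry *e;
	for (e = q->head; e; e = e->next)
		if (e->func == f && e->data == d && e->destroy == dst)
			return report_existing ? -EEXIST : 0;
	e = calloc(1, sizeof(*e));
	if (!e)
		return -ENOMEM;
	e->func = f; e->data = d; e->destroy = dst;
	e->next = q->head;
	q->head = e;
	return 0;
}

/* Run (cancel = 0) or dequeue (cancel = 1) every entry; destroy runs once each. */
static void drain_queue(struct cmd_queue *q, int cancel)
{
	while (q->head) {
		struct cmd_entry *e = q->head;
		int err = cancel ? -ECANCELED : e->func(e->data);
		q->head = e->next;
		e->destroy(e->data, err);
		free(e);
	}
}

static int read_features_sync(struct conn *c) { (void)c; return 0; }

/* Release the reference on every path, cancellation included: returning early
 * on -ECANCELED would pin the object for ever. */
static void read_features_complete(struct conn *c, int err) { (void)err; conn_put(c); }

/* Shape of the hunk: the reference is taken inside the argument list, so when
 * the entry is already queued (or queueing fails) nobody releases it. */
static int read_features_leaky(struct cmd_queue *q, struct conn *c)
{
	return queue_once(q, read_features_sync, conn_get(c), read_features_complete, 0);
}

/* Caller that pairs its own get with a put whenever the queue did not adopt
 * the reference, treating -EEXIST as "already in flight" rather than failure. */
static int read_features_fixed(struct cmd_queue *q, struct conn *c)
{
	int err;
	conn_get(c);
	err = queue_once(q, read_features_sync, c, read_features_complete, 1);
	if (err) {
		conn_put(c);
		return err == -EEXIST ? 0 : err;
	}
	return 0;
}

/* Queue the same command twice, run or cancel it, drop the owner's reference,
 * and report the references still outstanding (0 means the object was freed). */
static int leftover_refs(int (*queue)(struct cmd_queue *, struct conn *), int cancel)
{
	struct cmd_queue q = { 0 };
	struct conn c = { 1, 0 };  /* one reference held by the owner */
	queue(&q, &c);
	queue(&q, &c);  /* second call finds the entry already pending */
	drain_queue(&q, cancel);
	conn_put(&c);
	return c.refs;
}

int main(void)
{
	/* 0 only if the leaky caller strands one reference and the fixed one balances */
	return leftover_refs(read_features_leaky, 0) != 1 ||
	       leftover_refs(read_features_fixed, 0) != 0 ||
	       leftover_refs(read_features_fixed, 1) != 0;
}
```

Compiled and run, main() exits 0: the caller that takes the reference inside the argument list, as the hunk does, leaves one reference behind after the duplicate queue attempt and the object is never freed, while the caller that is told about -EEXIST balances its count on both the run and the cancel path. The destroy callback puts the reference even for -ECANCELED; that is the other half of the accounting a dequeue-on-delete path depends on.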
Thread overview: 5+ messages
2026-03-25 15:18 [PATCH v1] Bluetooth: hci_sync: Fix UAF in le_read_features_complete Luiz Augusto von Dentz
2026-03-25 15:56 ` Pauli Virtanen
2026-03-25 16:00 ` Luiz Augusto von Dentz
2026-03-25 16:09 ` Pauli Virtanen
2026-03-25 16:05 ` [v1] " bluez.test.bot