* [PATCH v1] Bluetooth: HIDP: Fix possible UAF
@ 2026-03-06 2:31 Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-06 2:31 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes the following trace caused by not dropping l2cap_conn
reference when user->remove callback is called:
[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 97.809947] Call Trace:
[ 97.809954] <TASK>
[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
[ 97.810404] __fput (fs/file_table.c:470)
[ 97.810430] task_work_run (kernel/task_work.c:235)
[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
[ 97.810527] do_exit (kernel/exit.c:972)
[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 97.810721] do_group_exit (kernel/exit.c:1093)
[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810826] ? vfs_read (fs/read_write.c:555)
[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811078] ? ksys_read (fs/read_write.c:707)
[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 97.811338] RIP: 0033:0x445cfe
[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
Code starting with the faulting instruction
===========================================
[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
[ 97.811453] </TASK>
[ 98.402453] ==================================================================
[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
[ 98.405361]
[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 98.405600] Call Trace:
[ 98.405607] <TASK>
[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
[ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.406323] ? kthread (kernel/kthread.c:433)
[ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406523] ? kthread (kernel/kthread.c:433)
[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406565] ? kthread (kernel/kthread.c:433)
[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.406610] kthread (kernel/kthread.c:467)
[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)
[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[ 98.406774] </TASK>
[ 98.406780]
[ 98.433693] The buggy address belongs to the physical page:
[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
[ 98.435557] flags: 0x200000000000000(node=0|zone=2)
[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
[ 98.438115] page dumped because: kasan: bad access detected
[ 98.438951]
[ 98.439211] Memory state around the buggy address:
[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.442458] ^
[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 98.444768] ==================================================================
[ 98.445719] Disabling lock debugging due to kernel taint
[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)
[ 98.450040] Tainted: [B]=BAD_PAGE
[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
[ 98.450059] Call Trace:
[ 98.450065] <TASK>
[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)
[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
[ 98.450154] session_free (net/bluetooth/hidp/core.c:990)
[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)
[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.450271] ? kthread (kernel/kthread.c:433)
[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450528] ? kthread (kernel/kthread.c:433)
[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450578] ? kthread (kernel/kthread.c:433)
[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
[ 98.450637] kthread (kernel/kthread.c:467)
[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)
[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)
[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
[ 98.450836] </TASK>
Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
Reported-by: soufiane el hachmi <kilwa10@gmail.com>
Tested-by: soufiane el hachmi <kilwa10@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hidp/core.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6724adce615b..e0e400381550 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
skb_queue_purge(&session->intr_transmit);
fput(session->intr_sock->file);
fput(session->ctrl_sock->file);
- l2cap_conn_put(session->conn);
+ if (session->conn)
+ l2cap_conn_put(session->conn);
kfree(session);
}
@@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
down_write(&hidp_session_sem);
+ /* Drop L2CAP reference immediately to indicate that
+ * l2cap_unregister_user() shall not be called as it is already
+ * considered removed.
+ */
+ if (session->conn) {
+ l2cap_conn_put(session->conn);
+ session->conn = NULL;
+ }
+
hidp_session_terminate(session);
cancel_work_sync(&session->dev_init);
@@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
* Instead, this call has the same semantics as if user-space tried to
* delete the session.
*/
- l2cap_unregister_user(session->conn, &session->user);
+ if (session->conn)
+ l2cap_unregister_user(session->conn, &session->user);
+
hidp_session_put(session);
module_put_and_kthread_exit(0);
--
2.53.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* RE: [v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
@ 2026-03-06 4:27 ` bluez.test.bot
2026-03-06 18:40 ` [PATCH v1] " patchwork-bot+bluetooth
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-03-06 4:27 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 3149 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1062284
---Test result---
Test Summary:
CheckPatch PENDING 0.33 seconds
GitLint PENDING 0.26 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 26.03 seconds
CheckAllWarning PASS 28.99 seconds
CheckSparse WARNING 32.97 seconds
BuildKernel32 PASS 25.60 seconds
TestRunnerSetup PASS 566.00 seconds
TestRunner_l2cap-tester PASS 28.89 seconds
TestRunner_iso-tester PASS 94.23 seconds
TestRunner_bnep-tester PASS 6.47 seconds
TestRunner_mgmt-tester FAIL 118.14 seconds
TestRunner_rfcomm-tester PASS 9.63 seconds
TestRunner_sco-tester FAIL 14.71 seconds
TestRunner_ioctl-tester PASS 10.26 seconds
TestRunner_mesh-tester FAIL 12.43 seconds
TestRunner_smp-tester PASS 8.67 seconds
TestRunner_userchan-tester PASS 6.76 seconds
IncrementalBuild PENDING 0.79 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hidp/core.c:1486:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1487:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1488:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1489:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1490:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1490:1: error: bad constant expressionnet/bluetooth/hidp/core.c:1491:1: error: bad constant expression
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.112 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.607 seconds
Mesh - Send cancel - 2 Timed out 1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
@ 2026-03-06 18:40 ` patchwork-bot+bluetooth
2026-03-06 18:49 ` Pauli Virtanen
2026-04-22 1:14 ` [PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del Michael Bommarito
3 siblings, 0 replies; 7+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-06 18:40 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 5 Mar 2026 21:31:55 -0500 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following trace caused by not dropping l2cap_conn
> reference when user->remove callback is called:
>
> [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 97.809947] Call Trace:
> [ 97.809954] <TASK>
> [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> [ 97.810404] __fput (fs/file_table.c:470)
> [ 97.810430] task_work_run (kernel/task_work.c:235)
> [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> [ 97.810527] do_exit (kernel/exit.c:972)
> [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 97.810721] do_group_exit (kernel/exit.c:1093)
> [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810826] ? vfs_read (fs/read_write.c:555)
> [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811078] ? ksys_read (fs/read_write.c:707)
> [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 97.811338] RIP: 0033:0x445cfe
> [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
>
> [...]
Here is the summary with links:
- [v1] Bluetooth: HIDP: Fix possible UAF
https://git.kernel.org/bluetooth/bluetooth-next/c/708efc5f2338
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
2026-03-06 18:40 ` [PATCH v1] " patchwork-bot+bluetooth
@ 2026-03-06 18:49 ` Pauli Virtanen
2026-03-06 19:23 ` Luiz Augusto von Dentz
2026-04-22 1:14 ` [PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del Michael Bommarito
3 siblings, 1 reply; 7+ messages in thread
From: Pauli Virtanen @ 2026-03-06 18:49 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
Hi,
to, 2026-03-05 kello 21:31 -0500, Luiz Augusto von Dentz kirjoitti:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This fixes the following trace caused by not dropping l2cap_conn
> reference when user->remove callback is called:
>
> [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 97.809947] Call Trace:
> [ 97.809954] <TASK>
> [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> [ 97.810404] __fput (fs/file_table.c:470)
> [ 97.810430] task_work_run (kernel/task_work.c:235)
> [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> [ 97.810527] do_exit (kernel/exit.c:972)
> [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 97.810721] do_group_exit (kernel/exit.c:1093)
> [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810826] ? vfs_read (fs/read_write.c:555)
> [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811078] ? ksys_read (fs/read_write.c:707)
> [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 97.811338] RIP: 0033:0x445cfe
> [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
>
> Code starting with the faulting instruction
> ===========================================
> [ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> [ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
> [ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
> [ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
> [ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
> [ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
> [ 97.811453] </TASK>
> [ 98.402453] ==================================================================
> [ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
> [ 98.405361]
> [ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 98.405600] Call Trace:
> [ 98.405607] <TASK>
> [ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
> [ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> [ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
> [ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
> [ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> [ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> [ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> [ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
> [ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
> [ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> [ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
> [ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
> [ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
> [ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> [ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> [ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
> [ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.406323] ? kthread (kernel/kthread.c:433)
> [ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> [ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406523] ? kthread (kernel/kthread.c:433)
> [ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406565] ? kthread (kernel/kthread.c:433)
> [ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.406610] kthread (kernel/kthread.c:467)
> [ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)
> [ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> [ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> [ 98.406774] </TASK>
> [ 98.406780]
> [ 98.433693] The buggy address belongs to the physical page:
> [ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
> [ 98.435557] flags: 0x200000000000000(node=0|zone=2)
> [ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
> [ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
> [ 98.438115] page dumped because: kasan: bad access detected
> [ 98.438951]
> [ 98.439211] Memory state around the buggy address:
> [ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.442458] ^
> [ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 98.444768] ==================================================================
> [ 98.445719] Disabling lock debugging due to kernel taint
> [ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
> [ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> [ 98.450040] Tainted: [B]=BAD_PAGE
> [ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> [ 98.450059] Call Trace:
> [ 98.450065] <TASK>
> [ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)
> [ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> [ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
> [ 98.450154] session_free (net/bluetooth/hidp/core.c:990)
> [ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)
> [ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.450271] ? kthread (kernel/kthread.c:433)
> [ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> [ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> [ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> [ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450528] ? kthread (kernel/kthread.c:433)
> [ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450578] ? kthread (kernel/kthread.c:433)
> [ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> [ 98.450637] kthread (kernel/kthread.c:467)
> [ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)
> [ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> [ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> [ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)
> [ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> [ 98.450836] </TASK>
>
> Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
> Reported-by: soufiane el hachmi <kilwa10@gmail.com>
> Tested-by: soufiane el hachmi <kilwa10@gmail.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hidp/core.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 6724adce615b..e0e400381550 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
> skb_queue_purge(&session->intr_transmit);
> fput(session->intr_sock->file);
> fput(session->ctrl_sock->file);
> - l2cap_conn_put(session->conn);
> + if (session->conn)
> + l2cap_conn_put(session->conn);
> kfree(session);
> }
>
> @@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
>
> down_write(&hidp_session_sem);
>
> + /* Drop L2CAP reference immediately to indicate that
> + * l2cap_unregister_user() shall not be called as it is already
> + * considered removed.
> + */
> + if (session->conn) {
> + l2cap_conn_put(session->conn);
> + session->conn = NULL;
> + }
> +
> hidp_session_terminate(session);
>
> cancel_work_sync(&session->dev_init);
> @@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
> * Instead, this call has the same semantics as if user-space tried to
> * delete the session.
> */
> - l2cap_unregister_user(session->conn, &session->user);
> + if (session->conn)
> + l2cap_unregister_user(session->conn, &session->user);
Does this TOCTOU on session->conn:
[Task 1] [Task 2]
hci_dev_lock()
l2cap_disconn_cfm()
l2cap_conn_del()
if (session->conn)
hidp_session_remove()
l2cap_conn_free()
l2cap_unregister_user()
hdev = conn->hcon->hdev <UAF>
I wonder if it is same issue as
https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
and I remember the earlier patch that tries to address the race via
changing the locking:
https://lore.kernel.org/all/20251106182016.26508-1-ssranevjti@gmail.com/
AFAICS, done that way the call to l2cap_unregister_user() in
hidp_session_thread() should be noop via the !list_empty(&user->list)
branch, as the hidp_session_remove() already ran. session->conn would
remain until it is put when session->ref refcount goes to zero.
> +
> hidp_session_put(session);
>
> module_put_and_kthread_exit(0);
--
Pauli Virtanen
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v1] Bluetooth: HIDP: Fix possible UAF
2026-03-06 18:49 ` Pauli Virtanen
@ 2026-03-06 19:23 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-06 19:23 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hi Pauli,
On Fri, Mar 6, 2026 at 1:49 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi,
>
> to, 2026-03-05 kello 21:31 -0500, Luiz Augusto von Dentz kirjoitti:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > This fixes the following trace caused by not dropping l2cap_conn
> > reference when user->remove callback is called:
> >
> > [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00
> > [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> > [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > [ 97.809947] Call Trace:
> > [ 97.809954] <TASK>
> > [ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)
> > [ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> > [ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)
> > [ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))
> > [ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)
> > [ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))
> > [ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)
> > [ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)
> > [ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))
> > [ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> > [ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)
> > [ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)
> > [ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)
> > [ 97.810404] __fput (fs/file_table.c:470)
> > [ 97.810430] task_work_run (kernel/task_work.c:235)
> > [ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)
> > [ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))
> > [ 97.810527] do_exit (kernel/exit.c:972)
> > [ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)
> > [ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> > [ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> > [ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 97.810721] do_group_exit (kernel/exit.c:1093)
> > [ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))
> > [ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)
> > [ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810826] ? vfs_read (fs/read_write.c:555)
> > [ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)
> > [ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)
> > [ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))
> > [ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)
> > [ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811078] ? ksys_read (fs/read_write.c:707)
> > [ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)
> > [ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)
> > [ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)
> > [ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))
> > [ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)
> > [ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))
> > [ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> > [ 97.811338] RIP: 0033:0x445cfe
> > [ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.
> >
> > Code starting with the faulting instruction
> > ===========================================
> > [ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> > [ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe
> > [ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004
> > [ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000
> > [ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8
> > [ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0
> > [ 97.811453] </TASK>
> > [ 98.402453] ==================================================================
> > [ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430
> > [ 98.405361]
> > [ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> > [ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > [ 98.405600] Call Trace:
> > [ 98.405607] <TASK>
> > [ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)
> > [ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> > [ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)
> > [ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
> > [ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)
> > [ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))
> > [ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> > [ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
> > [ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)
> > [ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))
> > [ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)
> > [ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)
> > [ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)
> > [ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> > [ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))
> > [ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)
> > [ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.406323] ? kthread (kernel/kthread.c:433)
> > [ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> > [ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406523] ? kthread (kernel/kthread.c:433)
> > [ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406565] ? kthread (kernel/kthread.c:433)
> > [ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.406610] kthread (kernel/kthread.c:467)
> > [ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)
> > [ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> > [ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> > [ 98.406774] </TASK>
> > [ 98.406780]
> > [ 98.433693] The buggy address belongs to the physical page:
> > [ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4
> > [ 98.435557] flags: 0x200000000000000(node=0|zone=2)
> > [ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000
> > [ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000
> > [ 98.438115] page dumped because: kasan: bad access detected
> > [ 98.438951]
> > [ 98.439211] Memory state around the buggy address:
> > [ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > [ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.441580] >ffff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.442458] ^
> > [ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 98.444768] ==================================================================
> > [ 98.445719] Disabling lock debugging due to kernel taint
> > [ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400
> > [ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)
> > [ 98.450040] Tainted: [B]=BAD_PAGE
> > [ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > [ 98.450059] Call Trace:
> > [ 98.450065] <TASK>
> > [ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)
> > [ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)
> > [ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)
> > [ 98.450154] session_free (net/bluetooth/hidp/core.c:990)
> > [ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)
> > [ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.450271] ? kthread (kernel/kthread.c:433)
> > [ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))
> > [ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)
> > [ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))
> > [ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450528] ? kthread (kernel/kthread.c:433)
> > [ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450578] ? kthread (kernel/kthread.c:433)
> > [ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)
> > [ 98.450637] kthread (kernel/kthread.c:467)
> > [ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)
> > [ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
> > [ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
> > [ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)
> > [ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
> > [ 98.450836] </TASK>
> >
> > Fixes: b4f34d8d9d26 ("Bluetooth: hidp: add new session-management helpers")
> > Reported-by: soufiane el hachmi <kilwa10@gmail.com>
> > Tested-by: soufiane el hachmi <kilwa10@gmail.com>
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > net/bluetooth/hidp/core.c | 16 ++++++++++++++--
> > 1 file changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> > index 6724adce615b..e0e400381550 100644
> > --- a/net/bluetooth/hidp/core.c
> > +++ b/net/bluetooth/hidp/core.c
> > @@ -986,7 +986,8 @@ static void session_free(struct kref *ref)
> > skb_queue_purge(&session->intr_transmit);
> > fput(session->intr_sock->file);
> > fput(session->ctrl_sock->file);
> > - l2cap_conn_put(session->conn);
> > + if (session->conn)
> > + l2cap_conn_put(session->conn);
> > kfree(session);
> > }
> >
> > @@ -1164,6 +1165,15 @@ static void hidp_session_remove(struct l2cap_conn *conn,
> >
> > down_write(&hidp_session_sem);
> >
> > + /* Drop L2CAP reference immediately to indicate that
> > + * l2cap_unregister_user() shall not be called as it is already
> > + * considered removed.
> > + */
> > + if (session->conn) {
> > + l2cap_conn_put(session->conn);
> > + session->conn = NULL;
> > + }
> > +
> > hidp_session_terminate(session);
> >
> > cancel_work_sync(&session->dev_init);
> > @@ -1301,7 +1311,9 @@ static int hidp_session_thread(void *arg)
> > * Instead, this call has the same semantics as if user-space tried to
> > * delete the session.
> > */
> > - l2cap_unregister_user(session->conn, &session->user);
> > + if (session->conn)
> > + l2cap_unregister_user(session->conn, &session->user);
>
> Does this TOCTOU on session->conn:
>
> [Task 1] [Task 2]
> hci_dev_lock()
> l2cap_disconn_cfm()
> l2cap_conn_del()
> if (session->conn)
> hidp_session_remove()
> l2cap_conn_free()
> l2cap_unregister_user()
> hdev = conn->hcon->hdev <UAF>
>
> I wonder if it is same issue as
> https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
>
> and I remember the earlier patch that tries to address the race via
> changing the locking:
>
> https://lore.kernel.org/all/20251106182016.26508-1-ssranevjti@gmail.com/
Interesting, this one might have slipped through. It seems valid and
looks like it would address the TOCTOU, let me check with the reporter
if the above fix the problem as well then we migh just drop the change
setting the l2cap_conn to NULL.
>
> AFAICS, done that way the call to l2cap_unregister_user() in
> hidp_session_thread() should be noop via the !list_empty(&user->list)
> branch, as the hidp_session_remove() already ran. session->conn would
> remain until it is put when session->ref refcount goes to zero.
>
>
> > +
> > hidp_session_put(session);
> >
> > module_put_and_kthread_exit(0);
>
> --
> Pauli Virtanen
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
` (2 preceding siblings ...)
2026-03-06 18:49 ` Pauli Virtanen
@ 2026-04-22 1:14 ` Michael Bommarito
2026-04-22 4:13 ` bluez.test.bot
3 siblings, 1 reply; 7+ messages in thread
From: Michael Bommarito @ 2026-04-22 1:14 UTC (permalink / raw)
To: Marcel Holtmann; +Cc: Luiz Augusto von Dentz, linux-bluetooth, linux-kernel
commit dbf666e4fc9b ("Bluetooth: HIDP: Fix possible UAF") changed
hidp_session_remove() to drop the L2CAP reference and set
session->conn = NULL once the session is considered removed, and
added an if (session->conn) guard around the l2cap_unregister_user()
call at the kthread-exit site in hidp_session_thread().
The sibling call site in hidp_connection_del() still invokes
l2cap_unregister_user(session->conn, &session->user) unconditionally.
hidp_session_find() takes the session refcount under
down_read(&hidp_session_sem) and returns; between the find() and the
call at :1421, hidp_session_remove() can run on another thread
(driven by the remote peer disconnecting or local teardown), take
down_write(&hidp_session_sem), set session->conn to NULL, and return.
The HIDPCONNDEL ioctl path then dereferences a NULL l2cap_conn inside
l2cap_unregister_user(), which acquires conn->lock without a NULL
check. Result: kernel NULL-pointer dereference.
Apply the same if (session->conn) guard used at the twin site. No
functional change when session->conn is non-NULL.
Discovery and verification:
- Found via static audit of every session->conn read in hidp/core.c
after the referenced commit landed. The other reads are safe
(creation-time in hidp_session_dev_init, already-guarded in
session_free / hidp_session_thread / hidp_session_remove; the other
hidp_session_find callers do not touch session->conn at all), so
:1421 is the only remaining unguarded site.
- Runtime A/B confirmed in UML with CONFIG_BT_HIDP=y + CONFIG_KASAN=y:
a late_initcall stub that injects a fake hidp_session with
conn=NULL into hidp_session_list and invokes hidp_connection_del()
panics on the pre-fix tree at __mutex_lock from
l2cap_unregister_user+0x2d, and returns cleanly on the post-fix
tree with the new guard short-circuiting before the deref.
Fixes: dbf666e4fc9b ("Bluetooth: HIDP: Fix possible UAF")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
---
net/bluetooth/hidp/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 7bcf8c5ceaee..9192efd1b156 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -1417,7 +1417,7 @@ int hidp_connection_del(struct hidp_conndel_req *req)
HIDP_TRANS_HID_CONTROL |
HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
NULL, 0);
- else
+ else if (session->conn)
l2cap_unregister_user(session->conn, &session->user);
hidp_session_put(session);
--
2.53.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* RE: Bluetooth: HIDP: guard session->conn in hidp_connection_del
2026-04-22 1:14 ` [PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del Michael Bommarito
@ 2026-04-22 4:13 ` bluez.test.bot
0 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-04-22 4:13 UTC (permalink / raw)
To: linux-bluetooth, michael.bommarito
[-- Attachment #1: Type: text/plain, Size: 4405 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1084091
---Test result---
Test Summary:
CheckPatch FAIL 0.55 seconds
GitLint PASS 0.20 seconds
SubjectPrefix PASS 0.08 seconds
BuildKernel PASS 26.22 seconds
CheckAllWarning PASS 28.58 seconds
CheckSparse PASS 27.49 seconds
BuildKernel32 PASS 25.59 seconds
TestRunnerSetup PASS 574.90 seconds
TestRunner_l2cap-tester PASS 27.87 seconds
TestRunner_iso-tester PASS 42.34 seconds
TestRunner_bnep-tester PASS 6.48 seconds
TestRunner_mgmt-tester FAIL 114.28 seconds
TestRunner_rfcomm-tester PASS 9.83 seconds
TestRunner_sco-tester PASS 14.50 seconds
TestRunner_ioctl-tester PASS 10.22 seconds
TestRunner_mesh-tester FAIL 12.18 seconds
TestRunner_smp-tester PASS 8.81 seconds
TestRunner_userchan-tester PASS 6.92 seconds
TestRunner_6lowpan-tester FAIL 8.68 seconds
IncrementalBuild PASS 25.52 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: HIDP: guard session->conn in hidp_connection_del
WARNING: Non-standard signature: Assisted-by:
#140:
Assisted-by: Claude:claude-opus-4-7
ERROR: Unrecognized email address: 'Claude:claude-opus-4-7'
#140:
Assisted-by: Claude:claude-opus-4-7
total: 1 errors, 1 warnings, 0 checks, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14533271.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.112 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.627 seconds
Mesh - Send cancel - 2 Timed out 1.994 seconds
##############################
Test: TestRunner_6lowpan-tester - FAIL
Desc: Run 6lowpan-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
7.0.0-rc7-gcdeca5510265 #1 Not tainted
------------------------------------------------------
kworker/0:1/11 is trying to acquire lock:
ffff888002735940 ((wq_completion)hci0#2){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x75/0x180
but task is already holding lock:
ffffffff9d84f9e0 (rtnl_mutex){+.+.}-{4:4}, at: lowpan_unregister_netdev+0xd/0x30
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #4 (rtnl_mutex){+.+.}-{4:4}:
lock_acquire+0xf7/0x2c0
__mutex_lock+0x16b/0x1fc0
lowpan_register_netdev+0x11/0x30
chan_ready_cb+0x836/0xd00
l2cap_recv_frame+0x61bb/0x88e0
l2cap_recv_acldata+0x790/0xdf0
hci_rx_work+0x500/0xd00
process_scheduled_works+0xba7/0x1a90
worker_thread+0x514/0xbb0
kthread+0x368/0x490
ret_from_fork+0x498/0x7e0
ret_from_fork_asm+0x19/0x30
-> #3 (&chan->lock#3/1){+.+.}-{4:4}:
lock_acquire+0xf7/0x2c0
__mutex_lock+0x16b/0x1fc0
l2cap_chan_connect+0x74e/0x1980
lowpan_control_write+0x523/0x660
full_proxy_write+0x10b/0x190
vfs_write+0x1c0/0xf60
ksys_write+0xf1/0x1d0
do_syscall_64+0xa0/0x570
entry_SYSCALL_64_after_hwframe+0x74/0x7c
-> #2 (&conn->lock){+.+.}-{4:4}:
...
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
https://github.com/bluez/bluetooth-next/pull/115
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2026-04-22 4:13 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-06 2:31 [PATCH v1] Bluetooth: HIDP: Fix possible UAF Luiz Augusto von Dentz
2026-03-06 4:27 ` [v1] " bluez.test.bot
2026-03-06 18:40 ` [PATCH v1] " patchwork-bot+bluetooth
2026-03-06 18:49 ` Pauli Virtanen
2026-03-06 19:23 ` Luiz Augusto von Dentz
2026-04-22 1:14 ` [PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del Michael Bommarito
2026-04-22 4:13 ` bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox