* [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn
@ 2025-11-05  9:02 Yang Li via B4 Relay
From: Yang Li via B4 Relay @ 2025-11-05  9:02 UTC (permalink / raw)
  To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
  Cc: linux-bluetooth, linux-kernel, Yang Li

From: Yang Li <yang.li@amlogic.com>

kernel panic: Unable to handle kernel read from unreadable
memory at virtual address 00000000000003d8

Call trace:
 iso_sock_disconn+0x110/0x1c8
 __iso_sock_close+0x50/0x164
 iso_sock_release+0x48/0xf0
 __sock_release+0x40/0xb4
 sock_close+0x18/0x28
 __fput+0xd8/0x28c
 __fput_sync+0x50/0x5c
 __arm64_sys_close+0x38/0x7c
 invoke_syscall+0x48/0x118
 el0_svc_common.constprop.0+0x40/0xe0
 do_el0_svc_compat+0x1c/0x34
 el0_svc_compat+0x30/0x88
 el0t_32_sync_handler+0x90/0x140
 el0t_32_sync+0x198/0x19c

Signed-off-by: Yang Li <yang.li@amlogic.com>
---
 net/bluetooth/iso.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 74ec7d125c88..89c7700ceb81 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
 	case BT_CONNECT:
 	case BT_CONNECTED:
 	case BT_CONFIG:
-		if (iso_pi(sk)->conn->hcon)
+		if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
 			iso_sock_disconn(sk);
 		else
 			iso_chan_del(sk, ECONNRESET);
 		break;
 
 	case BT_CONNECT2:
-		if (iso_pi(sk)->conn->hcon &&
+		if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
 		    (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
 		    test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
 			iso_sock_disconn(sk);
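Review bot: the two added `iso_pi(sk)->conn &&` guards (BT_CONNECT/BT_CONNECTED/BT_CONFIG and BT_CONNECT2) make the close path skip iso_sock_disconn() when conn is NULL, but the commit message does not say how conn can be NULL while the socket is still in one of those states, and the reported fault (a read at 00000000000003d8, a NULL-plus-offset address) is a NULL pointer dereference rather than the use-after-free named in the subject. Please describe the sequence that clears conn and confirm that falling through to `iso_chan_del(sk, ECONNRESET)` is the intended outcome for it; if conn is instead being freed while the socket still holds it, a NULL check will not help and the teardown path has to notify the socket before the object is deleted.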

---
base-commit: 2747d929617743ecba08eeeb310283b4be681383
change-id: 20251105-kernel_panic-73adc703480d

Best regards,
-- 
Yang Li <yang.li@amlogic.com>




* RE: Bluetooth: iso: Fix UAF on iso_sock_disconn
  2025-11-05  9:02 [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn Yang Li via B4 Relay
@ 2025-11-05  9:38 ` bluez.test.bot
From: bluez.test.bot @ 2025-11-05  9:38 UTC (permalink / raw)
  To: linux-bluetooth, yang.li


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1019783

---Test result---

Test Summary:
CheckPatch                    PENDING   0.29 seconds
GitLint                       PENDING   0.25 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      25.47 seconds
CheckAllWarning               PASS      27.35 seconds
CheckSparse                   PASS      30.92 seconds
BuildKernel32                 PASS      24.80 seconds
TestRunnerSetup               PASS      496.53 seconds
TestRunner_l2cap-tester       PASS      23.75 seconds
TestRunner_iso-tester         PASS      78.33 seconds
TestRunner_bnep-tester        PASS      6.13 seconds
TestRunner_mgmt-tester        FAIL      120.19 seconds
TestRunner_rfcomm-tester      PASS      9.03 seconds
TestRunner_sco-tester         PASS      14.23 seconds
TestRunner_ioctl-tester       PASS      9.81 seconds
TestRunner_mesh-tester        FAIL      11.50 seconds
TestRunner_smp-tester         PASS      8.34 seconds
TestRunner_userchan-tester    PASS      6.43 seconds
IncrementalBuild              PENDING   1.05 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 485 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.100 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.135 seconds
Mesh - Send cancel - 2                               Timed out    1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn
  2025-11-05  9:02 [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn Yang Li via B4 Relay
  2025-11-05  9:38 ` bluez.test.bot
@ 2025-11-05  9:45 ` Paul Menzel
From: Paul Menzel @ 2025-11-05  9:45 UTC (permalink / raw)
  To: Yang Li
  Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
	linux-bluetooth, linux-kernel

Dear Yang,


Thank you for your patch.

On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
> From: Yang Li <yang.li@amlogic.com>
> 
> kernel panic: Unable to handle kernel read from unreadable
> memory at virtual address 00000000000003d8

No line break needed in pasted logs.

> 
> Call trace:
>   iso_sock_disconn+0x110/0x1c8
>   __iso_sock_close+0x50/0x164
>   iso_sock_release+0x48/0xf0
>   __sock_release+0x40/0xb4
>   sock_close+0x18/0x28
>   __fput+0xd8/0x28c
>   __fput_sync+0x50/0x5c
>   __arm64_sys_close+0x38/0x7c
>   invoke_syscall+0x48/0x118
>   el0_svc_common.constprop.0+0x40/0xe0
>   do_el0_svc_compat+0x1c/0x34
>   el0_svc_compat+0x30/0x88
>   el0t_32_sync_handler+0x90/0x140
>   el0t_32_sync+0x198/0x19c

Please add a paragraph about this problem, and how `iso_pi(sk)->conn` 
can be NULL.

> Signed-off-by: Yang Li <yang.li@amlogic.com>
> ---
>   net/bluetooth/iso.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 74ec7d125c88..89c7700ceb81 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
>   	case BT_CONNECT:
>   	case BT_CONNECTED:
>   	case BT_CONFIG:
> -		if (iso_pi(sk)->conn->hcon)
> +		if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
>   			iso_sock_disconn(sk);
>   		else
>   			iso_chan_del(sk, ECONNRESET);
>   		break;
>   
>   	case BT_CONNECT2:
> -		if (iso_pi(sk)->conn->hcon &&
> +		if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
>   		    (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
>   		    test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
>   			iso_sock_disconn(sk);

This diff looks fine.


Kind regards,

Paul


* Re: [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn
  2025-11-05  9:45 ` [PATCH] " Paul Menzel
@ 2025-11-06  2:21   ` Yang Li
From: Yang Li @ 2025-11-06  2:21 UTC (permalink / raw)
  To: Paul Menzel
  Cc: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
	linux-bluetooth, linux-kernel

Hi Paul,


> [ EXTERNAL EMAIL ]
>
> Dear Yang,
>
>
> Thank you for your patch.
>
> On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
>> From: Yang Li <yang.li@amlogic.com>
>>
>> kernel panic: Unable to handle kernel read from unreadable
>> memory at virtual address 00000000000003d8
>
> No line break needed in pasted logs.
>
>>
>> Call trace:
>>   iso_sock_disconn+0x110/0x1c8
>>   __iso_sock_close+0x50/0x164
>>   iso_sock_release+0x48/0xf0
>>   __sock_release+0x40/0xb4
>>   sock_close+0x18/0x28
>>   __fput+0xd8/0x28c
>>   __fput_sync+0x50/0x5c
>>   __arm64_sys_close+0x38/0x7c
>>   invoke_syscall+0x48/0x118
>>   el0_svc_common.constprop.0+0x40/0xe0
>>   do_el0_svc_compat+0x1c/0x34
>>   el0_svc_compat+0x30/0x88
>>   el0t_32_sync_handler+0x90/0x140
>>   el0t_32_sync+0x198/0x19c
>
> Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> can be NULL.


I will update it.

Thanks!

>
>> Signed-off-by: Yang Li <yang.li@amlogic.com>
>> ---
>>   net/bluetooth/iso.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
>> index 74ec7d125c88..89c7700ceb81 100644
>> --- a/net/bluetooth/iso.c
>> +++ b/net/bluetooth/iso.c
>> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
>>       case BT_CONNECT:
>>       case BT_CONNECTED:
>>       case BT_CONFIG:
>> -             if (iso_pi(sk)->conn->hcon)
>> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
>>                       iso_sock_disconn(sk);
>>               else
>>                       iso_chan_del(sk, ECONNRESET);
>>               break;
>>
>>       case BT_CONNECT2:
>> -             if (iso_pi(sk)->conn->hcon &&
>> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
>>                   (test_bit(HCI_CONN_PA_SYNC, 
>> &iso_pi(sk)->conn->hcon->flags) ||
>>                   test_bit(HCI_CONN_PA_SYNC_FAILED, 
>> &iso_pi(sk)->conn->hcon->flags)))
>>                       iso_sock_disconn(sk);
>
> This diff looks fine.
>
>
> Kind regards,
>
> Paul


* Re: [PATCH] Bluetooth: iso: Fix UAF on iso_sock_disconn
  2025-11-06  2:21   ` Yang Li
@ 2025-11-07 18:52     ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-11-07 18:52 UTC (permalink / raw)
  To: Yang Li
  Cc: Paul Menzel, Marcel Holtmann, Johan Hedberg, linux-bluetooth,
	linux-kernel

Hi Yang,

On Wed, Nov 5, 2025 at 9:21 PM Yang Li <yang.li@amlogic.com> wrote:
>
> Hi Paul,
>
>
> > [ EXTERNAL EMAIL ]
> >
> > Dear Yang,
> >
> >
> > Thank you for your patch.
> >
> > On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
> >> From: Yang Li <yang.li@amlogic.com>
> >>
> >> kernel panic: Unable to handle kernel read from unreadable
> >> memory at virtual address 00000000000003d8
> >
> > No line break needed in pasted logs.
> >
> >>
> >> Call trace:
> >>   iso_sock_disconn+0x110/0x1c8
> >>   __iso_sock_close+0x50/0x164
> >>   iso_sock_release+0x48/0xf0
> >>   __sock_release+0x40/0xb4
> >>   sock_close+0x18/0x28
> >>   __fput+0xd8/0x28c
> >>   __fput_sync+0x50/0x5c
> >>   __arm64_sys_close+0x38/0x7c
> >>   invoke_syscall+0x48/0x118
> >>   el0_svc_common.constprop.0+0x40/0xe0
> >>   do_el0_svc_compat+0x1c/0x34
> >>   el0_svc_compat+0x30/0x88
> >>   el0t_32_sync_handler+0x90/0x140
> >>   el0t_32_sync+0x198/0x19c
> >
> > Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> > can be NULL.
>
>
> I will update it.
>
> Thanks!
>
> >
> >> Signed-off-by: Yang Li <yang.li@amlogic.com>
> >> ---
> >>   net/bluetooth/iso.c | 4 ++--
> >>   1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> >> index 74ec7d125c88..89c7700ceb81 100644
> >> --- a/net/bluetooth/iso.c
> >> +++ b/net/bluetooth/iso.c
> >> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
> >>       case BT_CONNECT:
> >>       case BT_CONNECTED:
> >>       case BT_CONFIG:
> >> -             if (iso_pi(sk)->conn->hcon)
> >> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
> >>                       iso_sock_disconn(sk);
> >>               else
> >>                       iso_chan_del(sk, ECONNRESET);
> >>               break;
> >>
> >>       case BT_CONNECT2:
> >> -             if (iso_pi(sk)->conn->hcon &&
> >> +             if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
> >>                   (test_bit(HCI_CONN_PA_SYNC,
> >> &iso_pi(sk)->conn->hcon->flags) ||
> >>                   test_bit(HCI_CONN_PA_SYNC_FAILED,
> >> &iso_pi(sk)->conn->hcon->flags)))
> >>                       iso_sock_disconn(sk);

Hold on, since the bug is actually in the handling of BIG Sync Lost, it
has been assuming that it also means PA Sync is lost as well when that
is informed by its own event PA Sync Lost:

https://patchwork.kernel.org/project/bluetooth/patch/20251106230943.877242-2-luiz.dentz@gmail.com/

Also note that I've changed the handling so it no longer calls
hci_conn_del without first calling hci_disconn_cfm, since the latter
actually informs the socket layers about the imminent deletion so the
socket can go ahead and clean up properly.

> > This diff looks fine.
> >
> >
> > Kind regards,
> >
> > Paul



-- 
Luiz Augusto von Dentz
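As an added illustration, not code from this thread or from the kernel, the following user-space C model shows why the ordering described in the reply above matters: if the connection object is deleted without first confirming the disconnection to the socket layer, the socket keeps a dangling conn pointer and the NULL guard from the patch cannot catch it. The struct layouts, the `freed` flag and the `scenario()` driver are assumptions made for the model.

```c
/* Added user-space model of the lifetime ordering the reply describes. Names
 * mirror the page (conn, hcon, hci_disconn_cfm, hci_conn_del); the structs
 * and functions are simplified stand-ins, not the kernel's. */
#include <stddef.h>

struct hcon { int handle; };
struct iso_conn { struct hcon *hcon; struct iso_sock *sk; int freed; };
struct iso_sock { struct iso_conn *conn; };

enum { CLOSE_CHAN_DEL = 0, CLOSE_DISCONN = 1, CLOSE_USE_AFTER_FREE = -1 };

/* Socket-layer confirmation: clears the socket's conn pointer before conn
 * goes away, so a later close sees conn == NULL. */
static void hci_disconn_cfm(struct iso_conn *conn)
{
    if (conn->sk) conn->sk->conn = NULL;
}

/* Teardown. "freed" stands in for the allocator releasing the memory; a real
 * use after free is undefined behaviour, here it is only a flag. */
static void hci_conn_del(struct iso_conn *conn, int notify_socket)
{
    if (notify_socket)
        hci_disconn_cfm(conn);   /* the ordering the reply asks for */
    conn->freed = 1;
}

/* Close path with the patch's guard: the NULL check covers a conn that was
 * cleared, but a conn freed without notification still looks valid. */
static int iso_sock_close(struct iso_sock *sk)
{
    if (sk->conn && sk->conn->freed)
        return CLOSE_USE_AFTER_FREE;   /* what the guard cannot catch */
    if (sk->conn && sk->conn->hcon)
        return CLOSE_DISCONN;          /* iso_sock_disconn(sk) */
    return CLOSE_CHAN_DEL;             /* iso_chan_del(sk, ECONNRESET) */
}

/* teardown: 0 = conn still live, 1 = hci_conn_del without hci_disconn_cfm,
 * 2 = hci_conn_del after hci_disconn_cfm. Returns the close outcome. */
static int scenario(int teardown)
{
    struct hcon h = { 1 };
    struct iso_sock sk = { NULL };
    struct iso_conn c = { &h, &sk, 0 };
    sk.conn = &c;
    if (teardown)
        hci_conn_del(&c, teardown == 2);
    return iso_sock_close(&sk);
}
```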

