From: "Siwei Zhang" <oss@fourdim.xyz>
To: "Luiz Augusto von Dentz" <luiz.dentz@gmail.com>
Cc: "Marcel Holtmann" <marcel@holtmann.org>,
linux-bluetooth@vger.kernel.org,
"Safa Karakuş" <safa.karakus@secunnix.com>
Subject: Re: [PATCH v7 RESEND 0/1] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_sock_cleanup_listen()
Date: Wed, 20 May 2026 14:56:41 -0400
Message-ID: <ab53262f-329d-4c00-9575-8b3a8e96093a@app.fastmail.com>
In-Reply-To: <CABBYNZ+6bP78+_m_ehhif3xCXxn2ZLQE2q5O3X_03mU8=_T5uA@mail.gmail.com>
Hi Luiz,
On Wed, May 20, 2026, at 2:26 PM, Luiz Augusto von Dentz wrote:
> Hi Siwei,
>
> On Wed, May 20, 2026 at 12:39 PM Siwei Zhang <oss@fourdim.xyz> wrote:
>>
>> Hi Bluetooth maintainers,
>>
>> A public patch covering the same UAF in l2cap_sock_cleanup_listen() was posted to linux-bluetooth on April 28
>> by Safa Karakuş. v4 is here:
>>
>> https://lore.kernel.org/linux-bluetooth/AS8P250MB079109F82C16BEDC4F9FE584EB372@AS8P250MB0791.EURP250.PROD.OUTLOOK.COM/
>>
>> I thank Safa for the report and patch. I had already reported the same issue privately to the maintainers on
>> April 11th. The public patch breaks the embargo, so I would like to resend my patch here.
>>
>> Safa's v4 closes the sk-lifetime hole (sock_hold inside bt_accept_dequeue) but does not take conn->lock around
>> l2cap_chan_close, so the conn->chan_l list-corruption race in my report is still open after it.
>
> Are your changes on top of Safa's though? That seems a lot cleaner to be honest.
>
My patch is not on top of Safa's. The diff looks quite different.
I reported both the sk-lifetime UAF and the conn->chan_l list-corruption race
privately to the maintainers on April 11th, and sent a patch shortly after, on April 12th.
>> My patch closes both: it drops the parent sk_lock, acquires conn->lock → chan->lock in the established order
>> to serialize the chan_l mutation, and re-takes the parent sk_lock before returning.
>
> I'd rather have each issue handled separately though.
>
I am happy to handle that separately.
Could I get a Reported-by on Safa's patch since I reported the underlying issue before the public post?
Reported-by: Siwei Zhang <oss@fourdim.xyz>
I'll send the conn->lock patch (drains accept queue to local list, drops parent sk_lock, acquires conn->lock -> chan_lock in
established order) as another patch shortly.
>> Crash stack and C reproducers are available upon request, only for the maintainers.
>>
>> Maintainers can also refer to the email thread [Bug] KASAN: slab-use-after-free Read in l2cap_security_cfm
>> sent to security@kernel.org on April 11th for more details.
>>
>> Detailed Timeline:
>>
>> April 11th: I privately reported the issue to the maintainers and security@kernel.org
>> April 12th: Patch v1
>> April 13th: Patch v2
>> April 13th: Patch v3
>> April 14th: Patch v4
>> April 15th: Patch v5
>> May 2nd: Patch v6
>> May 2nd: Patch v7
>> May 20th: Resend v7 with a cover letter
>>
>> Best,
>> Siwei
>>
>> Siwei Zhang (1):
>> Bluetooth: L2CAP: Fix slab-use-after-free in
>> l2cap_sock_cleanup_listen()
>>
>> net/bluetooth/l2cap_sock.c | 57 ++++++++++++++++++++++++++++++++------
>> 1 file changed, 49 insertions(+), 8 deletions(-)
>>
>> --
>> 2.54.0
>>
>
>
> --
> Luiz Augusto von Dentz
Best,
Siwei
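The lock ordering Siwei describes above (drain the accept queue to a local list under the parent sk_lock, drop sk_lock, take conn->lock then chan->lock for each channel, re-take sk_lock before returning) is easy to get wrong, so here is a user-space model of it. This is an added example, not code from the kernel or from either patch: the `tracker` is a toy lock-order checker that flags the two things the mail says must not happen (taking conn->lock while the parent's sk_lock is held, and unlinking from chan_l without conn->lock), and the list layout, channel count and the `cleanup_listen_unordered` counter-example are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes of the model.  Established order per the mail: conn->lock
 * before chan->lock; the parent's sk_lock must not be held across either.
 * (Assumed model of the description in the thread, not kernel code.) */
enum lock_class { LK_PARENT_SK, LK_CONN, LK_CHAN, LK_MAX };

struct tracker { int held[LK_MAX]; int violations; };

static void lock_acquire(struct tracker *t, enum lock_class c)
{
    if (t->held[c])                            /* recursive take */
        t->violations++;
    if (c == LK_CONN && t->held[LK_PARENT_SK])  /* sk_lock -> conn->lock: inverted */
        t->violations++;
    if (c == LK_CHAN && !t->held[LK_CONN])      /* chan->lock without conn->lock */
        t->violations++;
    t->held[c] = 1;
}

static void lock_release(struct tracker *t, enum lock_class c)
{
    if (!t->held[c])                           /* releasing a lock not held */
        t->violations++;
    t->held[c] = 0;
}

struct chan {
    struct chan *next_accept;   /* link in the parent's accept queue */
    struct chan *next_chan_l;   /* link in conn->chan_l */
};
struct conn { struct chan *chan_l; };
struct parent { struct chan *accept_q; };

/* Unlink @c from conn->chan_l.  Mutating chan_l requires conn->lock. */
static void chan_l_del(struct tracker *t, struct conn *conn, struct chan *c)
{
    struct chan **pp;
    if (!t->held[LK_CONN])
        t->violations++;
    for (pp = &conn->chan_l; *pp; pp = &(*pp)->next_chan_l)
        if (*pp == c) { *pp = c->next_chan_l; break; }
}

/* The ordering from the mail.  Returns number of channels closed; the
 * parent sk_lock is held again on return, as the caller expects. */
static int cleanup_listen_ordered(struct tracker *t, struct parent *p, struct conn *conn)
{
    struct chan *local, *c;
    int n = 0;

    lock_acquire(t, LK_PARENT_SK);
    local = p->accept_q;            /* drain the whole queue to a local list */
    p->accept_q = NULL;
    lock_release(t, LK_PARENT_SK);  /* drop sk_lock before touching conn */

    while ((c = local) != NULL) {
        local = c->next_accept;
        lock_acquire(t, LK_CONN);   /* conn->lock -> chan->lock, established order */
        lock_acquire(t, LK_CHAN);
        chan_l_del(t, conn, c);
        lock_release(t, LK_CHAN);
        lock_release(t, LK_CONN);
        n++;
    }
    lock_acquire(t, LK_PARENT_SK);  /* re-take sk_lock before returning */
    return n;
}

/* Constructed counter-example: close each queued channel while still under
 * sk_lock and without conn->lock.  Each channel trips the checker twice. */
static int cleanup_listen_unordered(struct tracker *t, struct parent *p, struct conn *conn)
{
    struct chan *c;
    int n = 0;

    lock_acquire(t, LK_PARENT_SK);
    while ((c = p->accept_q) != NULL) {
        p->accept_q = c->next_accept;
        lock_acquire(t, LK_CHAN);
        chan_l_del(t, conn, c);
        lock_release(t, LK_CHAN);
        n++;
    }
    return n;
}

struct result { int closed; int violations; int left_on_chan_l; };

/* Constructed input: three channels sitting on both the accept queue and chan_l. */
static struct result run_scenario(int ordered)
{
    struct tracker t = { {0}, 0 };
    struct chan chans[3] = { {0} }, *c;
    struct conn conn = { NULL };
    struct parent p = { NULL };
    struct result r = { 0, 0, 0 };
    int i;

    for (i = 0; i < 3; i++) {
        chans[i].next_accept = p.accept_q; p.accept_q = &chans[i];
        chans[i].next_chan_l = conn.chan_l; conn.chan_l = &chans[i];
    }
    r.closed = ordered ? cleanup_listen_ordered(&t, &p, &conn)
                       : cleanup_listen_unordered(&t, &p, &conn);
    r.violations = t.violations;
    for (c = conn.chan_l; c; c = c->next_chan_l)
        r.left_on_chan_l++;
    return r;
}

int main(void)
{
    struct result a = run_scenario(1), b = run_scenario(0);
    printf("ordered:   closed=%d violations=%d left=%d\n", a.closed, a.violations, a.left_on_chan_l);
    printf("unordered: closed=%d violations=%d left=%d\n", b.closed, b.violations, b.left_on_chan_l);
    return 0;
}
```

Both variants empty chan_l, which is why a functional test alone would not catch the difference; the checker (a stand-in for lockdep-style order tracking) is what shows the unordered variant mutating chan_l without the lock that protects it.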