* RE: [v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: bluez.test.bot @ 2026-06-05 20:33 UTC (permalink / raw)
To: linux-bluetooth, elver
In-Reply-To: <20260605142351.2306664-1-elver@google.com>
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1106678
---Test result---
Test Summary:
CheckPatch FAIL 0.98 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.14 seconds
GitLint FAIL 0.35 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 25.50 seconds
CheckAllWarning PASS 28.24 seconds
CheckSparse PASS 26.60 seconds
BuildKernel32 PASS 24.91 seconds
TestRunnerSetup PASS 524.91 seconds
TestRunner_l2cap-tester PASS 58.70 seconds
IncrementalBuild PASS 23.81 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#98:
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
ERROR: Unrecognized email address: 'https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz'
#218:
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#218:
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
total: 1 errors, 2 warnings, 0 checks, 60 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14613573.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
8: B1 Line exceeds max length (107>80): "| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]"
9: B1 Line exceeds max length (125>80): "| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"
10: B1 Line exceeds max length (93>80): "| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]"
11: B1 Line exceeds max length (84>80): "| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318"
14: B1 Line exceeds max length (100>80): "| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)"
15: B1 Line exceeds max length (95>80): "| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014"
20: B1 Line exceeds max length (91>80): "| atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"
https://github.com/bluez/bluetooth-next/pull/289
---
Regards,
Linux Bluetooth
* Re: [PATCH v3] Bluetooth: Add SPDX id lines to some source files
From: Paul Menzel @ 2026-06-05 20:31 UTC (permalink / raw)
To: Tim Bird
Cc: marcel, luiz.dentz, jannh@google.com, kuba, kiran.k@intel.com,
chharry, gustavo, prameela.j04cs, maxk, linux-bluetooth,
linux-spdx, linux-kernel
In-Reply-To: <MW5PR13MB5632F713AE9A9C87F131E28DFD112@MW5PR13MB5632.namprd13.prod.outlook.com>
Dear Tim,
On 05.06.26 at 18:25, Bird, Tim wrote:
>> -----Original Message-----
>> From: Paul Menzel <pmenzel@molgen.mpg.de>
>> On 04.06.26 at 19:06, Tim Bird wrote:
>>> Many bluetooth source files are missing SPDX-License-Identifier
>>> lines. Add appropriate IDs to these files, and remove other
>>> license lines from the headers.
>>>
>>> Leave the warranty disclaimer in files where the license ID is
>>> GPL-2.0 but the wording of the disclaimer is slightly different
>>> from that of the GPL v2 disclaimer.
>>>
>>> It is not different enough to cause licensing conflicts, but is
>>> kept to honor the original contributors' legal intent.
>>
>> Could you please add a note, why you use /* */ in header files (suffix
>> `.h`) and // in files ending with `.c`?
>
> This is documented in the kernel policies for applying SPDX license identifier
> lines. See Documentation/process/license-rules.rst, Section 2.
>
> The reason is that some old tools that parse .h files do not (or at least did
> not at one time) correctly handle the '//' style comments.
Thank you for enlightening me, and sorry for my ignorance.
> Did you want me to repeat this policy in the commit message? I'm not
> familiar with any other places where the official coding style is explicitly mentioned
> in the commit message, when the style is used in a contribution.
I think only a few will have read the license rules and just the coding
style, so I'd appreciate at least a reference to license-rules, Section 2.
>>> Signed-off-by: Tim Bird <tim.bird@sony.com>
>>> ---
>>> V2 -> V3:
>>> - move Signed-off-by above changelog
>>> V1 -> V2:
>>> - Leave different warranty disclaimers (which is most of them)
>>> - Remove files recently removed from drivers/bluetooth from the patch
>>> ---
>>> drivers/bluetooth/btrsi.c | 12 +-----------
>>> include/net/bluetooth/bluetooth.h | 5 +----
>>> include/net/bluetooth/hci.h | 5 +----
>>> include/net/bluetooth/hci_core.h | 5 +----
>>> include/net/bluetooth/hci_mon.h | 5 +----
>>> include/net/bluetooth/hci_sock.h | 5 +----
>>> include/net/bluetooth/l2cap.h | 5 +----
>>> include/net/bluetooth/mgmt.h | 5 +----
>>> include/net/bluetooth/rfcomm.h | 5 +----
>>> include/net/bluetooth/sco.h | 5 +----
>>> net/bluetooth/af_bluetooth.c | 5 +----
>>> net/bluetooth/bnep/core.c | 5 +----
>>> net/bluetooth/bnep/netdev.c | 5 +----
>>> net/bluetooth/bnep/sock.c | 5 +----
>>> net/bluetooth/ecdh_helper.c | 5 +----
>>> net/bluetooth/ecdh_helper.h | 5 +----
>>> net/bluetooth/hci_conn.c | 5 +----
>>> net/bluetooth/hci_core.c | 5 +----
>>> net/bluetooth/hci_debugfs.c | 5 +----
>>> net/bluetooth/hci_debugfs.h | 5 +----
>>> net/bluetooth/hci_event.c | 5 +----
>>> net/bluetooth/hci_sock.c | 5 +----
>>> net/bluetooth/hidp/core.c | 5 +----
>>> net/bluetooth/hidp/hidp.h | 5 +----
>>> net/bluetooth/hidp/sock.c | 5 +----
>>> net/bluetooth/l2cap_core.c | 5 +----
>>> net/bluetooth/l2cap_sock.c | 5 +----
>>> net/bluetooth/lib.c | 5 +----
>>> net/bluetooth/mgmt.c | 5 +----
>>> net/bluetooth/mgmt_util.c | 5 +----
>>> net/bluetooth/mgmt_util.h | 5 +----
>>> net/bluetooth/rfcomm/core.c | 5 +----
>>> net/bluetooth/rfcomm/sock.c | 5 +----
>>> net/bluetooth/rfcomm/tty.c | 5 +----
>>> net/bluetooth/sco.c | 5 +----
>>> net/bluetooth/selftest.c | 5 +----
>>> net/bluetooth/selftest.h | 5 +----
>>> net/bluetooth/smp.c | 5 +----
>>> net/bluetooth/smp.h | 5 +----
>>> 39 files changed, 39 insertions(+), 163 deletions(-)
>>
>> […]
With the amended commit message, feel free to add:
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul
* [bluez/action-ci] 979e81: ci: fix GitLint instantiation passing contrib rule...
From: Luiz Augusto von Dentz @ 2026-06-05 20:07 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/main
Home: https://github.com/bluez/action-ci
Commit: 979e8164c387738592e8af778f78634407a8c1bb
https://github.com/bluez/action-ci/commit/979e8164c387738592e8af778f78634407a8c1bb
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M ci.py
Log Message:
-----------
ci: fix GitLint instantiation passing contrib rules correctly
The --contrib argument was passed as a second argument to list.append()
instead of as a parameter to GitLint(). Pass it via gitlint_rules kwarg.
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/action-ci/settings/notifications
* Re: [PATCH v3] Bluetooth: Add SPDX id lines to some source files
From: Luiz Augusto von Dentz @ 2026-06-05 19:53 UTC (permalink / raw)
To: Bird, Tim
Cc: Paul Menzel, marcel@holtmann.org, jannh@google.com,
kuba@kernel.org, kiran.k@intel.com, chharry@chromium.org,
gustavo@padovan.org, prameela.j04cs@gmail.com, maxk@qualcomm.com,
linux-bluetooth@vger.kernel.org, linux-spdx@vger.kernel.org,
linux-kernel@vger.kernel.org
In-Reply-To: <MW5PR13MB5632F713AE9A9C87F131E28DFD112@MW5PR13MB5632.namprd13.prod.outlook.com>
Hi Tim,
On Fri, Jun 5, 2026 at 12:26 PM Bird, Tim <Tim.Bird@sony.com> wrote:
>
>
>
> > -----Original Message-----
> > From: Paul Menzel <pmenzel@molgen.mpg.de>
> > Dear Tim,
> >
> > Thank you for your patch.
> >
> > On 04.06.26 at 19:06, Tim Bird wrote:
> > > Many bluetooth source files are missing SPDX-License-Identifier
> > > lines. Add appropriate IDs to these files, and remove other
> > > license lines from the headers.
> > >
> > > Leave the warranty disclaimer in files where the license ID is
> > > GPL-2.0 but the wording of the disclaimer is slightly different
> > > from that of the GPL v2 disclaimer.
> > >
> > > It is not different enough to cause licensing conflicts, but is
> > > kept to honor the original contributors' legal intent.
> >
> > Could you please add a note, why you use /* */ in header files (suffix
> > `.h`) and // in files ending with `.c`?
>
> This is documented in the kernel policies for applying SPDX license identifier
> lines. See Documentation/process/license-rules.rst, Section 2.
>
> The reason is that some old tools that parse .h files do not (or at least did
> not at one time) correctly handle the '//' style comments.
>
> Did you want me to repeat this policy in the commit message? I'm not
> familiar with any other places where the official coding style is explicitly mentioned
> in the commit message, when the style is used in a contribution.
Nothing to worry about, I've already applied it.
> -- Tim
>
> > > Signed-off-by: Tim Bird <tim.bird@sony.com>
> > > ---
> > > V2 -> V3:
> > > - move Signed-off-by above changelog
> > > V1 -> V2:
> > > - Leave different warranty disclaimers (which is most of them)
> > > - Remove files recently removed from drivers/bluetooth from the patch
> > > ---
> > > drivers/bluetooth/btrsi.c | 12 +-----------
> > > include/net/bluetooth/bluetooth.h | 5 +----
> > > include/net/bluetooth/hci.h | 5 +----
> > > include/net/bluetooth/hci_core.h | 5 +----
> > > include/net/bluetooth/hci_mon.h | 5 +----
> > > include/net/bluetooth/hci_sock.h | 5 +----
> > > include/net/bluetooth/l2cap.h | 5 +----
> > > include/net/bluetooth/mgmt.h | 5 +----
> > > include/net/bluetooth/rfcomm.h | 5 +----
> > > include/net/bluetooth/sco.h | 5 +----
> > > net/bluetooth/af_bluetooth.c | 5 +----
> > > net/bluetooth/bnep/core.c | 5 +----
> > > net/bluetooth/bnep/netdev.c | 5 +----
> > > net/bluetooth/bnep/sock.c | 5 +----
> > > net/bluetooth/ecdh_helper.c | 5 +----
> > > net/bluetooth/ecdh_helper.h | 5 +----
> > > net/bluetooth/hci_conn.c | 5 +----
> > > net/bluetooth/hci_core.c | 5 +----
> > > net/bluetooth/hci_debugfs.c | 5 +----
> > > net/bluetooth/hci_debugfs.h | 5 +----
> > > net/bluetooth/hci_event.c | 5 +----
> > > net/bluetooth/hci_sock.c | 5 +----
> > > net/bluetooth/hidp/core.c | 5 +----
> > > net/bluetooth/hidp/hidp.h | 5 +----
> > > net/bluetooth/hidp/sock.c | 5 +----
> > > net/bluetooth/l2cap_core.c | 5 +----
> > > net/bluetooth/l2cap_sock.c | 5 +----
> > > net/bluetooth/lib.c | 5 +----
> > > net/bluetooth/mgmt.c | 5 +----
> > > net/bluetooth/mgmt_util.c | 5 +----
> > > net/bluetooth/mgmt_util.h | 5 +----
> > > net/bluetooth/rfcomm/core.c | 5 +----
> > > net/bluetooth/rfcomm/sock.c | 5 +----
> > > net/bluetooth/rfcomm/tty.c | 5 +----
> > > net/bluetooth/sco.c | 5 +----
> > > net/bluetooth/selftest.c | 5 +----
> > > net/bluetooth/selftest.h | 5 +----
> > > net/bluetooth/smp.c | 5 +----
> > > net/bluetooth/smp.h | 5 +----
> > > 39 files changed, 39 insertions(+), 163 deletions(-)
> >
> > […]
> >
> >
> > Kind regards,
> >
> > Paul
--
Luiz Augusto von Dentz
* Re: [PATCH 5.10] Bluetooth: hci_core: Fix use-after-free in vhci_flush()
From: Sasha Levin @ 2026-06-05 19:37 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: Sasha Levin, Vladislav Nikolaev, Marcel Holtmann, Johan Hedberg,
David S. Miller, Jakub Kicinski, David Herrmann, linux-bluetooth,
netdev, linux-kernel, Luiz Augusto von Dentz, David Rheinsberg,
Johan Hedberg, lvc-project, syzbot+2faa4825e556199361f9,
Kuniyuki Iwashima, Paul Menzel, Luiz Augusto von Dentz
In-Reply-To: <20260603234343.445-1-vlad102nikolaev@gmail.com>
> [PATCH 5.10] Bluetooth: hci_core: Fix use-after-free in vhci_flush()
Queued for 5.10.y, thanks.
--
Thanks,
Sasha
* [bluez/bluez]
From: BluezTestBot @ 2026-06-05 17:31 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1099150
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
* [bluez/bluez]
From: BluezTestBot @ 2026-06-05 17:31 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1106487
Home: https://github.com/bluez/bluez
* [bluez/bluez] 80e9eb: test-mesh-crypto: Fix retval for skipped test
From: shengzhiyuan @ 2026-06-05 17:30 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: 80e9eb51c4c9f60316c189f3498b137bfbbee7d3
https://github.com/bluez/bluez/commit/80e9eb51c4c9f60316c189f3498b137bfbbee7d3
Author: Bastien Nocera <hadess@hadess.net>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M unit/test-mesh-crypto.c
Log Message:
-----------
test-mesh-crypto: Fix retval for skipped test
Skipped tests should return 77, so they will be marked as skipped in
reports:
$ make check
make --no-print-directory check-TESTS
[...]
PASS: unit/test-gatt
SKIP: unit/test-mesh-crypto
[...]
============================================================================
Testsuite summary for bluez 5.86
============================================================================
# TOTAL: 39
# PASS: 38
# SKIP: 1
[...]
============================================================================
Commit: 7a0c8ebf91e69c3b2d2d48f8f4b0074fddde1fa4
https://github.com/bluez/bluez/commit/7a0c8ebf91e69c3b2d2d48f8f4b0074fddde1fa4
Author: Zhiyuan Sheng <zhiyuan.sheng@oss.qualcomm.com>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M obexd/plugins/pbap.c
M obexd/plugins/phonebook-ebook.c
Log Message:
-----------
obexd: fix PBAP PullPhoneBook failure with ebook backend
phonebook_pull() in phonebook-ebook.c does not set *err = 0 on the
success path, unlike phonebook-tracker.c and phonebook-dummy.c. The
caller vobject_pull_open() in pbap.c declares 'ret' without
initialization and passes &ret to phonebook_pull(), so 'ret' retains
an indeterminate stack value when the ebook backend is in use. The
subsequent 'if (ret < 0)' check then incorrectly triggers and rejects
the request with Internal Server Error.
Fix this by setting *err = 0 on success in phonebook-ebook.c, and
initialize 'ret' to 0 in vobject_pull_open() as a defensive measure
to guard against any backend that omits this assignment.
Compare: https://github.com/bluez/bluez/compare/42b2c543a70c...7a0c8ebf91e6
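The commit message above describes a classic out-parameter contract bug: one backend forgets to write `*err` on its success path, and the caller reads a variable it never initialized. The following is an added example, not obexd code; `backend_pull()` stands in for `phonebook_pull()`, `pull_open_before()` and `pull_open_after()` for `vobject_pull_open()` before and after the fix, `ERR_INTERNAL` for the Internal Server Error reply, and the `stack_garbage` parameter is a constructed stand-in for whatever the uninitialized stack slot held, so the failure is reproducible instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not obexd code): a model of the out-parameter contract the
 * commit describes. backend_pull() stands in for phonebook_pull(); the two
 * pull_open_*() functions for vobject_pull_open() before and after the fix. */

#define ERR_INTERNAL (-1)	/* stand-in for the Internal Server Error reply */

enum backend {
	BACKEND_TRACKER,	/* sets *err = 0 on success, like phonebook-tracker.c */
	BACKEND_EBOOK_OLD,	/* leaves *err untouched on success (the bug) */
	BACKEND_EBOOK_FIXED,	/* sets *err = 0 on success (the fix) */
};

/* Backend entry point: returns a request handle or NULL and reports failure
 * through *err. A NULL phonebook name is the constructed failure trigger. */
static void *backend_pull(enum backend b, const char *name, int *err)
{
	static int request;	/* dummy request object */

	if (!name) {
		*err = -2;	/* every backend does set err on failure */
		return NULL;
	}
	if (b != BACKEND_EBOOK_OLD)
		*err = 0;	/* the old ebook path skips this line */
	return &request;
}

/* Caller before the fix. In the real code 'ret' is simply uninitialized;
 * 'stack_garbage' stands in for whatever the stack slot held, so the outcome
 * is deterministic here instead of undefined behaviour. */
static int pull_open_before(enum backend b, const char *name, int stack_garbage)
{
	int ret = stack_garbage;
	void *req = backend_pull(b, name, &ret);

	if (ret < 0)
		return ERR_INTERNAL;
	return req ? 0 : ERR_INTERNAL;
}

/* Caller after the fix: ret starts at 0, so a backend that omits the
 * success-path assignment can no longer produce a spurious error. */
static int pull_open_after(enum backend b, const char *name)
{
	int ret = 0;
	void *req = backend_pull(b, name, &ret);

	if (ret < 0)
		return ERR_INTERNAL;
	return req ? 0 : ERR_INTERNAL;
}

int main(void)
{
	/* "telecom/pb.vcf" is just a sample object name for the demonstration */
	printf("old ebook backend, stale stack value -7, old caller: %d\n",
	       pull_open_before(BACKEND_EBOOK_OLD, "telecom/pb.vcf", -7));
	printf("old ebook backend, fixed caller:                      %d\n",
	       pull_open_after(BACKEND_EBOOK_OLD, "telecom/pb.vcf"));
	printf("fixed ebook backend, fixed caller, backend failure:  %d\n",
	       pull_open_after(BACKEND_EBOOK_FIXED, NULL));
	return 0;
}
```

The point of carrying both halves of the fix is visible in the model: initializing `ret` at the caller makes the request succeed even against the old backend, while setting `*err = 0` in the backend restores the contract every other backend already honoured. The real defect depends on stack contents, which is why it surfaced only with one backend and not in the others; a run of the unmodified code under Valgrind's memcheck or MemorySanitizer reports the conditional jump on an uninitialized value directly, without needing a lucky stack layout.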
* [bluez/action-ci] 573ed2: ci: Use gitlint to check for missing signed-off-by
From: hadess @ 2026-06-05 16:35 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/main
Home: https://github.com/bluez/action-ci
Commit: 573ed22b5272556bbae648c399b78f673e8892fe
https://github.com/bluez/action-ci/commit/573ed22b5272556bbae648c399b78f673e8892fe
Author: Bastien Nocera <hadess@hadess.net>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M ci.py
M ci/gitlint.py
Log Message:
-----------
ci: Use gitlint to check for missing signed-off-by
But only for kernel patches
See:
https://jorisroovers.com/gitlint/latest/rules/contrib_rules/#cc1-contrib-body-requires-signed-off-by
* Re: [BlueZ] test-mesh-crypto: Fix retval for skipped test
From: patchwork-bot+bluetooth @ 2026-06-05 16:30 UTC (permalink / raw)
To: Bastien Nocera; +Cc: linux-bluetooth
In-Reply-To: <20260605093555.1969171-1-hadess@hadess.net>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Fri, 5 Jun 2026 11:35:53 +0200 you wrote:
> Skipped tests should return 77, so they will be marked as skipped in
> reports:
> $ make check
> make --no-print-directory check-TESTS
> [...]
> PASS: unit/test-gatt
> SKIP: unit/test-mesh-crypto
> [...]
> ============================================================================
> Testsuite summary for bluez 5.86
> ============================================================================
> # TOTAL: 39
> # PASS: 38
> # SKIP: 1
> [...]
> ============================================================================
>
> [...]
Here is the summary with links:
- [BlueZ] test-mesh-crypto: Fix retval for skipped test
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=80e9eb51c4c9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH v1] obexd: fix PBAP PullPhoneBook failure with ebook backend
From: patchwork-bot+bluetooth @ 2026-06-05 16:30 UTC (permalink / raw)
To: Zhiyuan Sheng; +Cc: linux-bluetooth, cheng.jiang, shuai.zhang
In-Reply-To: <20260522060312.1503481-1-zhiyuan.sheng@oss.qualcomm.com>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Fri, 22 May 2026 14:03:12 +0800 you wrote:
> phonebook_pull() in phonebook-ebook.c does not set *err = 0 on the
> success path, unlike phonebook-tracker.c and phonebook-dummy.c. The
> caller vobject_pull_open() in pbap.c declares 'ret' without
> initialization and passes &ret to phonebook_pull(), so 'ret' retains
> an indeterminate stack value when the ebook backend is in use. The
> subsequent 'if (ret < 0)' check then incorrectly triggers and rejects
> the request with Internal Server Error.
>
> [...]
Here is the summary with links:
- [v1] obexd: fix PBAP PullPhoneBook failure with ebook backend
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7a0c8ebf91e6
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* RE: [PATCH v3] Bluetooth: Add SPDX id lines to some source files
From: Bird, Tim @ 2026-06-05 16:25 UTC (permalink / raw)
To: Paul Menzel
Cc: marcel@holtmann.org, luiz.dentz@gmail.com, jannh@google.com,
kuba@kernel.org, kiran.k@intel.com, chharry@chromium.org,
gustavo@padovan.org, prameela.j04cs@gmail.com, maxk@qualcomm.com,
linux-bluetooth@vger.kernel.org, linux-spdx@vger.kernel.org,
linux-kernel@vger.kernel.org
In-Reply-To: <8def22a9-85bb-493c-bd37-a299285a8f79@molgen.mpg.de>
> -----Original Message-----
> From: Paul Menzel <pmenzel@molgen.mpg.de>
> Dear Tim,
>
> Thank you for your patch.
>
> On 04.06.26 at 19:06, Tim Bird wrote:
> > Many bluetooth source files are missing SPDX-License-Identifier
> > lines. Add appropriate IDs to these files, and remove other
> > license lines from the headers.
> >
> > Leave the warranty disclaimer in files where the license ID is
> > GPL-2.0 but the wording of the disclaimer is slightly different
> > from that of the GPL v2 disclaimer.
> >
> > It is not different enough to cause licensing conflicts, but is
> > kept to honor the original contributors' legal intent.
>
> Could you please add a note, why you use /* */ in header files (suffix
> `.h`) and // in files ending with `.c`?
This is documented in the kernel policies for applying SPDX license identifier
lines. See Documentation/process/license-rules.rst, Section 2.
The reason is that some old tools that parse .h files do not (or at least did
not at one time) correctly handle the '//' style comments.
Did you want me to repeat this policy in the commit message? I'm not
familiar with any other places where the official coding style is explicitly mentioned
in the commit message, when the style is used in a contribution.
-- Tim
> > Signed-off-by: Tim Bird <tim.bird@sony.com>
> > ---
> > V2 -> V3:
> > - move Signed-off-by above changelog
> > V1 -> V2:
> > - Leave different warranty disclaimers (which is most of them)
> > - Remove files recently removed from drivers/bluetooth from the patch
> > ---
> > drivers/bluetooth/btrsi.c | 12 +-----------
> > include/net/bluetooth/bluetooth.h | 5 +----
> > include/net/bluetooth/hci.h | 5 +----
> > include/net/bluetooth/hci_core.h | 5 +----
> > include/net/bluetooth/hci_mon.h | 5 +----
> > include/net/bluetooth/hci_sock.h | 5 +----
> > include/net/bluetooth/l2cap.h | 5 +----
> > include/net/bluetooth/mgmt.h | 5 +----
> > include/net/bluetooth/rfcomm.h | 5 +----
> > include/net/bluetooth/sco.h | 5 +----
> > net/bluetooth/af_bluetooth.c | 5 +----
> > net/bluetooth/bnep/core.c | 5 +----
> > net/bluetooth/bnep/netdev.c | 5 +----
> > net/bluetooth/bnep/sock.c | 5 +----
> > net/bluetooth/ecdh_helper.c | 5 +----
> > net/bluetooth/ecdh_helper.h | 5 +----
> > net/bluetooth/hci_conn.c | 5 +----
> > net/bluetooth/hci_core.c | 5 +----
> > net/bluetooth/hci_debugfs.c | 5 +----
> > net/bluetooth/hci_debugfs.h | 5 +----
> > net/bluetooth/hci_event.c | 5 +----
> > net/bluetooth/hci_sock.c | 5 +----
> > net/bluetooth/hidp/core.c | 5 +----
> > net/bluetooth/hidp/hidp.h | 5 +----
> > net/bluetooth/hidp/sock.c | 5 +----
> > net/bluetooth/l2cap_core.c | 5 +----
> > net/bluetooth/l2cap_sock.c | 5 +----
> > net/bluetooth/lib.c | 5 +----
> > net/bluetooth/mgmt.c | 5 +----
> > net/bluetooth/mgmt_util.c | 5 +----
> > net/bluetooth/mgmt_util.h | 5 +----
> > net/bluetooth/rfcomm/core.c | 5 +----
> > net/bluetooth/rfcomm/sock.c | 5 +----
> > net/bluetooth/rfcomm/tty.c | 5 +----
> > net/bluetooth/sco.c | 5 +----
> > net/bluetooth/selftest.c | 5 +----
> > net/bluetooth/selftest.h | 5 +----
> > net/bluetooth/smp.c | 5 +----
> > net/bluetooth/smp.h | 5 +----
> > 39 files changed, 39 insertions(+), 163 deletions(-)
>
> […]
>
>
> Kind regards,
>
> Paul
* Re: [PATCH v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: Luiz Augusto von Dentz @ 2026-06-05 15:47 UTC (permalink / raw)
To: Marco Elver
Cc: Marcel Holtmann, linux-bluetooth, linux-kernel, kasan-dev, stable,
Siwei Zhang, Luiz Augusto von Dentz
In-Reply-To: <20260605142351.2306664-1-elver@google.com>
Hi Marco,
On Fri, Jun 5, 2026 at 10:23 AM Marco Elver <elver@google.com> wrote:
>
> l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
> the connection is torn down while the timer is running or pending,
> chan->conn can be freed, leading to a use-after-free when the timer
> worker attempts to lock conn->lock:
>
> | BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> | BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> | BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> | BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> | Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
> |
> | CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
> | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> | Workqueue: events l2cap_chan_timeout
> | Call Trace:
> | <TASK>
> | instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> | atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> | __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> | mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> | l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
> | process_one_work kernel/workqueue.c:3326 [inline]
> | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> | kthread+0x346/0x430 kernel/kthread.c:436
> | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> | </TASK>
> |
> | Allocated by task 320:
> | l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
> | l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
> | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> | process_one_work kernel/workqueue.c:3326 [inline]
> | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> | kthread+0x346/0x430 kernel/kthread.c:436
> | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> |
> | Freed by task 322:
> | hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
> | hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
> | hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
> | hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
> | hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
> | vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
> | __fput+0x369/0x890 fs/file_table.c:510
> | task_work_run+0x160/0x1d0 kernel/task_work.c:233
> | get_signal+0xf5b/0x1120 kernel/signal.c:2810
> | arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
> | __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
> | exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
> | __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> | syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h: [inline]
> | syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> | do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
> | entry_SYSCALL_64_after_hwframe+0x77/0x7f
> |
> | Last potentially related work creation:
> | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> | process_one_work kernel/workqueue.c:3326 [inline]
> | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> | kthread+0x346/0x430 kernel/kthread.c:436
> | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> |
> | The buggy address belongs to the object at ffff8881298d9400
> | which belongs to the cache kmalloc-512 of size 512
> | The buggy address is located 336 bytes inside of
> | freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
>
> Fix it by having struct l2cap_chan hold a reference to l2cap_conn
> (conn_ref) when the channel is added to the connection, and releasing it
> in the channel destructor. This ensures the connection remains alive as
> long as the channel exists. While conn and conn_ref point to the same
> object, conn being NULL indicates it being torn down, while conn_ref's
> only purpose is to associate its lifetime with the parent channel.
>
> Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
> Cc: <stable@vger.kernel.org>
> Cc: Siwei Zhang <oss@fourdim.xyz>
> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Assisted-by: Gemini:gemini-3.1-pro-preview
> Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
> Signed-off-by: Marco Elver <elver@google.com>
> ---
> v2:
> * Fix UAF in channel timeout by holding conn ref.
>
> v1: https://lore.kernel.org/r/20260603123111.2334409-1-elver@google.com
> ---
> include/net/bluetooth/l2cap.h | 1 +
> net/bluetooth/l2cap_core.c | 15 +++++++++++++--
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index e0a1f2293679..de3673149deb 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -514,6 +514,7 @@ struct l2cap_seq_list {
>
> struct l2cap_chan {
> struct l2cap_conn *conn;
> + struct l2cap_conn *conn_ref;
> struct kref kref;
> atomic_t nesting;
>
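Review bot: the new `conn_ref` field has no comment explaining how it differs from `conn`, which now points at the same object. The commit message carries the rule (`conn == NULL` means the channel is detached, `conn_ref` only pins the connection's lifetime), but a reader of the header will not see it; suggest a one-line comment on the field, e.g. `struct l2cap_conn *conn_ref; /* pins conn lifetime, dropped in l2cap_chan_destroy() */`.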
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index c4ccfbda9d78..7f331a31b723 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -422,6 +422,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
> */
> l2cap_chan_lock(chan);
>
> + if (!chan->conn)
> + goto unlock;
> +
> if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
> reason = ECONNREFUSED;
> else if (chan->state == BT_CONNECT &&
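Review bot: the early `goto unlock` silently skips `chan->ops->close(chan)` for a channel whose `conn` is NULL without saying why that is safe; a comment at the check stating that a NULL `chan->conn` means `l2cap_chan_del()` already ran and closed the channel there would make the timer readable on its own. It is also worth confirming that `chan->conn` is only ever cleared under the chan lock, since this check relies on the `l2cap_chan_lock(chan)` above for its stability.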
> @@ -434,10 +437,10 @@ static void l2cap_chan_timeout(struct work_struct *work)
>
> chan->ops->close(chan);
>
> +unlock:
> l2cap_chan_unlock(chan);
> - l2cap_chan_put(chan);
> -
> mutex_unlock(&conn->lock);
> + l2cap_chan_put(chan);
> }
>
> struct l2cap_chan *l2cap_chan_create(void)
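Review bot: moving `l2cap_chan_put(chan)` after `mutex_unlock(&conn->lock)` is load-bearing and deserves a comment: with this series the channel destructor drops `conn_ref`, so a put that releases the last channel reference can free `conn`, and an unlock of `conn->lock` after that put would touch freed memory. Suggest `/* Put the chan last: destroying it may drop conn_ref and free conn */` above the put, so a later cleanup does not restore the old order.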
> @@ -490,6 +493,9 @@ static void l2cap_chan_destroy(struct kref *kref)
> list_del(&chan->global_l);
> write_unlock(&chan_list_lock);
>
> + if (chan->conn_ref)
> + l2cap_conn_put(chan->conn_ref);
> +
> kfree(chan);
> }
>
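Review bot: `l2cap_conn_put(chan->conn_ref)` in the destructor only releases the connection once every channel reference is gone, so if anything on the connection side also holds a channel reference (for example while the channel sits on the connection's channel list), the two objects keep each other alive until the channel is detached. Please state in the commit message which teardown path (the `l2cap_chan_del()` run that clears `chan->conn`) guarantees that detach happens for every channel, so the cycle is known to break rather than leak the connection.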
> @@ -594,6 +600,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
> conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
>
> chan->conn = conn;
> + chan->conn_ref = l2cap_conn_get(conn);
>
> switch (chan->chan_type) {
> case L2CAP_CHAN_CONN_ORIENTED:
> @@ -3160,12 +3167,16 @@ static void l2cap_ack_timeout(struct work_struct *work)
>
> l2cap_chan_lock(chan);
>
> + if (!chan->conn)
> + goto unlock;
> +
> frames_to_ack = __seq_offset(chan, chan->buffer_seq,
> chan->last_acked_seq);
>
> if (frames_to_ack)
> l2cap_send_rr_or_rnr(chan, 0);
>
> +unlock:
> l2cap_chan_unlock(chan);
> l2cap_chan_put(chan);
> }
> --
> 2.54.0.1032.g2f8565e1d1-goog
While I consider this a much cleaner approach than any of the previous
ones, perhaps we could go one step further and stop using chan->conn as an
indication that l2cap_chan_del has run/detached the l2cap_chan and instead
perhaps use a flag, e.g. FLAG_DEL; that way we can make chan->conn be
used for reference tracking alone and don't need to introduce yet
another field for it.
--
Luiz Augusto von Dentz
* [PATCH v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: Marco Elver @ 2026-06-05 14:23 UTC
To: elver
Cc: Marcel Holtmann, Luiz Augusto von Dentz, linux-bluetooth,
linux-kernel, kasan-dev, stable, Siwei Zhang,
Luiz Augusto von Dentz
l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
the connection is torn down while the timer is running or pending,
chan->conn can be freed, leading to a use-after-free when the timer
worker attempts to lock conn->lock:
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
|
| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
| Workqueue: events l2cap_chan_timeout
| Call Trace:
| <TASK>
| instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
| </TASK>
|
| Allocated by task 320:
| l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
| l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
| hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
| hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
| hci_event_func net/bluetooth/hci_event.c:7796 [inline]
| hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
| hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| Freed by task 322:
| hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
| hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
| hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
| hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
| hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
| vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
| __fput+0x369/0x890 fs/file_table.c:510
| task_work_run+0x160/0x1d0 kernel/task_work.c:233
| get_signal+0xf5b/0x1120 kernel/signal.c:2810
| arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
| __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
| exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
| __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
| syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h: [inline]
| syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
| do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
| entry_SYSCALL_64_after_hwframe+0x77/0x7f
|
| Last potentially related work creation:
| hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
| hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
| hci_event_func net/bluetooth/hci_event.c:7796 [inline]
| hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
| hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| The buggy address belongs to the object at ffff8881298d9400
| which belongs to the cache kmalloc-512 of size 512
| The buggy address is located 336 bytes inside of
| freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
Fix it by having struct l2cap_chan hold a reference to l2cap_conn
(conn_ref) when the channel is added to the connection, and releasing it
in the channel destructor. This ensures the connection remains alive as
long as the channel exists. While conn and conn_ref point to the same
object, conn being NULL indicates it being torn down, while conn_ref's
only purpose is to associate its lifetime with the parent channel.
Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
Cc: <stable@vger.kernel.org>
Cc: Siwei Zhang <oss@fourdim.xyz>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Assisted-by: Gemini:gemini-3.1-pro-preview
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
---
v2:
* Fix UAF in channel timeout by holding conn ref.
v1: https://lore.kernel.org/r/20260603123111.2334409-1-elver@google.com
---
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 15 +++++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index e0a1f2293679..de3673149deb 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -514,6 +514,7 @@ struct l2cap_seq_list {
struct l2cap_chan {
struct l2cap_conn *conn;
+ struct l2cap_conn *conn_ref;
struct kref kref;
atomic_t nesting;
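Review bot: the new `conn_ref` field sits directly under `conn` with nothing in the header saying how the two differ, so a reader has to find this commit message to learn that `conn` going NULL marks a detached channel while `conn_ref` only pins the connection's lifetime. Add a comment above the field, e.g. `/* reference on conn, held for the lifetime of the channel */`, or, as suggested in the reply on this thread, mark the detached state with an explicit flag so that one pointer can carry the reference and the second field is not needed.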
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c4ccfbda9d78..7f331a31b723 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -422,6 +422,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
*/
l2cap_chan_lock(chan);
+ if (!chan->conn)
+ goto unlock;
+
if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
reason = ECONNREFUSED;
else if (chan->state == BT_CONNECT &&
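Review bot: the `if (!chan->conn) goto unlock;` check runs only after `conn->lock` has been taken through the local `conn`, which this function reads from `chan->conn` before the hunk starts; the check therefore protects the close path, not the `mutex_lock()` that KASAN flagged, and what makes that lock safe is the `conn_ref` pin added elsewhere in the patch. A comment here would make that split explicit, e.g. `/* Detached by l2cap_chan_del() while the work was pending; conn_ref keeps conn alive. */`, and the commit message should say how the case where `chan->conn` is already NULL when the local `conn` is read is handled before the lock is taken.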
@@ -434,10 +437,10 @@ static void l2cap_chan_timeout(struct work_struct *work)
chan->ops->close(chan);
+unlock:
l2cap_chan_unlock(chan);
- l2cap_chan_put(chan);
-
mutex_unlock(&conn->lock);
+ l2cap_chan_put(chan);
}
struct l2cap_chan *l2cap_chan_create(void)
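Review bot: moving `l2cap_chan_put(chan)` below `mutex_unlock(&conn->lock)` is what keeps this function correct once the channel destructor can drop the last connection reference: with the old order, `l2cap_chan_put()` could free `chan` and, through `conn_ref`, the `conn` whose lock is released on the next line. The commit message does not mention this reorder; a sentence there, and a comment such as `/* may free chan and with it conn: must follow the conn->lock release */`, would keep a later cleanup from moving it back.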
@@ -490,6 +493,9 @@ static void l2cap_chan_destroy(struct kref *kref)
list_del(&chan->global_l);
write_unlock(&chan_list_lock);
+ if (chan->conn_ref)
+ l2cap_conn_put(chan->conn_ref);
+
kfree(chan);
}
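Review bot: `l2cap_conn_put()` is now called from `l2cap_chan_destroy()`, so the connection's destructor can run wherever the last channel reference is dropped, including from the two timeout workers changed in this patch; the commit message should state that this is safe in every such context. A comment on the `if (chan->conn_ref)` branch should also say that it covers channels that were never added to a connection, since `conn_ref` is only set in `__l2cap_chan_add()`.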
@@ -594,6 +600,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
chan->conn = conn;
+ chan->conn_ref = l2cap_conn_get(conn);
switch (chan->chan_type) {
case L2CAP_CHAN_CONN_ORIENTED:
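Review bot: `chan->conn_ref = l2cap_conn_get(conn);` overwrites whatever is already stored there, so a channel added to a connection a second time would leak the earlier reference. Either release the old reference first or make the assumption checkable, e.g. `WARN_ON(chan->conn_ref);` before the assignment, so that a double add shows up instead of silently pinning the old connection forever.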
@@ -3160,12 +3167,16 @@ static void l2cap_ack_timeout(struct work_struct *work)
l2cap_chan_lock(chan);
+ if (!chan->conn)
+ goto unlock;
+
frames_to_ack = __seq_offset(chan, chan->buffer_seq,
chan->last_acked_seq);
if (frames_to_ack)
l2cap_send_rr_or_rnr(chan, 0);
+unlock:
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
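Review bot: `l2cap_ack_timeout()` appears neither in the commit message nor in the KASAN report, so say why the same `!chan->conn` bail-out is needed here (the `l2cap_send_rr_or_rnr()` path must not run on a detached channel). Unlike `l2cap_chan_timeout()`, this function keeps `l2cap_chan_put(chan)` directly after `l2cap_chan_unlock()` with no connection lock visible in the hunk; if that put can free `conn` via `conn_ref`, the commit message should state that nothing here touches `conn` afterwards.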
--
2.54.0.1032.g2f8565e1d1-goog
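To make the lifetime argument in the commit message concrete, here is an added user-space C model (not kernel code, and not part of the patch or the thread) of the chan/conn reference relationship it describes: the pre-fix state where the worker's conn pointer is freed under it, the v2 fix where the channel pins the connection through conn_ref and uses a NULL conn as the detached marker, and the reason the l2cap_chan_put() call has to move below the conn unlock. Objects are "freed" by flipping a state field so a use-after-free is counted rather than corrupting memory; names such as run(), TOUCH and race_result are constructed for the example.

```c
/* Added example, not kernel code and not part of the patch: a user-space model
 * of the chan/conn lifetime bug and of the v2 fix. Objects are "freed" by
 * flipping a state field, so a use-after-free is counted instead of corrupting
 * memory. All names are constructed stand-ins for the kernel ones. */
#include <stdbool.h>
#include <stdio.h>

enum obj_state { ALIVE, FREED };

struct conn { enum obj_state state; int ref; };  /* ref stands in for the kref */

struct chan {
	enum obj_state state;
	int ref;
	struct conn *conn;      /* NULL once l2cap_chan_del() detached the channel */
	struct conn *conn_ref;  /* v2: reference pinned for the channel's lifetime */
	bool closed;
};

/* uaf: touches of a FREED object (what KASAN reports); closed: did the timeout
 * run its close path; leaked: something still ALIVE after the last put. */
struct race_result { int uaf; bool closed; bool leaked; };

static int uaf_events;
#define TOUCH(obj) do { if ((obj)->state != ALIVE) uaf_events++; } while (0)

static struct conn *conn_get(struct conn *c) { TOUCH(c); c->ref++; return c; }
static void conn_put(struct conn *c) { TOUCH(c); if (--c->ref == 0) c->state = FREED; }

/* mutex_lock(&conn->lock) on a freed conn is the access in the KASAN report */
static bool conn_lock(struct conn *c) { TOUCH(c); return c->state == ALIVE; }
static void conn_unlock(struct conn *c) { TOUCH(c); }

/* l2cap_chan_put() + l2cap_chan_destroy(): v2 drops conn_ref in the destructor */
static void chan_put(struct chan *ch)
{
	if (--ch->ref)
		return;
	if (ch->conn_ref)
		conn_put(ch->conn_ref);
	ch->state = FREED;
}

/* __l2cap_chan_add(): conn owns a reference on chan; v2 adds the reverse pin */
static void chan_add(struct chan *ch, struct conn *c, bool hold_conn_ref)
{
	*ch = (struct chan){ ALIVE, 1, c, NULL, false };
	if (hold_conn_ref)
		ch->conn_ref = conn_get(c);
}

/* l2cap_conn_del(): detach the channel, then drop the owner's reference */
static void conn_del(struct conn *c, struct chan *ch)
{
	ch->conn = NULL;
	chan_put(ch);
	conn_put(c);
}

/* Worker body of l2cap_chan_timeout(); 'conn' is what the worker read from
 * chan->conn before teardown ran, i.e. inside the race window. */
static void chan_timeout(struct chan *ch, struct conn *conn, bool put_after_unlock)
{
	if (!conn_lock(conn))
		return;               /* freed conn: the UAF has been counted */
	if (ch->conn)                 /* still attached: run the close path */
		ch->closed = true;
	if (put_after_unlock) {       /* v2 order */
		conn_unlock(conn);
		chan_put(ch);         /* may free ch and, through conn_ref, conn */
	} else {                      /* old order */
		chan_put(ch);         /* may free conn while it is still locked */
		conn_unlock(conn);
	}
}

/* One run. race: the worker reads chan->conn, is preempted, teardown completes,
 * then the worker resumes. !race: the timeout fires while still attached. */
struct race_result run(bool race, bool hold_conn_ref, bool put_after_unlock)
{
	struct conn c = { ALIVE, 1 };
	struct chan ch;

	uaf_events = 0;
	chan_add(&ch, &c, hold_conn_ref);
	ch.ref++;                     /* __set_chan_timer() holds the chan */
	struct conn *worker_conn = ch.conn;
	if (race)
		conn_del(&c, &ch);
	chan_timeout(&ch, worker_conn, put_after_unlock);
	if (!race)
		conn_del(&c, &ch);
	return (struct race_result){ uaf_events, ch.closed,
				     c.state == ALIVE || ch.state == ALIVE };
}

int main(void)
{
	printf("race without pin: %d UAF; with pin, put-then-unlock: %d; unlock-then-put: %d\n",
	       run(true, false, true).uaf, run(true, true, false).uaf, run(true, true, true).uaf);
	return 0;
}
```

The three race cases mirror the states of the patch: without the pin the hit lands on the lock, as in the report; with the pin but the original put-before-unlock order the hit moves to the unlock, because the channel destructor frees the connection while its lock is still held; with the v2 order there is neither a hit nor a leak. The `closed` result shows what the `!chan->conn` check buys: the close path runs only when the channel is still attached.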
* Re: [PATCH] Bluetooth: L2CAP: Fix UAF in l2cap_chan_timeout
From: Luiz Augusto von Dentz @ 2026-06-05 13:53 UTC
To: Marco Elver
Cc: Marcel Holtmann, linux-bluetooth, linux-kernel, kasan-dev, stable,
Siwei Zhang, Luiz Augusto von Dentz
In-Reply-To: <aiKigutVmlbOuXGy@elver.google.com>
Hi Marco,
On Fri, Jun 5, 2026 at 6:18 AM Marco Elver <elver@google.com> wrote:
>
> On Thu, Jun 04, 2026 at 10:10AM -0400, Luiz Augusto von Dentz wrote:
> > Hi Marco,
> >
> > On Thu, Jun 4, 2026 at 8:45 AM Marco Elver <elver@google.com> wrote:
> > >
> > > On Wed, Jun 03, 2026 at 01:31PM -0400, Luiz Augusto von Dentz wrote:
> > > > Hi Marco,
> > > >
> > > > On Wed, Jun 3, 2026 at 9:16 AM Marco Elver <elver@google.com> wrote:
> > > > >
> > > > > On Wed, 3 Jun 2026 at 14:31, Marco Elver <elver@google.com> wrote:
> > > > > >
> > > > > > l2cap_chan_timeout() accesses chan->conn without holding a reference to
> > > > > > the connection object. If l2cap_conn_del() races and tears down the
> > > > > > connection while the timer is waiting for locks, it can result in a
> > > > > > use-after-free when the timer wakes up and attempts to acquire
> > > > > > conn->lock:
> > > > > >
> > > > > > | BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> > > > > > | BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> > > > > > | BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> > > > > > | BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> > > > > > | Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
> > > > > > |
> > > > > > | CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
> > > > > > | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > > > > > | Workqueue: events l2cap_chan_timeout
> > > > > > | Call Trace:
> > > > > > | <TASK>
> > > > > > | instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> > > > > > | atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> > > > > > | __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> > > > > > | mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> > > > > > | l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
> > > > > > | process_one_work kernel/workqueue.c:3326 [inline]
> > > > > > | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > > > > | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > > > > | kthread+0x346/0x430 kernel/kthread.c:436
> > > > > > | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > > > > | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > > > > | </TASK>
> > > > > > |
> > > > > > | Allocated by task 320:
> > > > > > | l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
> > > > > > | l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
> > > > > > | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> > > > > > | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> > > > > > | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> > > > > > | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> > > > > > | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> > > > > > | process_one_work kernel/workqueue.c:3326 [inline]
> > > > > > | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > > > > | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > > > > | kthread+0x346/0x430 kernel/kthread.c:436
> > > > > > | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > > > > | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > > > > |
> > > > > > | Freed by task 322:
> > > > > > | hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
> > > > > > | hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
> > > > > > | hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
> > > > > > | hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
> > > > > > | hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
> > > > > > | vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
> > > > > > | __fput+0x369/0x890 fs/file_table.c:510
> > > > > > | task_work_run+0x160/0x1d0 kernel/task_work.c:233
> > > > > > | get_signal+0xf5b/0x1120 kernel/signal.c:2810
> > > > > > | arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
> > > > > > | __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
> > > > > > | exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
> > > > > > | __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> > > > > > | syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
> > > > > > | syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> > > > > > | do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
> > > > > > | entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > > > > |
> > > > > > | Last potentially related work creation:
> > > > > > | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> > > > > > | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> > > > > > | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> > > > > > | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> > > > > > | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> > > > > > | process_one_work kernel/workqueue.c:3326 [inline]
> > > > > > | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > > > > | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > > > > | kthread+0x346/0x430 kernel/kthread.c:436
> > > > > > | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > > > > | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > > > > |
> > > > > > | The buggy address belongs to the object at ffff8881298d9400
> > > > > > | which belongs to the cache kmalloc-512 of size 512
> > > > > > | The buggy address is located 336 bytes inside of
> > > > > > | freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
> > > > > >
> > > > > > Fix it by holding a reference to the connection when the channel timer
> > > > > > is scheduled, and releasing it when the timer is either canceled or
> > > > > > executes to completion.
> > > > > >
> > > > > > Since l2cap_chan_del() nullifies chan->conn to disassociate the channel
> > > > > > during teardown, the timer handler might read NULL from chan->conn even
> > > > > > if it held a reference. To address this, introduce a `timer_conn` field
> > > > > > to `struct l2cap_chan` to store the connection pointer associated with
> > > > > > the active timer. The timer handler uses this field to acquire locks and
> > > > > > release the connection reference, and skips channel closing operations
> > > > > > if chan->conn has already been nullified by teardown.
> > > > > >
> > > > > > Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
> > > > > > Cc: <stable@vger.kernel.org>
> > > > > > Cc: Siwei Zhang <oss@fourdim.xyz>
> > > > > > Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > > Assisted-by: Gemini:gemini-3.1-pro-preview
> > > > > > Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
> > > > > > Signed-off-by: Marco Elver <elver@google.com>
> > > > >
> > > > > Sigh, Sashiko points out more problems here:
> > > > > https://sashiko.dev/#/patchset/20260603123111.2334409-1-elver%40google.com
> > > > >
> > > > > > Can this lockless read of chan->timer_conn cause a use-after-free or double
> > > > > > free if another thread re-arms the timer concurrently?
> > > > >
> > > > > I haven't analyzed this further yet, so consider this patch a
> > > > > bug-report-only. If anyone finds a better fix sooner, please go ahead.
> > > >
> > > > I was thinking of something like the following:
> > >
> > > I tested that and my repro didn't trigger the UAF here, but I still
> > > think it has the same fundamental issue:
> > >
> > > If the timer worker is preempted immediately after reading chan->conn
> > > but before entering l2cap_conn_hold_unless_zero(), l2cap_conn_del() can
> > > complete concurrently.
> > >
> > > When the timer worker resumes, l2cap_conn_hold_unless_zero(conn) will
> > > attempt to read conn->ref that has already been freed, resulting in
> > > another UAF.
> >
> > I see. The window is very narrow but it is perhaps still triggerable
> > somehow. The only thing that comes to mind is that we would need to
> > take a reference of l2cap_conn with the likes of l2cap_set_timer then,
> > which means l2cap_chan_timeout needs to drop not only l2cap_chan but
> > also l2cap_conn when done, otherwise there will always be the risk of
> > l2cap_conn_del running while l2cap_chan_timeout is pending.
>
> What if we tie conn's lifetime to chan? I see that 'conn' being
> NULL/non-NULL is also used as a presence/not-present marker, but we
> could add an explicit conn_ref?
>
> ------ >8 ------
>
> From: Marco Elver <elver@google.com>
> Date: Wed, 3 Jun 2026 18:24:56 +0200
> Subject: [PATCH] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
>
> l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
> the connection is torn down while the timer is running or pending,
> chan->conn can be freed, leading to a use-after-free when the timer
> worker attempts to lock conn->lock:
>
> | BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> | BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> | BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> | BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> | Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
> |
> | CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
> | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> | Workqueue: events l2cap_chan_timeout
> | Call Trace:
> | <TASK>
> | instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> | atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> | __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> | mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> | l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
> | process_one_work kernel/workqueue.c:3326 [inline]
> | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> | kthread+0x346/0x430 kernel/kthread.c:436
> | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> | </TASK>
> |
> | Allocated by task 320:
> | l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
> | l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
> | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> | process_one_work kernel/workqueue.c:3326 [inline]
> | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> | kthread+0x346/0x430 kernel/kthread.c:436
> | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> |
> | Freed by task 322:
> | hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
> | hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
> | hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
> | hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
> | hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
> | vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
> | __fput+0x369/0x890 fs/file_table.c:510
> | task_work_run+0x160/0x1d0 kernel/task_work.c:233
> | get_signal+0xf5b/0x1120 kernel/signal.c:2810
> | arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
> | __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
> | exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
> | __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> | syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h: [inline]
> | syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> | do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
> | entry_SYSCALL_64_after_hwframe+0x77/0x7f
> |
> | Last potentially related work creation:
> | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> | process_one_work kernel/workqueue.c:3326 [inline]
> | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> | kthread+0x346/0x430 kernel/kthread.c:436
> | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> |
> | The buggy address belongs to the object at ffff8881298d9400
> | which belongs to the cache kmalloc-512 of size 512
> | The buggy address is located 336 bytes inside of
> | freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
>
> Fix it by having struct l2cap_chan hold a reference to l2cap_conn
> (conn_ref) when the channel is added to the connection, and releasing it
> in the channel destructor. This ensures the connection remains alive as
> long as the channel exists. While conn and conn_ref point to the same
> object, conn being NULL indicates it being torn down, while conn_ref's
> only purpose is to associate its lifetime with the parent channel.
>
> Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
> Cc: <stable@vger.kernel.org>
> Cc: Siwei Zhang <oss@fourdim.xyz>
> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Assisted-by: Gemini:gemini-3.1-pro-preview
> Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
> Signed-off-by: Marco Elver <elver@google.com>
> ---
> include/net/bluetooth/l2cap.h | 1 +
> net/bluetooth/l2cap_core.c | 15 +++++++++++++--
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index e0a1f2293679..de3673149deb 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -514,6 +514,7 @@ struct l2cap_seq_list {
>
> struct l2cap_chan {
> struct l2cap_conn *conn;
> + struct l2cap_conn *conn_ref;
> struct kref kref;
> atomic_t nesting;
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index c4ccfbda9d78..7f331a31b723 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -422,6 +422,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
> */
> l2cap_chan_lock(chan);
>
> + if (!chan->conn)
> + goto unlock;
> +
> if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
> reason = ECONNREFUSED;
> else if (chan->state == BT_CONNECT &&
> @@ -434,10 +437,10 @@ static void l2cap_chan_timeout(struct work_struct *work)
>
> chan->ops->close(chan);
>
> +unlock:
> l2cap_chan_unlock(chan);
> - l2cap_chan_put(chan);
> -
> mutex_unlock(&conn->lock);
> + l2cap_chan_put(chan);
> }
>
> struct l2cap_chan *l2cap_chan_create(void)
> @@ -490,6 +493,9 @@ static void l2cap_chan_destroy(struct kref *kref)
> list_del(&chan->global_l);
> write_unlock(&chan_list_lock);
>
> + if (chan->conn_ref)
> + l2cap_conn_put(chan->conn_ref);
> +
> kfree(chan);
> }
>
> @@ -594,6 +600,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
> conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
>
> chan->conn = conn;
> + chan->conn_ref = l2cap_conn_get(conn);
>
> switch (chan->chan_type) {
> case L2CAP_CHAN_CONN_ORIENTED:
> @@ -3160,12 +3167,16 @@ static void l2cap_ack_timeout(struct work_struct *work)
>
> l2cap_chan_lock(chan);
>
> + if (!chan->conn)
> + goto unlock;
> +
> frames_to_ack = __seq_offset(chan, chan->buffer_seq,
> chan->last_acked_seq);
>
> if (frames_to_ack)
> l2cap_send_rr_or_rnr(chan, 0);
>
> +unlock:
> l2cap_chan_unlock(chan);
> l2cap_chan_put(chan);
> }
> --
> 2.54.0.1032.g2f8565e1d1-goog
Looks good, please spin a patch, since just pasting like the above
doesn't seem to trigger PW and a CI/CD run.
--
Luiz Augusto von Dentz
* RE: [BlueZ] test-mesh-crypto: Fix retval for skipped test
From: bluez.test.bot @ 2026-06-05 11:10 UTC
To: linux-bluetooth, hadess
In-Reply-To: <20260605093555.1969171-1-hadess@hadess.net>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1106487
---Test result---
Test Summary:
CheckPatch FAIL 0.32 seconds
GitLint PASS 0.24 seconds
BuildEll PASS 20.60 seconds
BluezMake PASS 665.36 seconds
MakeCheck PASS 19.11 seconds
MakeDistcheck PASS 250.36 seconds
CheckValgrind PASS 300.16 seconds
CheckSmatch PASS 351.23 seconds
bluezmakeextell PASS 182.59 seconds
IncrementalBuild PASS 654.30 seconds
ScanBuild PASS 1052.78 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ] test-mesh-crypto: Fix retval for skipped test
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#58:
============================================================================
/github/workspace/src/patch/14613073.patch total: 0 errors, 1 warnings, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14613073.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluez/pull/2181
---
Regards,
Linux Bluetooth
* Re: [PATCH v3] Bluetooth: Add SPDX id lines to some source files
From: Paul Menzel @ 2026-06-05 10:21 UTC
To: Tim Bird
Cc: marcel, luiz.dentz, jannh, kuba, kiran.k, chharry, gustavo,
prameela.j04cs, maxk, linux-bluetooth, linux-spdx, linux-kernel
In-Reply-To: <20260604170633.730139-1-tim.bird@sony.com>
Dear Tim,
Thank you for your patch.
On 04.06.26 at 19:06, Tim Bird wrote:
> Many bluetooth source files are missing SPDX-License-Identifier
> lines. Add appropriate IDs to these files, and remove other
> license lines from the headers.
>
> Leave the warranty disclaimer in files where the license ID is
> GPL-2.0 but the wording of the disclaimer is slightly different
> from that of the GPL v2 disclaimer.
>
> It is not different enough to cause licensing conflicts, but is
> kept to honor the original contributors' legal intent.
Could you please add a note, why you use /* */ in header files (suffix
`.h`) and // in files ending with `.c`?
> Signed-off-by: Tim Bird <tim.bird@sony.com>
> ---
> V2 -> V3:
> - move Signed-off-by above changelog
> V1 -> V2:
> - Leave different warranty disclaimers (which is most of them)
> - Remove files recently removed from drivers/bluetooth from the patch
> ---
> drivers/bluetooth/btrsi.c | 12 +-----------
> include/net/bluetooth/bluetooth.h | 5 +----
> include/net/bluetooth/hci.h | 5 +----
> include/net/bluetooth/hci_core.h | 5 +----
> include/net/bluetooth/hci_mon.h | 5 +----
> include/net/bluetooth/hci_sock.h | 5 +----
> include/net/bluetooth/l2cap.h | 5 +----
> include/net/bluetooth/mgmt.h | 5 +----
> include/net/bluetooth/rfcomm.h | 5 +----
> include/net/bluetooth/sco.h | 5 +----
> net/bluetooth/af_bluetooth.c | 5 +----
> net/bluetooth/bnep/core.c | 5 +----
> net/bluetooth/bnep/netdev.c | 5 +----
> net/bluetooth/bnep/sock.c | 5 +----
> net/bluetooth/ecdh_helper.c | 5 +----
> net/bluetooth/ecdh_helper.h | 5 +----
> net/bluetooth/hci_conn.c | 5 +----
> net/bluetooth/hci_core.c | 5 +----
> net/bluetooth/hci_debugfs.c | 5 +----
> net/bluetooth/hci_debugfs.h | 5 +----
> net/bluetooth/hci_event.c | 5 +----
> net/bluetooth/hci_sock.c | 5 +----
> net/bluetooth/hidp/core.c | 5 +----
> net/bluetooth/hidp/hidp.h | 5 +----
> net/bluetooth/hidp/sock.c | 5 +----
> net/bluetooth/l2cap_core.c | 5 +----
> net/bluetooth/l2cap_sock.c | 5 +----
> net/bluetooth/lib.c | 5 +----
> net/bluetooth/mgmt.c | 5 +----
> net/bluetooth/mgmt_util.c | 5 +----
> net/bluetooth/mgmt_util.h | 5 +----
> net/bluetooth/rfcomm/core.c | 5 +----
> net/bluetooth/rfcomm/sock.c | 5 +----
> net/bluetooth/rfcomm/tty.c | 5 +----
> net/bluetooth/sco.c | 5 +----
> net/bluetooth/selftest.c | 5 +----
> net/bluetooth/selftest.h | 5 +----
> net/bluetooth/smp.c | 5 +----
> net/bluetooth/smp.h | 5 +----
> 39 files changed, 39 insertions(+), 163 deletions(-)
[…]
Kind regards,
Paul
^ permalink raw reply
* Re: [PATCH] Bluetooth: L2CAP: Fix UAF in l2cap_chan_timeout
From: Marco Elver @ 2026-06-05 10:18 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: Marcel Holtmann, linux-bluetooth, linux-kernel, kasan-dev, stable,
Siwei Zhang, Luiz Augusto von Dentz
In-Reply-To: <CABBYNZLvDNPM9YXa+Whbx=+4Cgy-rp+pVVv0J0M52DsUMcQ8NQ@mail.gmail.com>
On Thu, Jun 04, 2026 at 10:10AM -0400, Luiz Augusto von Dentz wrote:
> Hi Marco,
>
> On Thu, Jun 4, 2026 at 8:45 AM Marco Elver <elver@google.com> wrote:
> >
> > On Wed, Jun 03, 2026 at 01:31PM -0400, Luiz Augusto von Dentz wrote:
> > > Hi Marco,
> > >
> > > On Wed, Jun 3, 2026 at 9:16 AM Marco Elver <elver@google.com> wrote:
> > > >
> > > > On Wed, 3 Jun 2026 at 14:31, Marco Elver <elver@google.com> wrote:
> > > > >
> > > > > l2cap_chan_timeout() accesses chan->conn without holding a reference to
> > > > > the connection object. If l2cap_conn_del() races and tears down the
> > > > > connection while the timer is waiting for locks, it can result in a
> > > > > use-after-free when the timer wakes up and attempts to acquire
> > > > > conn->lock:
> > > > >
> > > > > | BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> > > > > | BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> > > > > | BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> > > > > | BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> > > > > | Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
> > > > > |
> > > > > | CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
> > > > > | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > > > > | Workqueue: events l2cap_chan_timeout
> > > > > | Call Trace:
> > > > > | <TASK>
> > > > > | instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> > > > > | atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> > > > > | __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> > > > > | mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> > > > > | l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
> > > > > | process_one_work kernel/workqueue.c:3326 [inline]
> > > > > | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > > > | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > > > | kthread+0x346/0x430 kernel/kthread.c:436
> > > > > | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > > > | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > > > | </TASK>
> > > > > |
> > > > > | Allocated by task 320:
> > > > > | l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
> > > > > | l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
> > > > > | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> > > > > | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> > > > > | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> > > > > | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> > > > > | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> > > > > | process_one_work kernel/workqueue.c:3326 [inline]
> > > > > | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > > > | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > > > | kthread+0x346/0x430 kernel/kthread.c:436
> > > > > | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > > > | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > > > |
> > > > > | Freed by task 322:
> > > > > | hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
> > > > > | hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
> > > > > | hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
> > > > > | hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
> > > > > | hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
> > > > > | vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
> > > > > | __fput+0x369/0x890 fs/file_table.c:510
> > > > > | task_work_run+0x160/0x1d0 kernel/task_work.c:233
> > > > > | get_signal+0xf5b/0x1120 kernel/signal.c:2810
> > > > > | arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
> > > > > | __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
> > > > > | exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
> > > > > | __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> > > > > | syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
> > > > > | syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> > > > > | do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
> > > > > | entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > > > |
> > > > > | Last potentially related work creation:
> > > > > | hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> > > > > | hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> > > > > | hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> > > > > | hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> > > > > | hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> > > > > | process_one_work kernel/workqueue.c:3326 [inline]
> > > > > | process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > > > | worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > > > | kthread+0x346/0x430 kernel/kthread.c:436
> > > > > | ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > > > | ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > > > |
> > > > > | The buggy address belongs to the object at ffff8881298d9400
> > > > > | which belongs to the cache kmalloc-512 of size 512
> > > > > | The buggy address is located 336 bytes inside of
> > > > > | freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
> > > > >
> > > > > Fix it by holding a reference to the connection when the channel timer
> > > > > is scheduled, and releasing it when the timer is either canceled or
> > > > > executes to completion.
> > > > >
> > > > > Since l2cap_chan_del() nullifies chan->conn to disassociate the channel
> > > > > during teardown, the timer handler might read NULL from chan->conn even
> > > > > if it held a reference. To address this, introduce a `timer_conn` field
> > > > > to `struct l2cap_chan` to store the connection pointer associated with
> > > > > the active timer. The timer handler uses this field to acquire locks and
> > > > > release the connection reference, and skips channel closing operations
> > > > > if chan->conn has already been nullified by teardown.
> > > > >
> > > > > Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
> > > > > Cc: <stable@vger.kernel.org>
> > > > > Cc: Siwei Zhang <oss@fourdim.xyz>
> > > > > Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > > Assisted-by: Gemini:gemini-3.1-pro-preview
> > > > > Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
> > > > > Signed-off-by: Marco Elver <elver@google.com>
> > > >
> > > > Sigh, Sashiko points out more problems here:
> > > > https://sashiko.dev/#/patchset/20260603123111.2334409-1-elver%40google.com
> > > >
> > > > > Can this lockless read of chan->timer_conn cause a use-after-free or double
> > > > > free if another thread re-arms the timer concurrently?
> > > >
> > > > I haven't analyzed this further yet, so consider this patch a
> > > > bug-report-only. If anyone finds a better fix sooner, please go ahead.
> > >
> > > I was thinking of something like the following:
> >
> > I tested that and my repro didn't trigger the UAF here, but I still
> > think it has the same fundamental issue:
> >
> > If the timer worker is preempted immediately after reading chan->conn
> > but before entering l2cap_conn_hold_unless_zero(), l2cap_conn_del() can
> > complete concurrently.
> >
> > When the timer worker resumes, l2cap_conn_hold_unless_zero(conn) will
> > attempt to read conn->ref that has already been freed, resulting in
> > another UAF.
>
> I see. The window is very narrow but it is perhaps still triggerable
> somehow. The only thing that comes to mind is that we would need to
> take a reference of l2cap_conn with the likes of l2cap_set_timer then,
> which means l2cap_chan_timeout needs to drop not only l2cap_chan but
> also l2cap_conn when done, otherwise there will always be the risk of
> l2cap_conn_del running while l2cap_chan_timeout is pending.
What if we tie conn's lifetime to chan? I see that 'conn' being
NULL/non-NULL is also used as a presence/not-present marker, but we
could add an explicit conn_ref?
------ >8 ------
From: Marco Elver <elver@google.com>
Date: Wed, 3 Jun 2026 18:24:56 +0200
Subject: [PATCH] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
the connection is torn down while the timer is running or pending,
chan->conn can be freed, leading to a use-after-free when the timer
worker attempts to lock conn->lock:
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
|
| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
| Workqueue: events l2cap_chan_timeout
| Call Trace:
| <TASK>
| instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
| </TASK>
|
| Allocated by task 320:
| l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
| l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
| hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
| hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
| hci_event_func net/bluetooth/hci_event.c:7796 [inline]
| hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
| hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| Freed by task 322:
| hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
| hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
| hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
| hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
| hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
| vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
| __fput+0x369/0x890 fs/file_table.c:510
| task_work_run+0x160/0x1d0 kernel/task_work.c:233
| get_signal+0xf5b/0x1120 kernel/signal.c:2810
| arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
| __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
| exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
| __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
| syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
| syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
| do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
| entry_SYSCALL_64_after_hwframe+0x77/0x7f
|
| Last potentially related work creation:
| hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
| hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
| hci_event_func net/bluetooth/hci_event.c:7796 [inline]
| hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
| hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| The buggy address belongs to the object at ffff8881298d9400
| which belongs to the cache kmalloc-512 of size 512
| The buggy address is located 336 bytes inside of
| freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
Fix it by having struct l2cap_chan hold a reference to l2cap_conn
(conn_ref) when the channel is added to the connection, and releasing it
in the channel destructor. This ensures the connection remains alive as
long as the channel exists. While conn and conn_ref point to the same
object, conn being NULL indicates it being torn down, while conn_ref's
only purpose is to associate its lifetime with the parent channel.
Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
Cc: <stable@vger.kernel.org>
Cc: Siwei Zhang <oss@fourdim.xyz>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Assisted-by: Gemini:gemini-3.1-pro-preview
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
---
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 15 +++++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index e0a1f2293679..de3673149deb 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -514,6 +514,7 @@ struct l2cap_seq_list {
struct l2cap_chan {
struct l2cap_conn *conn;
+ struct l2cap_conn *conn_ref;
struct kref kref;
atomic_t nesting;
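Review bot: the new conn_ref field gets no comment, and nothing in the struct says how it differs from the conn pointer one line above it. The commit message carries the rule (conn is set to NULL to mark teardown, conn_ref only pins the object's lifetime), but a reader of l2cap.h will not see it; a one-line comment on the field, e.g. `/* pinned for the channel's lifetime, dropped in l2cap_chan_destroy() */`, would record the invariant where it is enforced.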
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c4ccfbda9d78..7f331a31b723 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -422,6 +422,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
*/
l2cap_chan_lock(chan);
+ if (!chan->conn)
+ goto unlock;
+
if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
reason = ECONNREFUSED;
else if (chan->state == BT_CONNECT &&
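Review bot: the new `if (!chan->conn) goto unlock;` is evaluated under l2cap_chan_lock(), but the `conn` whose mutex is released in the next hunk (`mutex_unlock(&conn->lock)`) is a local obtained before the channel lock, and the report shows mutex_lock() in l2cap_chan_timeout() at l2cap_core.c:422, just above this hunk. If that local comes from chan->conn and l2cap_chan_del() has already cleared chan->conn when the worker starts, the local is NULL rather than the object this patch keeps alive. The pointer the patch guarantees to stay valid is chan->conn_ref; locking through that (and saying so in a comment) would make the function depend only on the invariant the patch adds. It is also worth confirming in the commit message that skipping chan->ops->close() here cannot leave the channels closed via this timer by the Fixes: commit (cleanup_listen()) unclosed.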
@@ -434,10 +437,10 @@ static void l2cap_chan_timeout(struct work_struct *work)
chan->ops->close(chan);
+unlock:
l2cap_chan_unlock(chan);
- l2cap_chan_put(chan);
-
mutex_unlock(&conn->lock);
+ l2cap_chan_put(chan);
}
struct l2cap_chan *l2cap_chan_create(void)
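Review bot: moving l2cap_chan_put() below mutex_unlock(&conn->lock) is load-bearing with this patch, not a cosmetic reorder: once l2cap_chan_destroy() calls l2cap_conn_put(chan->conn_ref), a put that drops the last channel reference can free the very connection whose mutex is still held, so the put must come after the unlock. The commit message should say this explicitly, and every other path that drops a channel reference while holding conn->lock needs the same ordering check, since the hazard is new with this patch.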
@@ -490,6 +493,9 @@ static void l2cap_chan_destroy(struct kref *kref)
list_del(&chan->global_l);
write_unlock(&chan_list_lock);
+ if (chan->conn_ref)
+ l2cap_conn_put(chan->conn_ref);
+
kfree(chan);
}
@@ -594,6 +600,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
chan->conn = conn;
+ chan->conn_ref = l2cap_conn_get(conn);
switch (chan->chan_type) {
case L2CAP_CHAN_CONN_ORIENTED:
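Review bot: `chan->conn_ref = l2cap_conn_get(conn);` overwrites whatever was in conn_ref without releasing it. If a channel can pass through __l2cap_chan_add() more than once (after l2cap_chan_del() cleared chan->conn and the channel is re-added), the first reference leaks and the connection it pinned is never freed. Either `WARN_ON(chan->conn_ref)` here to document that re-adding cannot happen, or put the old reference before taking the new one.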
@@ -3160,12 +3167,16 @@ static void l2cap_ack_timeout(struct work_struct *work)
l2cap_chan_lock(chan);
+ if (!chan->conn)
+ goto unlock;
+
frames_to_ack = __seq_offset(chan, chan->buffer_seq,
chan->last_acked_seq);
if (frames_to_ack)
l2cap_send_rr_or_rnr(chan, 0);
+unlock:
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
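Review bot: the same `if (!chan->conn) goto unlock;` guard is added to l2cap_ack_timeout(), but the commit message mentions only l2cap_chan_timeout() and the ack timer is not in the scope of the Fixes: commit. Say why this timer needs it (presumably l2cap_send_rr_or_rnr() going through chan->conn) and note it in the commit message, and check whether any other delayed work in this file that sends through chan->conn needs the identical guard, so the fix is applied consistently rather than to the one callback the reproducer happened to hit.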
--
2.54.0.1032.g2f8565e1d1-goog
^ permalink raw reply related
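The lifetime rule the v2 patch above introduces, as an added example that is not part of the original thread or of the kernel's code: a user-space model in which a channel pins its connection with conn_ref, the pending timer work holds a channel reference, and teardown clears chan->conn. Struct and function names mirror l2cap_core.c, but every helper, the plain-int reference counts and the `freed` flag that stands in for kfree() are assumptions of this model. It replays the interleaving from the KASAN report (timer worker reads chan->conn, l2cap_conn_del() runs, worker resumes) with and without conn_ref, and also shows why the patch moves l2cap_chan_put() below mutex_unlock(): when the timer holds the last channel reference, putting it under the lock lets the destructor drop conn_ref and free the connection whose mutex is about to be unlocked.

```c
/*
 * Added example, not the kernel's code: a user-space model of the
 * channel/connection lifetime rule in the patch above. Names mirror
 * l2cap_core.c; refcounts are plain ints and "freeing" sets a flag
 * instead of returning memory, so no freed memory is ever touched.
 */
#include <stdbool.h>
#include <stdio.h>

struct conn {
    int ref;        /* stands in for conn->ref (kref) */
    bool freed;     /* set when the last reference drops; kfree() stand-in */
};

struct chan {
    struct conn *conn;      /* NULL once l2cap_chan_del() disassociated the channel */
    struct conn *conn_ref;  /* reference pinned for the channel's lifetime (the patch) */
    int ref;                /* stands in for chan->kref */
    bool closed;            /* did chan->ops->close() run? */
};

struct scenario {
    bool with_conn_ref;      /* channel pins the conn, as after the patch */
    bool owner_drops_early;  /* socket already gone: the timer work holds the last chan ref */
    bool put_before_unlock;  /* pre-patch order of l2cap_chan_put() vs mutex_unlock() */
};

struct result {
    bool timer_touched_freed_conn;  /* the slab-use-after-free from the report */
    bool chan_closed_by_timer;
    bool conn_freed_at_end;         /* nothing leaked once the channel is gone */
};

static struct conn *conn_get(struct conn *c) { c->ref++; return c; }

static void conn_put(struct conn *c)
{
    if (--c->ref == 0)
        c->freed = true;
}

static void chan_put(struct chan *ch)
{
    if (--ch->ref != 0)
        return;
    if (ch->conn_ref)           /* l2cap_chan_destroy(): release the pinned reference */
        conn_put(ch->conn_ref);
}

/* __l2cap_chan_add() */
static void chan_add(struct conn *c, struct chan *ch, bool with_conn_ref)
{
    ch->conn = c;
    ch->conn_ref = with_conn_ref ? conn_get(c) : NULL;
}

/*
 * l2cap_chan_timeout() once the worker is rescheduled. `c` is the value of
 * chan->conn read at entry, before teardown had a chance to run.
 */
static bool chan_timeout_resume(struct chan *ch, struct conn *c, bool put_before_unlock)
{
    bool unlock_touched_freed;

    if (c->freed)
        return true;             /* mutex_lock(&conn->lock) on freed memory */
    if (ch->conn)                /* the patch's `if (!chan->conn) goto unlock;` */
        ch->closed = true;       /* chan->ops->close(chan) */
    if (put_before_unlock)
        chan_put(ch);            /* may destroy chan and drop conn_ref under conn->lock */
    unlock_touched_freed = c->freed; /* mutex_unlock(&conn->lock) */
    if (!put_before_unlock)
        chan_put(ch);            /* patch order: drop the timer's ref after unlocking */
    return unlock_touched_freed;
}

/* Interleaving from the report: timer enters, l2cap_conn_del() runs, timer resumes. */
struct result run_race(struct scenario s)
{
    struct conn c = { .ref = 1 };    /* l2cap_conn_add() */
    struct chan ch = { .ref = 1 };   /* owner's reference, e.g. the socket */
    struct result r = { 0 };
    struct conn *snapshot;

    chan_add(&c, &ch, s.with_conn_ref);
    ch.ref++;                        /* __set_chan_timer(): pending work holds the chan */
    snapshot = ch.conn;              /* l2cap_chan_timeout() entry; worker preempted here */

    if (s.owner_drops_early)
        chan_put(&ch);
    ch.conn = NULL;                  /* l2cap_chan_del() called from l2cap_conn_del() */
    conn_put(&c);                    /* l2cap_conn_del() drops the connection's own ref */

    r.timer_touched_freed_conn = chan_timeout_resume(&ch, snapshot, s.put_before_unlock);
    r.chan_closed_by_timer = ch.closed;
    if (!s.owner_drops_early)
        chan_put(&ch);
    r.conn_freed_at_end = c.freed;
    return r;
}

int main(void)
{
    struct result before = run_race((struct scenario){ .put_before_unlock = true });
    struct result after = run_race((struct scenario){ .with_conn_ref = true });

    printf("pre-patch: timer touched freed conn = %d\n", before.timer_touched_freed_conn);
    printf("patched:   timer touched freed conn = %d, conn freed at end = %d\n",
           after.timer_touched_freed_conn, after.conn_freed_at_end);
    return 0;
}
```

Compile with `cc -std=c11 model.c && ./a.out`. The scenario is a plain argument, so other interleavings (owner gone before the timer fires, put before or after the unlock) are one call away; the combination `with_conn_ref + owner_drops_early + put_before_unlock` is the one that shows the reorder in the second hunk is required, not cosmetic.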
* [bluez/bluez] 8650ce: test-mesh-crypto: Fix retval for skipped test
From: hadess @ 2026-06-05 10:11 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1106487
Home: https://github.com/bluez/bluez
Commit: 8650cea314a4b2414f639438d18989782d08e1b0
https://github.com/bluez/bluez/commit/8650cea314a4b2414f639438d18989782d08e1b0
Author: Bastien Nocera <hadess@hadess.net>
Date: 2026-06-05 (Fri, 05 Jun 2026)
Changed paths:
M unit/test-mesh-crypto.c
Log Message:
-----------
test-mesh-crypto: Fix retval for skipped test
Skipped tests should return 77, so they will be marked as skipped in
reports:
$ make check
make --no-print-directory check-TESTS
[...]
PASS: unit/test-gatt
SKIP: unit/test-mesh-crypto
[...]
============================================================================
Testsuite summary for bluez 5.86
============================================================================
# TOTAL: 39
# PASS: 38
# SKIP: 1
[...]
============================================================================
^ permalink raw reply
* Re: [bluez/action-ci] c1b86b: ci: add verify_fixes and verify_signedoff checks f...
From: Bastien Nocera @ 2026-06-05 10:10 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
In-Reply-To: <bluez/action-ci/push/refs/heads/main/80ebbf-c1b86b@github.com>
On Thu, 2026-05-21 at 08:48 -0700, Luiz Augusto von Dentz wrote:
> Branch: refs/heads/main
> Home: https://github.com/bluez/action-ci
> Commit: c1b86bca7cacc936bea82b3ca8b2ee4b4fcb6e74
>
> https://github.com/bluez/action-ci/commit/c1b86bca7cacc936bea82b3ca8b2ee4b4fcb6e74
> Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Date: 2026-05-21 (Thu, 21 May 2026)
>
> Changed paths:
> M Dockerfile
> M ci.py
> M ci/__init__.py
> A ci/verifyfixes.py
> A ci/verifysignedoff.py
> A scripts/verify_fixes.sh
> A scripts/verify_signedoff.sh
>
> Log Message:
> -----------
> ci: add verify_fixes and verify_signedoff checks for kernel patches
>
> Add scripts from gregkh/gregkh-linux adapted for GitHub Actions:
> - verify_fixes.sh: validates Fixes: tag format, SHA existence, subject
>   match, and ancestry (removed external Linus tree dependency)
> - verify_signedoff.sh: validates author/committer Signed-off-by presence
I haven't verified whether the functionality matches 1-1, but gitlint
already has support for verifying signed-off-by:
$ gitlint -C gitlint --contrib contrib-body-requires-signed-off-by --msg-filename example.msg
1: CC1 Body does not contain a 'Signed-off-by' line
I've tried to integrate it into:
https://github.com/bluez/action-ci/pull/6
>
> Both run against origin/master..HEAD after checkpatch in the kernel CI
> pipeline and report results as warnings to patchwork.
>
^ permalink raw reply
* Re: [PATCH v1] obexd: fix PBAP PullPhoneBook failure with ebook backend
From: Bastien Nocera @ 2026-06-05 9:39 UTC (permalink / raw)
To: Zhiyuan Sheng, linux-bluetooth; +Cc: cheng.jiang, shuai.zhang
In-Reply-To: <20260522060312.1503481-1-zhiyuan.sheng@oss.qualcomm.com>
On Fri, 2026-05-22 at 14:03 +0800, Zhiyuan Sheng wrote:
> phonebook_pull() in phonebook-ebook.c does not set *err = 0 on the
> success path, unlike phonebook-tracker.c and phonebook-dummy.c. The
> caller vobject_pull_open() in pbap.c declares 'ret' without
> initialization and passes &ret to phonebook_pull(), so 'ret' retains
> an indeterminate stack value when the ebook backend is in use. The
> subsequent 'if (ret < 0)' check then incorrectly triggers and rejects
> the request with Internal Server Error.
>
> Fix this by setting *err = 0 on success in phonebook-ebook.c, and
> initialize 'ret' to 0 in vobject_pull_open() as a defensive measure
> to guard against any backend that omits this assignment.
>
> Signed-off-by: Zhiyuan Sheng <zhiyuan.sheng@oss.qualcomm.com>
Looks good to me
^ permalink raw reply
* Re: [PATCH BlueZ v1] test-mesh-crypto: Don't attempt to run test if AF_ALG is not available
From: Bastien Nocera @ 2026-06-05 9:36 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth
In-Reply-To: <20260522164912.3253018-1-luiz.dentz@gmail.com>
On Fri, 2026-05-22 at 12:49 -0400, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This makes use of mesh_crypto_check_avail to check if AF_ALG is available
> and if not just bails out, which is similar to how test-crypto handles
> bt_crypto_new returning NULL.
Skipped tests should return "77" instead.
I've sent a patch to fix that.
> ---
> unit/test-mesh-crypto.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/unit/test-mesh-crypto.c b/unit/test-mesh-crypto.c
> index 36cae70a68a4..24fbbba33298 100644
> --- a/unit/test-mesh-crypto.c
> +++ b/unit/test-mesh-crypto.c
> @@ -2132,6 +2132,9 @@ int main(int argc, char *argv[])
> {
> l_log_set_stderr();
>
> + if (!mesh_crypto_check_avail())
> + return 0;
> +
> /* Section 8.1 Sample Data Tests */
> check_s1(&s8_1_1);
> check_k1(&s8_1_2);
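Review bot: `return 0;` when mesh_crypto_check_avail() fails reports a binary that ran none of its checks as a pass, so a build host without AF_ALG silently loses the whole mesh crypto suite. Automake's test driver treats exit status 77 as SKIP; `return 77;` here keeps the report honest and makes the missing kernel feature visible in the summary.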
^ permalink raw reply
* [BlueZ] test-mesh-crypto: Fix retval for skipped test
From: Bastien Nocera @ 2026-06-05 9:35 UTC (permalink / raw)
To: linux-bluetooth
Skipped tests should return 77, so they will be marked as skipped in
reports:
$ make check
make --no-print-directory check-TESTS
[...]
PASS: unit/test-gatt
SKIP: unit/test-mesh-crypto
[...]
============================================================================
Testsuite summary for bluez 5.86
============================================================================
# TOTAL: 39
# PASS: 38
# SKIP: 1
[...]
============================================================================
---
unit/test-mesh-crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unit/test-mesh-crypto.c b/unit/test-mesh-crypto.c
index 24fbbba33298..95d17e1d81c8 100644
--- a/unit/test-mesh-crypto.c
+++ b/unit/test-mesh-crypto.c
@@ -2133,7 +2133,7 @@ int main(int argc, char *argv[])
l_log_set_stderr();
if (!mesh_crypto_check_avail())
- return 0;
+ return 77;
/* Section 8.1 Sample Data Tests */
check_s1(&s8_1_1);
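Review bot: 77 is a magic number at the point where it is returned; a short comment (automake's exit status for a skipped test) or a named constant would save the next reader the lookup, given that the line it replaces read `return 0` and looked just as plausible.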
--
2.54.0
^ permalink raw reply related
* Re: Fwd: Correct contact people(s) and Linux branch for my HID driver?
From: Bastien Nocera @ 2026-06-05 9:25 UTC (permalink / raw)
To: Mikko Laanti, linux-bluetooth
In-Reply-To: <74db472595986d0dec795353ea5f1eed7a3bd8e2.camel@strokeplan.com>
Hello Mikko,
On Thu, 2026-05-28 at 21:38 +0300, Mikko Laanti wrote:
> Hi,
>
> I have written the following driver for the Bluetooth HID device iRig
> BlueTurn. Whom should I contact? If it is accepted, into what Linux kernel
> git branch should I check it in?
The way to submit patches to the kernel is explained at:
https://www.kernel.org/doc/html/v7.0/process/submitting-patches.html
What you'll find, once you've put your patch in a commit, generated
that patch and run "scripts/get_maintainer.pl", is that all drivers
under drivers/hid get reviewed on the linux-input@ mailing-list.
You can find how to post to it at:
https://subspace.kernel.org/vger.kernel.org.html
Cheers
>
> Regards,
>
> Mikko Laanti
>
>
> // SPDX-License-Identifier: GPL-2.0+
> /*
>  * HID driver for IK Multimedia iRig BlueTurn devices
>  *
>  * Copyright (c) 2026 Mikko Laanti <strokeplan@gmail.com>
>  */
>
> #include <linux/hid.h>
> #include <linux/module.h>
>
> #include "hid-ids.h"
>
> MODULE_AUTHOR("Mikko Laanti <strokeplan@gmail.com>");
> MODULE_DESCRIPTION("iRig BlueTurn devices");
> MODULE_LICENSE("GPL");
>
> /* Changes in Makefile
>  * obj-$(CONFIG_HID_IRIG_BLUETURN) += hid-irig-blueturn.o
>  *
>  * Changes in Kconfig
>  * config HID_IRIG_BLUETURN
>  *	tristate "iRig BlueTurn devices"
>  *	help
>  *	  Support for iRig BlueTurn devices, which are not fully compliant
>  *	  with the HID standard.
>  *	  hid-irig-blueturn
>  *
>  *	  To compile this driver as a module, choose M here: the module
>  *	  will be called hid-irig-blueturn.ko.
>  *
>  * Changes in hid-ids.h
>  * #define USB_VENDOR_ID_IK_MULTIMEDIA			0x0214
>  * #define USB_VENDOR_ID_IK_MULTIMEDIA_IRIG_BLUETURN	0x0002
>  */
>
> /*
>  * The iRig BlueTurn (page turner) foot-controlled Bluetooth keyboard uses
>  * unnumbered keyboard messages. It can be configured to three possible
>  * configurations for its two buttons:
>  * 1. ARROW_UP/ARROW_DOWN
>  * 2. PAGE_UP/PAGE_DOWN
>  * 3. ARROW_LEFT/ARROW_RIGHT
>  * E.g. a compliant Bluetooth keyboard sends Up Arrow as:
>  *   01 00 00 52 00 00 00 00 00   (first data byte means it is "numbered")
>  * The IK Multimedia iRig BlueTurn sends Up Arrow as:
>  *   00 00 00 52 00 00 00 00
>  * Without this driver and an iRig BlueTurn connected, dmesg shows:
>  *   "Event data for report 0 was too short (8 vs 7)"
>  *   (hid-core.c: hid_report_raw_event)
>  */
>
> static int irig_blueturn_raw_event(struct hid_device *hdev,
> 				   struct hid_report *report, u8 *data, int size)
> {
> 	/*
> 	 * The iRig BlueTurn always sends unnumbered 8-byte (64-bit) data
> 	 * reports. hid-core.c: hid_report_raw_event() decreases the data
> 	 * size by one because keyboard messages should be numbered. We
> 	 * decrease the report size here so that it passes the data size
> 	 * test in hid-core.c:hid_report_raw_event(). The right way would be
> 	 * to adjust the data so that it looks exactly like a compliant
> 	 * keyboard, but we cannot change the size because it is passed to
> 	 * this function by value, not by reference.
> 	 */
> 	if (report->size == 64)		/* 64 bits long */
> 		report->size = 56;	/* decrease it to 56 bits */
>
> 	return 0;
> }
>
> static const struct hid_device_id irig_blueturn_id_table[] = {
> 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_IK_MULTIMEDIA,
> 			       USB_VENDOR_ID_IK_MULTIMEDIA_IRIG_BLUETURN) },
> 	{ }
> };
> MODULE_DEVICE_TABLE(hid, irig_blueturn_id_table);
>
> static struct hid_driver irig_blueturn_driver = {
> 	.name = "irig blueturn",
> 	.id_table = irig_blueturn_id_table,
> 	.raw_event = irig_blueturn_raw_event,
> };
>
> module_hid_driver(irig_blueturn_driver);
^ permalink raw reply
* [Bug 220703] Bluetooth connection is sporadic, quality is poor - halts and stammers with linux-firmware-network-20250917_1
From: bugzilla-daemon @ 2026-06-04 21:45 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-220703-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=220703
Bob Hepple (bob.hepple@gmail.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |ANSWERED
--- Comment #2 from Bob Hepple (bob.hepple@gmail.com) ---
This appears to be resolved as of linux-6.18.32_1 and Firmware Version: 83-7.26
^ permalink raw reply