From: Michael Bommarito
To: Marcel Holtmann
Cc: Luiz Augusto von Dentz, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del
Date: Tue, 21 Apr 2026 21:14:37 -0400
Message-ID: <20260422011437.176643-1-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260306023155.554597-1-luiz.dentz@gmail.com>
References: <20260306023155.554597-1-luiz.dentz@gmail.com>

Commit dbf666e4fc9b ("Bluetooth: HIDP: Fix possible UAF") changed hidp_session_remove() to drop the L2CAP reference and set session->conn = NULL once the session is considered removed, and added an if (session->conn) guard around the l2cap_unregister_user() call at the kthread-exit site in hidp_session_thread().

The sibling call site in hidp_connection_del() still invokes l2cap_unregister_user(session->conn, &session->user) unconditionally. hidp_session_find() takes the session refcount under down_read(&hidp_session_sem) and returns; between the find() and the call at :1421, hidp_session_remove() can run on another thread (driven by the remote peer disconnecting or local teardown), take down_write(&hidp_session_sem), set session->conn to NULL, and return. The HIDPCONNDEL ioctl path then dereferences a NULL l2cap_conn inside l2cap_unregister_user(), which acquires conn->lock without a NULL check. Result: kernel NULL-pointer dereference.

Apply the same if (session->conn) guard used at the twin site. No functional change when session->conn is non-NULL.

Discovery and verification:

- Found via static audit of every session->conn read in hidp/core.c after the referenced commit landed.
The other reads are safe (creation-time in hidp_session_dev_init, already guarded in session_free / hidp_session_thread / hidp_session_remove; the other hidp_session_find callers do not touch session->conn at all), so :1421 is the only remaining unguarded site.
- Runtime A/B confirmed in UML with CONFIG_BT_HIDP=y + CONFIG_KASAN=y: a late_initcall stub that injects a fake hidp_session with conn=NULL into hidp_session_list and invokes hidp_connection_del() panics on the pre-fix tree at __mutex_lock from l2cap_unregister_user+0x2d, and returns cleanly on the post-fix tree with the new guard short-circuiting before the deref.

Fixes: dbf666e4fc9b ("Bluetooth: HIDP: Fix possible UAF")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
net/bluetooth/hidp/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 7bcf8c5ceaee..9192efd1b156 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -1417,7 +1417,7 @@ int hidp_connection_del(struct hidp_conndel_req *req) HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0); - else + else if (session->conn) l2cap_unregister_user(session->conn, &session->user); hidp_session_put(session); -- 2.53.0
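Review bot: the new `else if (session->conn)` test in hidp_connection_del() reads session->conn without holding hidp_session_sem, while the commit message itself says hidp_session_remove() writes it to NULL under down_write(&hidp_session_sem); so the guard removes the NULL dereference on the described path but leaves a window in which remove() runs between the check and the l2cap_unregister_user(session->conn, &session->user) call, and the call then proceeds on a conn whose L2CAP reference remove() has already dropped. The existing guard in hidp_session_thread() has the same shape, so this may be acceptable, but the commit message should say why the residual window is safe (for example, what keeps the l2cap_conn alive when the session ref taken in hidp_session_find() is the only one held), or the check and call should be done under down_read(&hidp_session_sem), or at minimum the read should use READ_ONCE() to match the cross-thread write. The UML reproduction with a pre-injected conn=NULL session exercises only the check itself, not that race, so it would be worth stating that explicitly in the verification notes.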