From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Pauli Virtanen <pav@iki.fi>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Bin Lan <lanbincn@139.com>
Subject: [PATCH 5.15 67/75] Bluetooth: hci_event: call disconnect callback before deleting conn
Date: Mon, 9 Feb 2026 15:25:04 +0100 [thread overview]
Message-ID: <20260209142304.263885246@linuxfoundation.org> (raw)
In-Reply-To: <20260209142301.830618238@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
commit 7f7cfcb6f0825652973b780f248603e23f16ee90 upstream.
In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
ISO, L2CAP and SCO connections refer to the hci_conn without
hci_conn_get, so disconn_cfm must be called so they can clean up their
conn, otherwise use-after-free occurs.
ISO:
==========================================================
iso_sock_connect:880: sk 00000000eabd6557
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
hci_dev_put:1487: hci0 orig refcnt 17
__iso_chan_add:214: conn 00000000b6251073
iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
...
hci_rx_work:4085: hci0 Event packet
hci_event_packet:7601: hci0: event 0x0f
hci_cmd_status_evt:4346: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3107: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
hci_chan_list_flush:2780: hcon 000000001696f1fd
hci_dev_put:1487: hci0 orig refcnt 21
hci_dev_put:1487: hci0 orig refcnt 20
hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
... <no iso_* activity on sk/conn> ...
iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
BUG: kernel NULL pointer dereference, address: 0000000000000668
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
==========================================================
L2CAP:
==================================================================
hci_cmd_status_evt:4359: hci0: opcode 0x0406
hci_cs_disconnect:2760: hci0: status 0x0c
hci_sent_cmd_data:3085: hci0 opcode 0x0406
hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
hci_conn_unlink:1102: hci0: hcon ffff88800c999000
hci_chan_list_flush:2780: hcon ffff88800c999000
hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
...
BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xf8/0x180
? hci_send_acl+0x2d/0x540 [bluetooth]
kasan_report+0xa8/0xe0
? hci_send_acl+0x2d/0x540 [bluetooth]
hci_send_acl+0x2d/0x540 [bluetooth]
? __pfx___lock_acquire+0x10/0x10
l2cap_chan_send+0x1fd/0x1300 [bluetooth]
? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? mark_held_locks+0x1a/0x90
l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
sock_write_iter+0x275/0x280
? __pfx_sock_write_iter+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
do_iter_readv_writev+0x176/0x220
? __pfx_do_iter_readv_writev+0x10/0x10
? find_held_lock+0x83/0xa0
? selinux_file_permission+0x13e/0x210
do_iter_write+0xda/0x340
vfs_writev+0x1b4/0x400
? __pfx_vfs_writev+0x10/0x10
? __seccomp_filter+0x112/0x750
? populate_seccomp_data+0x182/0x220
? __fget_light+0xdf/0x100
? do_writev+0x19d/0x210
do_writev+0x19d/0x210
? __pfx_do_writev+0x10/0x10
? mark_held_locks+0x1a/0x90
do_syscall_64+0x60/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
? do_syscall_64+0x6c/0x90
? lockdep_hardirqs_on_prepare+0x149/0x210
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7ff45cb23e64
Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
</TASK>
Allocated by task 771:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0xaa/0xb0
hci_chan_create+0x67/0x1b0 [bluetooth]
l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
hci_event_packet+0x38d/0x800 [bluetooth]
hci_rx_work+0x287/0xb20 [bluetooth]
process_one_work+0x4f7/0x970
worker_thread+0x8f/0x620
kthread+0x17f/0x1c0
ret_from_fork+0x2c/0x50
Freed by task 771:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
____kasan_slab_free+0x169/0x1c0
slab_free_freelist_hook+0x9e/0x1c0
__kmem_cache_free+0xc0/0x310
hci_chan_list_flush+0x46/0x90 [bluetooth]
hci_conn_cleanup+0x7d/0x330 [bluetooth]
hci_cs_disconnect+0x35d/0x530 [bluetooth]
hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
hci_event_packet+0x38d/0x800 [bluetooth]
hci_rx_work+0x287/0xb20 [bluetooth]
process_one_work+0x4f7/0x970
worker_thread+0x8f/0x620
kthread+0x17f/0x1c0
ret_from_fork+0x2c/0x50
==================================================================
Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2373,6 +2373,9 @@ static void hci_cs_disconnect(struct hci
hci_req_reenable_advertising(hdev);
}
+ /* Inform sockets conn is gone before we delete it */
+ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
+
/* If the disconnection failed for any reason, the upper layer
* does not retry to disconnect in current implementation.
* Hence, we need to do some basic cleanup here and re-enable
next prev parent reply other threads:[~2026-02-09 14:56 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 14:23 [PATCH 5.15 00/75] 5.15.200-rc1 review Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 5.15 01/75] x86/kfence: fix booting on 32bit non-PAE systems Greg Kroah-Hartman
2026-02-09 14:23 ` [PATCH 5.15 02/75] platform/x86: intel_telemetry: Fix swapped arrays in PSS output Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 03/75] rbd: check for EOD after exclusive lock is ensured to be held Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 04/75] ARM: 9468/1: fix memset64() on big-endian Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 05/75] KVM: Dont clobber irqfd routing type when deassigning irqfd Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 06/75] mm/kfence: randomize the freelist on initialization Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 07/75] netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 08/75] Documentation: Remove bogus claim about del_timer_sync() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 09/75] ARM: spear: Do not use timer namespace for timer_shutdown() function Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 10/75] clocksource/drivers/arm_arch_timer: " Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 11/75] clocksource/drivers/sp804: " Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 12/75] timers: Get rid of del_singleshot_timer_sync() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 13/75] timers: Replace BUG_ON()s Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 14/75] timers: Rename del_timer() to timer_delete() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 15/75] Documentation: Replace del_timer/del_timer_sync() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 16/75] timers: Silently ignore timers with a NULL function Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 17/75] timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 18/75] timers: Add shutdown mechanism to the internal functions Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 19/75] timers: Provide timer_shutdown[_sync]() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 20/75] timers: Update the documentation to reflect on the new timer_shutdown() API Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 21/75] Bluetooth: hci_qca: Fix the teardown problem for real Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 22/75] timers: Fix NULL function pointer race in timer_shutdown_sync() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 23/75] binderfs: fix ida_alloc_max() upper bound Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 24/75] wifi: mac80211: ocb: skip rx_no_sta when interface is not joined Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 25/75] wifi: wlcore: ensure skb headroom before skb_push Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 26/75] net: usb: sr9700: support devices with virtual driver CD Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 27/75] block,bfq: fix aux stat accumulation destination Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 28/75] smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 29/75] HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 30/75] HID: intel-ish-hid: Reset enum_devices_done before enumeration Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 31/75] HID: playstation: Center initial joystick axes to prevent spurious events Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 32/75] ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 33/75] netfilter: replace -EEXIST with -EBUSY Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 34/75] HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 35/75] HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 36/75] ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 37/75] wifi: mac80211: collect station statistics earlier when disconnect Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 38/75] ASoC: davinci-evm: Fix reference leak in davinci_evm_probe Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 39/75] ASoC: tlv320adcx140: Propagate error codes during probe Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 40/75] wifi: cfg80211: Fix bitrate calculation overflow for HE rates Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 41/75] scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 42/75] scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 43/75] wifi: mac80211: dont increment crypto_tx_tailroom_needed_cnt twice Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 44/75] platform/x86: toshiba_haps: Fix memory leaks in add/remove routines Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 45/75] platform/x86: intel_telemetry: Fix PSS event register mask Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 46/75] dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 47/75] net: liquidio: Initialize netdev pointer before queue setup Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 48/75] net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 49/75] net: liquidio: Fix off-by-one error in VF " Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 50/75] dpaa2-switch: add bounds check for if_id in IRQ handler Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 51/75] macvlan: fix error recovery in macvlan_common_newlink() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 52/75] tipc: use kfree_sensitive() for session key material Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 53/75] hwmon: (occ) Mark occ_init_attribute() as __printf Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 54/75] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 55/75] nvmet-tcp: add an helper to free the cmd buffers Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 56/75] nvmet-tcp: fix memory leak when performing a controller reset Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 57/75] nvmet-tcp: fix regression in data_digest calculation Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 58/75] nvmet-tcp: dont map pages which cant come from HIGHMEM Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 59/75] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 60/75] ASoC: amd: fix memory leak in acp3x pdm dma ops Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 61/75] riscv: uprobes: Add missing fence.i after building the XOL buffer Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.15 62/75] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 63/75] gfs2: Fix NULL pointer dereference in gfs2_log_flush Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 64/75] tracing: Fix ftrace event field alignments Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 65/75] gve: Fix stats report corruption on queue count change Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 66/75] gve: Correct ethtool rx_dropped calculation Greg Kroah-Hartman
2026-02-09 14:25 ` Greg Kroah-Hartman [this message]
2026-02-09 14:25 ` [PATCH 5.15 68/75] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 69/75] spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 70/75] spi: tegra210-quad: Move curr_xfer read inside spinlock Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 71/75] spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 72/75] spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 73/75] spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 74/75] spi: tegra: Fix a memory leak in tegra_slink_probe() Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.15 75/75] nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page() Greg Kroah-Hartman
2026-02-09 18:16 ` [PATCH 5.15 00/75] 5.15.200-rc1 review Brett A C Sheffield
2026-02-09 18:49 ` Florian Fainelli
2026-02-09 20:47 ` Hardik Garg
2026-02-09 20:55 ` Jon Hunter
2026-02-10 10:07 ` Ron Economos
2026-02-11 11:34 ` Greg Kroah-Hartman
2026-02-10 13:24 ` Mark Brown
2026-02-11 7:27 ` Vijayendra Suman
2026-02-11 10:44 ` Jeffrin Thalakkottoor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260209142304.263885246@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lanbincn@139.com \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=pav@iki.fi \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox