From: Greg KH <gregkh@linuxfoundation.org>
To: Kai Zen <kai.aizen.dev@gmail.com>
Cc: linux-bluetooth@vger.kernel.org, luiz.von.dentz@intel.com,
stable@vger.kernel.org, marcel@holtmann.org
Subject: Re: [PATCH v3] Bluetooth: hci_conn: Fix UAF in create_big_sync and create_big_complete
Date: Thu, 5 Mar 2026 08:16:12 +0100
Message-ID: <2026030557-apprehend-implicate-5b2b@gregkh>
In-Reply-To: <CALynFi7dq+5R+TRYa3T-9ethQ_TKegBtiv1AAAG5Lfb9oMto2A@mail.gmail.com>
On Thu, Mar 05, 2026 at 03:19:19AM +0200, Kai Zen wrote:
> create_big_sync() and create_big_complete() are queued via
> hci_cmd_sync_queue() with a raw hci_conn pointer as 'data', but unlike
> all other hci_cmd_sync_queue() callbacks that receive an hci_conn pointer,
> they lack an hci_conn_valid() guard.
>
> If the connection is torn down after the work is queued but before (or
> during) execution, the work dereferences a freed hci_conn object.
>
> Race path:
> 1. hci_connect_bis() queues create_big_sync(conn) on hdev->req_workqueue
> 2. ISO socket close() triggers hci_conn_drop(); for BIS_LINK timeo=0,
> disc_work fires immediately on hdev->workqueue
> 3. disc_work -> hci_abort_conn -> hci_conn_del() frees conn
> 4. create_big_sync() dequeued and runs on req_workqueue; conn is
> already freed -> slab-use-after-free
>
> The two workqueues are distinct (req_workqueue vs workqueue). The only
> lock held by create_big_sync is hci_req_sync_lock; the deletion path
> in HCI event handlers holds only hci_dev_lock. No shared lock prevents
> concurrent execution.
>
> This is the same bug class fixed for hci_enhanced_setup_sync in commit
> 98ccd44002d8 ("Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync"),
> and for hci_le_create_conn_sync, hci_le_pa_create_sync,
> hci_le_big_create_sync, hci_acl_create_conn_sync. create_big_sync and
> create_big_complete in hci_conn.c were not included in those sweeps.
>
> Fix: add an hci_conn_valid() guard at the start of both functions. In
> create_big_sync the 'qos' pointer assignment is moved past the guard
> to avoid dereferencing conn before validation.
>
> Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
> ---
> v3: Rebase on bluetooth-next HEAD 50003ce2; no logic changes
> v2: Regenerate with git format-patch to fix malformed patch fragment header
> v1: Initial submission
>
> net/bluetooth/hci_conn.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index a47f5da..e7fe9cc 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -2119,10 +2119,15 @@ static void hci_iso_qos_setup(struct hci_dev
> *hdev, struct hci_conn *conn,
> static int create_big_sync(struct hci_dev *hdev, void *data)
> {
> struct hci_conn *conn = data;
> - struct bt_iso_qos *qos = &conn->iso_qos;
> u16 interval, sync_interval = 0;
> u32 flags = 0;
> int err;
> + struct bt_iso_qos *qos;
> +
> + if (!hci_conn_valid(hdev, conn))
> + return -ECANCELED;
> +
> + qos = &conn->iso_qos;
>
> if (qos->bcast.out.phys == BIT(1))
> flags |= MGMT_ADV_FLAG_SEC_2M;
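Review bot: the hci_conn_valid() check added at the top of create_big_sync() is not serialized against the deletion path the commit message describes (create_big_sync holds only hci_req_sync_lock, hci_conn_del() runs under hci_dev_lock), so a conn that passes the check can still be freed before `qos = &conn->iso_qos;` or any later dereference runs; the guard narrows the window but does not close it. Consider taking hci_dev_lock around the check and the accesses to conn, or holding a reference across the queued work (hci_conn_get() when queueing, hci_conn_put() in the callback) so the object cannot go away while the work is pending, and say in the commit message which of the two the fix relies on. Minor: leaving the original `struct bt_iso_qos *qos;` declaration where it was and only moving the assignment below the guard avoids reordering the locals.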
> @@ -2196,6 +2201,9 @@ static void create_big_complete(struct hci_dev
> *hdev, void *data, int err)
> {
> struct hci_conn *conn = data;
>
> + if (!hci_conn_valid(hdev, conn))
> + return;
> +
> bt_dev_dbg(hdev, "conn %p", conn);
>
> if (err) {
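Review bot: the same check-then-use window applies in create_big_complete(): hci_conn_valid() is consulted without hci_dev_lock, after which conn is handed to bt_dev_dbg() and to the code under `if (err) {`, so a concurrent hci_conn_del() between the check and those uses remains possible. The early return also skips the whole `if (err)` branch; please confirm that branch only acts on conn (and therefore has nothing left to do once conn is gone) rather than on hdev state that still needs resetting, and mention in the commit message that the completion callback now silently drops its error handling when the connection has already been deleted.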
> --
> 2.43.0
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
and can not be applied. Please read the file,
Documentation/process/email-clients.rst in order to fix this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
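As an added illustration (a constructed userspace model, not code from hci_conn.c or from the patch above), the block below reproduces the pattern the commit message describes: a work item queued with a raw object pointer, a pointer-identity validity check in the style of hci_conn_valid(), and a teardown path that unlinks and frees the object. Every name in it (struct dev, conn_valid_locked, create_big_work, the two scenario functions) is invented for the model. It assumes the check and the dereferences that follow it are held under the same lock, which is the model's way of closing the window between check and use.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed userspace model of the pattern the patch fixes; not hci_conn.c. */
struct conn { int big_created; struct conn *next; };

struct dev {
	int locked;          /* stands in for hci_dev_lock: 1 while "held" */
	struct conn *conns;  /* stands in for hdev->conn_hash */
};

/* Deferred work carrying a raw object pointer, as hci_cmd_sync_queue() does. */
struct work {
	int (*fn)(struct dev *d, void *data);
	void *data;
};

static void dev_lock(struct dev *d)   { assert(!d->locked); d->locked = 1; }
static void dev_unlock(struct dev *d) { assert(d->locked);  d->locked = 0; }

/* Pointer-identity membership test, like hci_conn_valid(): it compares c but
 * never dereferences it, so a stale pointer is safe to pass in. The caller
 * must hold the dev lock or the answer can change before it is acted on. */
static bool conn_valid_locked(struct dev *d, const struct conn *c)
{
	assert(d->locked);
	for (const struct conn *it = d->conns; it; it = it->next)
		if (it == c)
			return true;
	return false;
}

static struct conn *conn_add(struct dev *d)
{
	struct conn *c = calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	dev_lock(d);
	c->next = d->conns;
	d->conns = c;
	dev_unlock(d);
	return c;
}

/* Like hci_conn_del(): unlink under the lock, then free. Queued work that
 * captured this pointer now holds a dangling one. */
static void conn_del(struct dev *d, struct conn *c)
{
	dev_lock(d);
	for (struct conn **pp = &d->conns; *pp; pp = &(*pp)->next)
		if (*pp == c) {
			*pp = c->next;
			break;
		}
	dev_unlock(d);
	free(c);
}

/* Guarded callback in the shape the patch gives create_big_sync(). Unlike the
 * patch, the check and every dereference of conn sit under one lock, so
 * conn_del() cannot slip in between them. */
static int create_big_work(struct dev *d, void *data)
{
	struct conn *c = data;
	int ret;

	dev_lock(d);
	if (!conn_valid_locked(d, c)) {
		ret = -ECANCELED;
	} else {
		c->big_created = 1;   /* placeholder for building the BIG from c's QoS */
		ret = 0;
	}
	dev_unlock(d);
	return ret;
}

/* Work runs while the connection is alive: the guard passes and returns 0. */
int scenario_work_before_close(void)
{
	struct dev d = { 0, NULL };
	struct conn *c = conn_add(&d);
	struct work w = { create_big_work, c };
	int ret;

	if (!c)
		return -ENOMEM;
	ret = w.fn(&d, w.data);
	if (ret == 0 && !c->big_created)
		ret = -EINVAL;
	conn_del(&d, c);
	return ret;
}

/* The race from the commit message: teardown lands between queueing and
 * execution. The guard rejects the stale pointer with -ECANCELED and never
 * touches the freed object. */
int scenario_close_before_work(void)
{
	struct dev d = { 0, NULL };
	struct conn *c = conn_add(&d);
	struct work w = { create_big_work, c };

	if (!c)
		return -ENOMEM;
	conn_del(&d, c);
	return w.fn(&d, w.data);
}
```

The ordering is the point of the model: a validity test that is not serialized with the deletion path can return true and be stale a moment later, and a pointer-identity check cannot tell a freed object from a new one allocated at the same address, so holding a reference across the queued work is the more robust alternative where the locking cannot be arranged.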
Thread overview: 2+ messages
2026-03-05 1:19 [PATCH v3] Bluetooth: hci_conn: Fix UAF in create_big_sync and create_big_complete Kai Zen
2026-03-05 7:16 ` Greg KH [this message]