[PATCH v3] Bluetooth: hci_conn: Fix UAF in create_big_sync and create_big_complete

[PATCH v3] Bluetooth: hci_conn: Fix UAF in create_big_sync and create_big_complete

[Kai Zen]

create_big_sync() and create_big_complete() are queued via
hci_cmd_sync_queue() with a raw hci_conn pointer as 'data', but unlike
all other hci_cmd_sync_queue() callbacks that receive an hci_conn pointer
they lack an hci_conn_valid() guard.

If the connection is torn down after the work is queued but before (or
during) execution, the work dereferences a freed hci_conn object.

Race path:
 1. hci_connect_bis() queues create_big_sync(conn) on hdev->req_workqueue
 2. ISO socket close() triggers hci_conn_drop(); for BIS_LINK timeo=0,
    disc_work fires immediately on hdev->workqueue
 3. disc_work -> hci_abort_conn -> hci_conn_del() frees conn
 4. create_big_sync() dequeued and runs on req_workqueue; conn is
    already freed -> slab-use-after-free

The two workqueues are distinct (req_workqueue vs workqueue). The only
lock held by create_big_sync is hci_req_sync_lock; the deletion path
in HCI event handlers holds only hci_dev_lock. No shared lock prevents
concurrent execution.

This is the same bug class fixed for hci_enhanced_setup_sync in commit
98ccd44002d8 ("Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync"),
and for hci_le_create_conn_sync, hci_le_pa_create_sync,
hci_le_big_create_sync, hci_acl_create_conn_sync. create_big_sync and
create_big_complete in hci_conn.c were not included in those sweeps.

Fix: add hci_conn_valid() guard at the start of both functions. In
create_big_sync the 'qos' pointer assignment is moved past the guard
to avoid dereferencing conn before validation.

Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
Cc: stable@vger.kernel.org
Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
---
v3: Rebase on bluetooth-next HEAD 50003ce2; no logic changes
v2: Regenerate with git format-patch to fix malformed patch fragment header
v1: Initial submission

 net/bluetooth/hci_conn.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index a47f5da..e7fe9cc 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2119,10 +2119,15 @@ static void hci_iso_qos_setup(struct hci_dev
*hdev, struct hci_conn *conn,
 static int create_big_sync(struct hci_dev *hdev, void *data)
 {
        struct hci_conn *conn = data;
-       struct bt_iso_qos *qos = &conn->iso_qos;
        u16 interval, sync_interval = 0;
        u32 flags = 0;
        int err;
+       struct bt_iso_qos *qos;
+
+       if (!hci_conn_valid(hdev, conn))
+               return -ECANCELED;
+
+       qos = &conn->iso_qos;

        if (qos->bcast.out.phys == BIT(1))
                flags |= MGMT_ADV_FLAG_SEC_2M;
@@ -2196,6 +2201,9 @@ static void create_big_complete(struct hci_dev
*hdev, void *data, int err)
 {
        struct hci_conn *conn = data;

+       if (!hci_conn_valid(hdev, conn))
+               return;
+
        bt_dev_dbg(hdev, "conn %p", conn);

        if (err) {
--
2.43.0

Re: [PATCH v3] Bluetooth: hci_conn: Fix UAF in create_big_sync and create_big_complete

[Greg KH]

On Thu, Mar 05, 2026 at 03:19:19AM +0200, Kai Zen wrote:
> create_big_sync() and create_big_complete() are queued via
> hci_cmd_sync_queue() with a raw hci_conn pointer as 'data', but unlike
> all other hci_cmd_sync_queue() callbacks that receive an hci_conn pointer
> they lack an hci_conn_valid() guard.
> 
> If the connection is torn down after the work is queued but before (or
> during) execution, the work dereferences a freed hci_conn object.
> 
> Race path:
>  1. hci_connect_bis() queues create_big_sync(conn) on hdev->req_workqueue
>  2. ISO socket close() triggers hci_conn_drop(); for BIS_LINK timeo=0,
>     disc_work fires immediately on hdev->workqueue
>  3. disc_work -> hci_abort_conn -> hci_conn_del() frees conn
>  4. create_big_sync() dequeued and runs on req_workqueue; conn is
>     already freed -> slab-use-after-free
> 
> The two workqueues are distinct (req_workqueue vs workqueue). The only
> lock held by create_big_sync is hci_req_sync_lock; the deletion path
> in HCI event handlers holds only hci_dev_lock. No shared lock prevents
> concurrent execution.
> 
> This is the same bug class fixed for hci_enhanced_setup_sync in commit
> 98ccd44002d8 ("Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync"),
> and for hci_le_create_conn_sync, hci_le_pa_create_sync,
> hci_le_big_create_sync, hci_acl_create_conn_sync. create_big_sync and
> create_big_complete in hci_conn.c were not included in those sweeps.
> 
> Fix: add hci_conn_valid() guard at the start of both functions. In
> create_big_sync the 'qos' pointer assignment is moved past the guard
> to avoid dereferencing conn before validation.
> 
> Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
> ---
> v3: Rebase on bluetooth-next HEAD 50003ce2; no logic changes
> v2: Regenerate with git format-patch to fix malformed patch fragment header
> v1: Initial submission
> 
>  net/bluetooth/hci_conn.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index a47f5da..e7fe9cc 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -2119,10 +2119,15 @@ static void hci_iso_qos_setup(struct hci_dev
> *hdev, struct hci_conn *conn,
>  static int create_big_sync(struct hci_dev *hdev, void *data)
>  {
>         struct hci_conn *conn = data;
> -       struct bt_iso_qos *qos = &conn->iso_qos;
>         u16 interval, sync_interval = 0;
>         u32 flags = 0;
>         int err;
> +       struct bt_iso_qos *qos;
> +
> +       if (!hci_conn_valid(hdev, conn))
> +               return -ECANCELED;
> +
> +       qos = &conn->iso_qos;
> 
>         if (qos->bcast.out.phys == BIT(1))
>                 flags |= MGMT_ADV_FLAG_SEC_2M;
> @@ -2196,6 +2201,9 @@ static void create_big_complete(struct hci_dev
> *hdev, void *data, int err)
>  {
>         struct hci_conn *conn = data;
> 
> +       if (!hci_conn_valid(hdev, conn))
> +               return;
> +
>         bt_dev_dbg(hdev, "conn %p", conn);
> 
>         if (err) {
> --
> 2.43.0
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
  and can not be applied.  Please read the file,
  Documentation/process/email-clients.rst in order to fix this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot