| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e795d2b600d98bfaf9b63088929e8ac0e8d4e3ba.camel@iki.fi>
Date: Wed, 05 Nov 2025 21:36:23 +0200
From: Pauli Virtanen <pav@....fi>
To: ssrane_b23@...vjti.ac.in
Cc: linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-kernel-mentees@...ts.linux.dev, skhan@...uxfoundation.org,
david.hunter.linux@...il.com, khalid@...nel.org
Subject: Re: [PATCH] Bluetooth: L2CAP: Fix use-after-free in
l2cap_unregister_user
ke, 2025-11-05 kello 19:52 +0530, ssrane_b23@...vjti.ac.in kirjoitti:
> From: Shaurya Rane <ssrane_b23@...vjti.ac.in>
>
> Syzbot reported a use-after-free in l2cap_unregister_user(), caused by
> missing reference counting on the associated hci_dev. If the device is
> unregistered while L2CAP users are still active, l2cap_unregister_user()
> may access a freed hci_dev when taking its lock.
>
> Fix this by taking a device reference in l2cap_register_user() using
> hci_dev_hold(), and releasing it in l2cap_unregister_user() via
> hci_dev_put(). This ensures the hci_dev remains valid for the lifetime
> of registered L2CAP users.
>
> Reported-by: syzbot+14b6d57fb728e27ce23c@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=14b6d57fb728e27ce23c
> Fixes: c8992cffbe74 ("Bluetooth: hci_event: Use of a function table to handle Command Complete")
> Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
> ---
> net/bluetooth/l2cap_core.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 805c752ac0a9..6a880f8ab6c2 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -1688,6 +1688,11 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
> struct hci_dev *hdev = conn->hcon->hdev;
> int ret;
>
> + /* Hold a reference to hdev to prevent it from being freed while
> + * we have registered users.
> + */
> + hci_dev_hold(hdev);
> +
> /* We need to check whether l2cap_conn is registered. If it is not, we
> * must not register the l2cap_user. l2cap_conn_del() is unregisters
> * l2cap_conn objects, but doesn't provide its own locking. Instead, it
The old comment here seems out of date since commit ab4eedb790cae,
currently l2cap_conn_del() appears to be using conn->lock to do
mutex_lock(&conn->lock);
...
l2cap_unregister_all_users(conn);
...
hci_chan_del(conn->hchan);
conn->hchan = NULL;
...
mutex_unlock(&conn->lock);
so it looks likely also taking conn->lock could avoid the races with
conn->users and conn->hchan.
> @@ -1717,6 +1722,10 @@ int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
>
> out_unlock:
> hci_dev_unlock(hdev);
> +
> + if (ret)
> + hci_dev_put(hdev);
> +
> return ret;
> }
> EXPORT_SYMBOL(l2cap_register_user);
> @@ -1735,6 +1744,9 @@ void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
>
> out_unlock:
> hci_dev_unlock(hdev);
> +
> + /* Release the reference we took in l2cap_register_user */
> + hci_dev_put(hdev);
> }
> EXPORT_SYMBOL(l2cap_unregister_user);
>
--
Pauli Virtanen
Powered by blists - more mailing lists