Re: [PATCH v4] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()

Next message: Guenter Roeck: "[GIT PULL] hwmon fixes for v7.1-rc4"
Previous message: Drew Fustini: "Re: [PATCH RFC v4 12/18] riscv_cbqri: resctrl: Add L3 cache occupancy monitoring"
In reply to: Safa Karaku&#x15F;: "[PATCH v4] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()"
Next in thread: fourdim: "Re: [PATCH v4] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Sat May 16 2026 - 18:40:31 EST

On Sat, 16 May 2026 21:15:04 +0300 Safa Karakus wrote:
> bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
> accept queue and release_sock()s it before returning, so the returned
> sk has no caller reference and is unlocked.
>
> l2cap_sock_cleanup_listen() walks these children on listening-socket
> close. A concurrent HCI disconnect drives hci_rx_work ->
> l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
> frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
>
> BUG: KASAN: slab-use-after-free in l2cap_sock_kill
> l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
> Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
>
Feel free to add the regular KASAN uaf calltrace to help understand your fix.