Re: [PATCH 6.6.y] Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync

From: XIAO WU

Date: Sat Jun 20 2026 - 21:58:09 EST


Hi,

I came across a Sashiko AI code review [1] that flagged a related
use-after-free in `get_l2cap_conn()` — it has the same lock-dropping
pattern that your patch fixes in `set_cig_params_sync()`.

I was able to trigger it in QEMU with KASAN on a 6.6.y kernel. Writing
to the 6lowpan debugfs control file races against connection teardown.

On Sun, Jun 8, 2026 at 5:56:55PM +0300, Pauli Virtanen wrote:
> This commit adds hci_dev_lock() around the hci_conn lookup and field
> accesses in set_cig_params_sync(). This prevents a potential
> use-after-free if the connection is concurrently freed.

The same pattern in `get_l2cap_conn()` still drops the lock before
accessing the returned hcon pointer:

```c
// net/bluetooth/6lowpan.c: get_l2cap_conn()
hci_dev_lock(hdev);
hcon = hci_conn_hash_lookup_le(hdev, addr, le_addr_type);
hci_dev_unlock(hdev);                  // lock dropped
hci_dev_put(hdev);

if (!hcon)
    return -ENOENT;

*conn = (struct l2cap_conn *)hcon->l2cap_data;  // UAF if freed
```

The connection is returned without a reference count.  If a concurrent
disconnect event frees it via `hci_conn_del()`, the subsequent
dereference of `hcon->l2cap_data` hits freed memory.

[KASAN report — kernel 6.6.142, CONFIG_KASAN=y]

  ==================================================================
  BUG: KASAN: slab-use-after-free in get_l2cap_conn.constprop.0+0x73f/0x750
  Read of size 8 at addr ffff888106514ab8 by task poc/9349

  CPU: 1 PID: 9349 Comm: poc Not tainted 6.6.142-g1ab6d2b45d08 #1

  Call Trace:
   <TASK>
   dump_stack_lvl+0xd9/0x1b0
   print_report+0xce/0x630
   kasan_report+0xd4/0x110
   get_l2cap_conn.constprop.0+0x73f/0x750
   lowpan_control_write+0x574/0x740
   full_proxy_write+0x12f/0x1a0
   vfs_write+0x2ba/0xe60
   ksys_write+0x134/0x260
   do_syscall_64+0x39/0xc0
   entry_SYSCALL_64_after_hwframe+0x79/0xe3

  Allocated by task 56:
   __hci_conn_add+0x136/0x1ac0
   hci_conn_add_unset+0x72/0x100
   le_conn_complete_evt+0x667/0x2180
   hci_le_conn_complete_evt+0x241/0x370

  Freed by task 56:
   __kmem_cache_free+0xb6/0x2e0
   hci_conn_del+0x.../...

[1] https://sashiko.dev/#/patchset/tencent_42D87A0C871AE6AF019BF6AB46F003577205%40qq.com
    (Sashiko AI code review — "Use-After-Free", Severity: High)

Thanks,
XIAO
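Added example, not part of the message above or of the 6.6.y patch it replies to: a userspace C model of the lock-dropping lookup pattern the report describes, next to the reference-taking variant that keeps the object alive across the unlock. `dev_lock`/`dev_unlock`, `conn_get`-style refcounting via `lookup_get`/`conn_put`, `lookup_raw` and `conn_del` are hypothetical names that only mimic the `hci_dev_lock()` / `hci_conn_hash_lookup_le()` / `hci_conn_del()` shape; the "concurrent" disconnect is scripted in one thread between lookup and use, so the outcome is deterministic rather than timing-dependent as in the KASAN run.

```c
/* Hypothetical userspace model (example code, not kernel code) of a
 * lookup table guarded by a lock plus a refcounted object. Mirrors the
 * pattern from the report: lookup under lock, unlock, then dereference. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct conn {
    int handle;
    int refcount;           /* modeled kref: table holds one, each user holds one */
    char l2cap_data[16];    /* the field the caller dereferences after lookup */
    struct conn *next;
};

struct dev {
    atomic_flag lock;       /* stands in for hci_dev_lock()/hci_dev_unlock() */
    struct conn *conns;
    int freed;              /* number of objects actually freed, for checking */
};

static void dev_lock(struct dev *d)   { while (atomic_flag_test_and_set(&d->lock)) ; }
static void dev_unlock(struct dev *d) { atomic_flag_clear(&d->lock); }

static struct conn *conn_add(struct dev *d, int handle, const char *data)
{
    struct conn *c = calloc(1, sizeof *c);
    c->handle = handle;
    c->refcount = 1;                          /* the table's own reference */
    snprintf(c->l2cap_data, sizeof c->l2cap_data, "%s", data);
    dev_lock(d);
    c->next = d->conns;
    d->conns = c;
    dev_unlock(d);
    return c;
}

/* Caller must hold d->lock. */
static struct conn *find_locked(struct dev *d, int handle)
{
    for (struct conn *c = d->conns; c; c = c->next)
        if (c->handle == handle)
            return c;
    return NULL;
}

static void conn_put(struct dev *d, struct conn *c)
{
    if (--c->refcount == 0) {
        free(c);
        d->freed++;
    }
}

/* Teardown: unlink under the lock, then drop the table's reference. */
static void conn_del(struct dev *d, int handle)
{
    struct conn **pp, *c = NULL;
    dev_lock(d);
    for (pp = &d->conns; *pp && (*pp)->handle != handle; pp = &(*pp)->next) ;
    if (*pp) { c = *pp; *pp = c->next; }
    dev_unlock(d);
    if (c)
        conn_put(d, c);
}

/* Buggy shape: the lock only spans the lookup; the pointer escapes unreferenced. */
static struct conn *lookup_raw(struct dev *d, int handle)
{
    dev_lock(d);
    struct conn *c = find_locked(d, handle);
    dev_unlock(d);
    return c;
}

/* Hardened shape: take a reference before the lock is dropped. */
static struct conn *lookup_get(struct dev *d, int handle)
{
    dev_lock(d);
    struct conn *c = find_locked(d, handle);
    if (c)
        c->refcount++;
    dev_unlock(d);
    return c;
}

/* Scripted race: teardown runs between lookup and use.
 * Returns how many objects were freed before the caller could use its pointer. */
static int race_raw(void)
{
    struct dev d = { .lock = ATOMIC_FLAG_INIT };
    conn_add(&d, 7, "l2cap");
    struct conn *c = lookup_raw(&d, 7);
    conn_del(&d, 7);                /* the "concurrent" disconnect */
    (void)c;                        /* reading c->l2cap_data here is the UAF */
    return d.freed;                 /* 1: object is already gone */
}

/* Same race with the reference held: data stays readable, freed only on put. */
static int race_get(void)
{
    struct dev d = { .lock = ATOMIC_FLAG_INIT };
    conn_add(&d, 7, "l2cap");
    struct conn *c = lookup_get(&d, 7);
    conn_del(&d, 7);
    int ok = strcmp(c->l2cap_data, "l2cap") == 0 && d.freed == 0;
    conn_put(&d, c);                /* last reference: frees now */
    return ok && d.freed == 1;
}
```

The point the model makes is that `lookup_raw` hands back a pointer whose only owner is the table, so the moment teardown unlinks it the caller holds freed memory, exactly the window KASAN reported between `hci_conn_hash_lookup_le()` and the read of `hcon->l2cap_data`. `lookup_get` closes that window by pairing the lookup with a reference taken while the lock is still held; the caller then owns the object until its own `conn_put`, regardless of what the disconnect path does in between.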