[BUG] Bluetooth: slab-use-after-free in hci_core.c:hci_send_acl()
From: 李天宇
Date: Sat Nov 15 2025 - 07:49:57 EST
Hello,
A use-after-free bug was triggered in the Bluetooth subsystem when handling L2CAP connection setup sequences.
The kernel reports a slab-use-after-free issue in hci_send_acl() caused by l2cap_info_timeout() accessing a freed hci_chan object.
This bug was found via a fuzzing framework on Linux v6.6 (x86_64, QEMU). Test environment, configuration, and relevant materials are provided below:
Kernel source: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.6.tar.gz
Config file: https://github.com/j1akai/KConfigFuzz_bug/raw/refs/heads/main/x86/66-config
Kernel log: https://github.com/j1akai/KConfigFuzz_bug/raw/refs/heads/main/x86/crashes-part1/0094_aa5b436b78ce432eb9fa23bf14105889c0825990/x86_62_66_syzkaller_0901_6.6_yin/report0
The reports indicate that hci_chan was allocated in hci_chan_create() and later freed in hci_chan_cleanup(), while a pending L2CAP work queue callback (l2cap_info_timeout) continued to access this object and invoked hci_send_acl(), resulting in a use-after-free read.
After checking the relevant code on mainline, it seems that although there are some additional checks, none of them involve checking whether hci_chan is empty.
I’m currently only reporting the issue to the community; the exact fix will likely need confirmation and review from the Bluetooth maintainers.
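To illustrate the lifetime problem described in this report (a deferred callback that still references an object after its owner has freed it), here is a constructed userland C model. It is an added example, not kernel code and not a proposed patch: `chan`, `work_item`, `schedule_work`, `run_work` and `cancel_work` are stand-ins for hci_chan, the L2CAP delayed work and the kernel's workqueue API, and the live-object registry exists only so the callback can detect a dangling pointer instead of dereferencing it (in the kernel that dereference is what KASAN reports). It shows the two defensive orderings a reviewer would look for: the work item holding its own reference until it has run, or the work being cancelled before the last reference is dropped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: a refcounted object and a deferred work item that
 * references it. Names are hypothetical stand-ins, not the Bluetooth code. */
#define MAX_LIVE 8

struct chan {
    int refcnt;
    char name[16];
};

/* Registry of live objects so a callback can detect a stale pointer safely. */
static struct chan *live[MAX_LIVE];

int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += live[i] != NULL;
    return n;
}

static int chan_is_live(const struct chan *c)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == c)
            return 1;
    return 0;
}

static struct chan *chan_create(const char *name)
{
    struct chan *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->refcnt = 1;                       /* creator's reference */
    strncpy(c->name, name, sizeof(c->name) - 1);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = c; return c; }
    abort();
}

static void chan_get(struct chan *c) { c->refcnt++; }

static void chan_put(struct chan *c)
{
    if (--c->refcnt) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == c) live[i] = NULL;
    free(c);                             /* last reference gone */
}

/* Deferred work: a pointer plus whether the item owns a reference to it. */
struct work_item {
    struct chan *chan;
    int holds_ref;
    int pending;
};

static void schedule_work(struct work_item *w, struct chan *c, int take_ref)
{
    w->chan = c;
    w->holds_ref = take_ref;
    w->pending = 1;
    if (take_ref) chan_get(c);           /* pin the object until the work runs */
}

/* Analogue of cancelling pending work synchronously before teardown. */
static void cancel_work(struct work_item *w)
{
    if (w->pending && w->holds_ref) chan_put(w->chan);
    w->pending = 0;
}

/* Returns 1 if the callback would have touched freed memory, else 0. */
static int run_work(struct work_item *w)
{
    if (!w->pending) return 0;
    w->pending = 0;
    int dangling = !chan_is_live(w->chan);
    if (!dangling)
        printf("sending on %s\n", w->chan->name);  /* safe use of live object */
    if (w->holds_ref && !dangling) chan_put(w->chan);
    return dangling;
}

/* Unsafe ordering: raw pointer in the work item, owner frees, work runs. */
int unsafe_scenario(void)
{
    struct work_item w = {0};
    struct chan *c = chan_create("chan-A");
    schedule_work(&w, c, 0);
    chan_put(c);                         /* refcnt 1 -> 0: freed while pending */
    return run_work(&w);                 /* 1: stale pointer detected */
}

/* Safe ordering 1: the work item holds a reference until it has run. */
int safe_scenario(void)
{
    struct work_item w = {0};
    struct chan *c = chan_create("chan-B");
    schedule_work(&w, c, 1);             /* refcnt 2 */
    chan_put(c);                         /* refcnt 1: still alive for the callback */
    return run_work(&w);                 /* 0: callback drops the last reference */
}

/* Safe ordering 2: pending work is cancelled before the owner lets go. */
int cancel_scenario(void)
{
    struct work_item w = {0};
    struct chan *c = chan_create("chan-C");
    schedule_work(&w, c, 1);
    cancel_work(&w);                     /* drops the work's reference */
    chan_put(c);                         /* refcnt 1 -> 0: freed with nothing pending */
    return run_work(&w);                 /* 0: nothing left to run */
}
```

Either safe ordering is sufficient on its own; what the unsafe path lacks is any coupling between the object's lifetime and the pending work, which is the pattern to check for when reviewing the cleanup side of a fix for this report.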