[BUG] Bluetooth: use-after-free in l2cap_info_timeout during connection cleanup

Next message: Nicolin Chen: "Re: [PATCH v5 3/5] iommu: Add iommu_driver_get_domain_for_dev() helper"
Previous message: Hannes Reinecke: "Re: [PATCH 1/1] nvme-fabrics: add ENOKEY to no retry criteria for authentication failures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: 许东洁

Date: Tue Nov 18 2025 - 02:04:50 EST

Hello,

A use-after-free vulnerability was discovered in the Bluetooth L2CAP subsystem of Linux kernel 6.6.0 using the syzkaller fuzzing tool.

The issue involves a race condition during connection cleanup: when l2cap_conn_del starts cleaning up connection resources, if l2cap_info_timeout workqueue executes simultaneously on another CPU, it may access freed memory.

Specific mechanism:
- l2cap_conn_del function deletes HCI channels and cleans up connection state
- However, before calling cancel_delayed_work_sync to wait for info_timer completion, the connection data structures may have been partially destroyed
- Meanwhile, l2cap_info_timeout continues executing and accesses the hci_chan structure being cleaned up through the call chain
- This eventually leads to dereferencing an invalid pointer in skb_queue_tail

Crash signature:
BUG: unable to handle kernel NULL pointer dereference in skb_queue_tail

Call stack path:
l2cap_info_timeout -> l2cap_conn_start -> ... -> hci_queue_acl -> skb_queue_tail

Related materials are provided below:
Config file: https://github.com/j1akai/KConfigFuzz_bug/blob/main/x86/66-config
Additional fuzzing context: https://github.com/PLASSICAxu/OS-bug/tree/main/ea13e77411e2a197a1929ad0738d6d8d3e181823

Suggested approach: add reference count checking at the beginning of l2cap_info_timeout to ensure the connection remains valid throughout function execution.

Acknowledgments
Xu Dongjie
University of Chinese Academy of Sciences