[REGRESSION] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
From: Pauli Virtanen
Date: Sat Jun 13 2026 - 08:58:50 EST
Hi,

Tue, 2026-05-19 at 15:00 +0000, patchwork-bot+bluetooth@xxxxxxxxxx wrote:
> Hello:
>
> This patch was applied to bluetooth/bluetooth-next.git (master)
> by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:
>
> On Mon, 18 May 2026 10:49:49 +0800 you wrote:
> > From: Mingyu Wang <25181214217@xxxxxxxxxxxxxxxxx>
> >
> > Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
> > Dereference (NPD) conditions were observed in the lifecycle management
> > of hci_uart.
> >
> > The primary issue arises because the workqueues (init_ready and
> > write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY
> > flag is set during TTY close. If a hangup occurs before setup completes,
> > hci_uart_tty_close() skips the teardown of these workqueues and
> > proceeds to free the `hu` struct. When the scheduled work executes
> > later, it blindly dereferences the freed `hu` struct.
> >
> > [...]
>
> Here is the summary with links:
> - [v9] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
> https://git.kernel.org/bluetooth/bluetooth-next/c/7db62a762f61
>
> You are awesome, thank you!
This patch (c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b upstream) appears
to cause a regression in the following test case, which does
btmgmt power off; btmgmt power on; in a loop.

At some point response to Reset command is not received, and the
(emulated) controller can no longer be powered on.

Found by noting that newer kernel versions fail automated testing.
Kernel built with the bluez tester config
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc/tester.config

With c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b reverted, the power
off/on toggle continues indefinitely without errors.

Didn't investigate so far why precisely it starts failing.
$ cd bluez
$ git rev-parse HEAD
40f2e34b373944cf8142154881ce69f92c2be68d
$ make tools/test-runner emulator/btvirt
$ bash xtest.sh
...
hci0 Set Powered complete, settings: powered br/edr
hci0 Set Powered complete, settings: br/edr
hci0 Set Powered complete, settings: powered br/edr
hci0 Set Powered complete, settings: br/edr
Bluetooth: hci0: Opcode 0x0c03 failed: -110
Set Powered for hci0 failed with status 0x05 (Authentication Failed)
Set Powered for hci0 failed with status 0x05 (Authentication Failed)
Process 38 exited with status 0
reboot: Restarting system
reboot: machine restart
Set Powered for hci0 failed with status 0x05 (Authentication Failed)
Set Powered for hci0 failed with status 0x05 (Authentication Failed)
FAIL
----8<---- xtest.sh
#!/bin/sh
KERNEL=../linux/arch/x86_64/boot/bzImage

# Inner loop, run inside the test-runner VM: toggle power until a failure shows up.
cat <<EOF > xtest-run.sh
for j in \$(seq 1 100); do
    ./tools/btmgmt power off 2>&1 | tee /tmp/test.log
    ./tools/btmgmt power on 2>&1 | tee -a /tmp/test.log
    if grep 'Authentication Failed' /tmp/test.log; then break; fi
done
EOF

./emulator/btvirt -s &
trap 'kill $(jobs -p)' EXIT

./tools/test-runner -k $KERNEL -u/tmp/bt-server-bredrle -- bash xtest-run.sh 2>&1 | tee xtest.log
if grep 'Authentication Failed' xtest.log; then
    echo "FAIL"
    exit 1
else
    echo "OK"
    exit 0
fi
----8<----
--
Pauli Virtanen
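Added example, not part of this thread, not kernel code and not the upstream patch: a deterministic, single-threaded model of the teardown window the quoted patch description talks about. Deferred work carries a raw pointer to the `hu` object; a close path that only cancels that work when HCI_UART_PROTO_READY is set leaves the work queued if a hangup arrives before setup has completed, and the callback then runs against freed memory. The toy workqueue, the generation-based liveness check, the flag bit value and the "cancel unconditionally" mitigation are all assumptions of this example (the upstream fix is elided in the quote above and may differ).

```c
/* Added example (not kernel code, not the upstream patch): model of a
 * flag-gated teardown leaving deferred work queued against a freed object. */
#include <stdio.h>
#include <stdlib.h>

#define HCI_UART_PROTO_READY 0x1 /* flag name from the thread; bit value assumed */

struct hci_uart {
    unsigned long flags;
    int setup_done;
};

typedef void (*work_fn)(struct hci_uart *hu);

/* Toy workqueue standing in for init_ready / write_work. Each entry keeps the
 * hu pointer it was queued with plus the allocation generation of that hu. */
struct work_item { work_fn fn; struct hci_uart *hu; unsigned gen; int pending; };
static struct work_item queue[8];
static int queue_len;

/* Liveness registry: lets the model *detect* a use-after-free without reading
 * freed memory. live_gen is 0 whenever no hu is allocated. */
static unsigned next_gen = 1, live_gen;
static int uaf_hits;

static void schedule_work(work_fn fn, struct hci_uart *hu)
{
    if (queue_len < 8)
        queue[queue_len++] = (struct work_item){ fn, hu, live_gen, 1 };
}

/* Stand-in for cancel_work_sync(): queued work for this hu will never run. */
static void cancel_work_sync(work_fn fn, struct hci_uart *hu)
{
    for (int i = 0; i < queue_len; i++)
        if (queue[i].fn == fn && queue[i].hu == hu)
            queue[i].pending = 0;
}

static void hci_uart_write_work(struct hci_uart *hu) { (void)hu; }

static void hci_uart_init_work(struct hci_uart *hu)
{
    hu->setup_done = 1;
    hu->flags |= HCI_UART_PROTO_READY;      /* setup complete */
    schedule_work(hci_uart_write_work, hu); /* follow-on work */
}

/* Drain the queue; items queued by a running callback are picked up too. */
static void run_pending_work(void)
{
    for (int i = 0; i < queue_len; i++) {
        if (!queue[i].pending)
            continue;
        queue[i].pending = 0;
        if (queue[i].gen != live_gen) { /* callback would touch freed hu */
            uaf_hits++;
            continue;
        }
        queue[i].fn(queue[i].hu);
    }
}

static struct hci_uart *tty_open(void)
{
    struct hci_uart *hu = calloc(1, sizeof(*hu));
    live_gen = next_gen++;
    schedule_work(hci_uart_init_work, hu); /* setup runs later, deferred */
    return hu;
}

/* Buggy shape from the quoted description: teardown gated on the flag. */
static void tty_close_buggy(struct hci_uart *hu)
{
    if (hu->flags & HCI_UART_PROTO_READY) {
        cancel_work_sync(hci_uart_init_work, hu);
        cancel_work_sync(hci_uart_write_work, hu);
    }
    live_gen = 0;
    free(hu);
}

/* Assumed mitigation: always cancel deferred work before freeing hu. */
static void tty_close_fixed(struct hci_uart *hu)
{
    cancel_work_sync(hci_uart_init_work, hu);
    cancel_work_sync(hci_uart_write_work, hu);
    live_gen = 0;
    free(hu);
}

/* Returns how many callbacks ran against a freed hu in this scenario. */
int simulate(int fixed_close, int hangup_before_setup)
{
    queue_len = 0;
    uaf_hits = 0;
    struct hci_uart *hu = tty_open();
    if (!hangup_before_setup)
        run_pending_work();              /* setup completes, flag gets set */
    if (fixed_close) tty_close_fixed(hu); else tty_close_buggy(hu);
    run_pending_work();                  /* whatever survived close runs now */
    return uaf_hits;
}

int main(void)
{
    printf("buggy close, hangup before setup: %d UAF\n", simulate(0, 1));
    printf("buggy close, setup completed:     %d UAF\n", simulate(0, 0));
    printf("fixed close, hangup before setup: %d UAF\n", simulate(1, 1));
    return 0;
}
```

The point of the generation counter is that the buggy path is only reachable when the flag is still clear, i.e. exactly the "hangup before setup completes" ordering from the quoted text; with setup completed, the flag-gated cancel covers the window, which is why such a bug survives ordinary open/close testing and surfaces under tight power-cycle loops like the xtest.sh above.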