Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bnep_add_connection
From: Jann Horn
Date: Fri Jun 19 2026 - 07:32:12 EST

On Tue, May 26, 2026 at 8:46 AM syzbot
<syzbot+604a39147226ba42d117@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> BUG: KASAN: slab-use-after-free in strnlen+0x66/0x90 lib/string.c:432
> Read of size 1 at addr ffff8880126e8120 by task syz.0.0/5330
>
> CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> print_address_description+0x55/0x1e0 mm/kasan/report.c:378
> print_report+0x58/0x70 mm/kasan/report.c:482
> kasan_report+0x117/0x150 mm/kasan/report.c:595
> strnlen+0x66/0x90 lib/string.c:432
> strnlen include/linux/fortify-string.h:231 [inline]
> __fortify_strlen include/linux/fortify-string.h:267 [inline]
> strcpy include/linux/fortify-string.h:794 [inline]
> bnep_add_connection+0x90c/0xca0 net/bluetooth/bnep/core.c:649
> do_bnep_sock_ioctl+0x40b/0x650 net/bluetooth/bnep/sock.c:83
> sock_do_ioctl+0x101/0x320 net/socket.c:1313
> sock_ioctl+0x5c6/0x7f0 net/socket.c:1434
> vfs_ioctl fs/ioctl.c:51 [inline]

Funny that syzbot found this ancient bug ten days after the fix landed
in a subsystem tree...

This is fixed by commit 59e932ded949fa6f0340bf7c6d7818f962fa4fd2.

#syz fix: Bluetooth: bnep: Fix UAF read of dev->name