From: Masahiro Kawada
To: linux-bluetooth@vger.kernel.org
Cc: luiz.dentz@gmail.com, marcel@holtmann.org, johan.hedberg@gmail.com, linux-kernel@vger.kernel.org, Masahiro Kawada, syzbot+3609b9b48e68e1fe47fd@syzkaller.appspotmail.com
Subject: [PATCH] Bluetooth: fix use-after-free in hci_conn_drop
Date: Mon, 9 Feb 2026 19:02:11 +0900
Message-ID: <20260209100211.36533-1-youjingxiaogao2@gmail.com>

Fix a use-after-free in hci_conn_drop triggered via hci_cmd_sync_work.

In hci_conn_del(), hci_cmd_sync_dequeue() is called after hci_conn_cleanup(), which may have already freed the conn pointer. Fix by moving the dequeue before cleanup.

Additionally, le_read_features_complete() calls hci_conn_drop(conn) without checking whether conn is still valid. When hci_le_read_remote_features_sync() blocks waiting for an HCI event, another thread can free conn through hci_conn_del(). Fix by adding a hci_conn_valid() check before calling hci_conn_drop().

Fixes: 881559af5f5c ("Bluetooth: hci_sync: Attempt to dequeue connection attempt")
Fixes: a106e50be74b ("Bluetooth: HCI: Add support for LL Extended Feature Set")
Reported-by: syzbot+3609b9b48e68e1fe47fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3609b9b48e68e1fe47fd
Tested-by: syzbot+3609b9b48e68e1fe47fd@syzkaller.appspotmail.com
Signed-off-by: Masahiro Kawada --- net/bluetooth/hci_conn.c | 6 +++--- net/bluetooth/hci_sync.c | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 0795818963a..aa3607327ad 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1232,15 +1232,15 @@ void hci_conn_del(struct hci_conn *conn) skb_queue_purge(&conn->data_q); skb_queue_purge(&conn->tx_q.queue); =20 + /* Dequeue callbacks using connection pointer as data */ + hci_cmd_sync_dequeue(hdev, NULL, conn, NULL); + /* Remove the connection from the list and cleanup its remaining * state. This is a separate function since for some cases like * BT_CONNECT_SCAN we *only* want the cleanup part without the * rest of hci_conn_del. */ hci_conn_cleanup(conn); - - /* Dequeue callbacks using connection pointer as data */ - hci_cmd_sync_dequeue(hdev, NULL, conn, NULL); } =20 struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_ty= pe) diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index f04a90bce4a..f31086c187f 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -7371,6 +7371,9 @@ static void le_read_features_complete(struct hci_dev = *hdev, void *data, int err) if (err =3D=3D -ECANCELED) return; =20 + if (!hci_conn_valid(hdev, conn)) + return; + hci_conn_drop(conn); } =20 --=20 2.43.0
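Review bot: in the hci_conn.c hunk, moving hci_cmd_sync_dequeue(hdev, NULL, conn, NULL) ahead of hci_conn_cleanup(conn) fixes the ordering problem described in the commit message, but it also opens a window in which a cmd_sync entry carrying conn as its data could be queued after the dequeue and before the cleanup frees the connection; the commit message should state what rules that out (for example, that both the queueing paths and hci_conn_del() run under hci_dev_lock), otherwise the dangling pointer only moves to a narrower race. The retained comment `/* Dequeue callbacks using connection pointer as data */` is still accurate, but adding that the dequeue must precede the cleanup because the cleanup may drop the last reference to conn would stop a future reorder from reintroducing the bug.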
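Review bot: in the hci_sync.c hunk, the new `if (!hci_conn_valid(hdev, conn)) return;` in le_read_features_complete() is a check-then-act on a pointer the commit message says another thread can free, so unless this completion callback runs with hci_dev_lock held the connection can still be deleted between the validity check and hci_conn_drop(conn); please either say which lock serializes the two or take hci_dev_lock()/hci_dev_unlock() around them. It would also help to explain why the dequeue change in hci_conn_del() does not already cover this path: the existing `if (err == -ECANCELED) return;` handles an entry that was dequeued, whereas the new check is for an entry whose work was already running when conn was freed, and in that case the reference taken when the request was queued is intentionally not dropped because the object no longer exists.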