From: Jann Horn
Date: Mon, 04 May 2026 17:10:51 +0200
Subject: [PATCH] Bluetooth: fix UAF read of ->accept_q in bt_accept_poll()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260504-bluetooth-accept-uaf-fix-v1-1-1ca63c0efadd@google.com>
To: Marcel Holtmann, Luiz Augusto von Dentz, linux-bluetooth@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jann Horn

Use lock_sock() to guard against bt_accept_poll() racing with concurrent
close(accept()), which can lead to UAF:

task 1                                  task 2
======                                  ======
__x64_sys_poll
 __se_sys_poll
  __do_sys_poll
   do_sys_poll
    do_poll
     do_pollfd
      vfs_poll
       sock_poll
        bt_sock_poll
         bt_accept_poll
          [read ->accept_q next pointer]
                                        __x64_sys_accept
                                         __se_sys_accept
                                          __do_sys_accept
                                           __sys_accept4
                                            __sys_accept4_file
                                             do_accept
                                              l2cap_sock_accept
                                               bt_accept_dequeue
                                                bt_accept_unlink
                                                 [removes new socket from ->accept_q]
                                        __x64_sys_close
                                         __se_sys_close
                                          __do_sys_close
                                           fput_close_sync
                                            __fput
                                             sock_close
                                              __sock_release
                                               l2cap_sock_release
                                                l2cap_sock_kill
                                                 sock_put
                                                  sk_free
                                                   __sk_free
                                                    sk_destruct
                                                     __sk_destruct
                                                      [frees new socket]
          [UAF read of ->sk_state]

This UAF only leads to incorrect reads; it does not corrupt memory. It is
a fairly tight race window; I believe every race attempt requires an
incoming bluetooth connection; and the leaked data is limited.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
---
 net/bluetooth/af_bluetooth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 33d053d63407..d24897167838 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -521,13 +521,17 @@ static inline __poll_t bt_accept_poll(struct sock *parent)
 	struct bt_sock *s, *n;
 	struct sock *sk;
 
+	lock_sock(parent);
 	list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
 		sk = (struct sock *)s;
 		if (sk->sk_state == BT_CONNECTED ||
 		    (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags) &&
-		     sk->sk_state == BT_CONNECT2))
+		     sk->sk_state == BT_CONNECT2)) {
+			release_sock(parent);
 			return EPOLLIN | EPOLLRDNORM;
+		}
 	}
+	release_sock(parent);
 
 	return 0;
 }

---
base-commit: 6d35786de28116ecf78797a62b84e6bf3c45aa5a
change-id: 20260504-bluetooth-accept-uaf-fix-df393cbda114

-- 
Jann Horn
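Review bot: the hunk unlocks on two separate exit paths (`release_sock(parent);` before the early `return EPOLLIN | EPOLLRDNORM;` inside the loop and again before `return 0;`), which is easy to get wrong if another return is added to this function later; consider a single exit instead, e.g. declare `__poll_t mask = 0;`, set `mask = EPOLLIN | EPOLLRDNORM; break;` in the loop, and finish with `release_sock(parent); return mask;`. A one-line comment above `lock_sock(parent);` stating that the lock serializes the ->accept_q walk against bt_accept_unlink() running from accept() would also help, since nothing in the function body explains why the lock is now required. Finally, since lock_sock() is not recursive, it is worth stating in the commit message that no caller of bt_sock_poll() reaches bt_accept_poll() with the parent socket lock already held.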