[PW_SID:1036498] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work #3235

BluezTestBot · 2025-12-25T01:14:09Z

syzbot reported a slab-use-after-free in hci_cmd_work.
The issue is that hci_send_cmd_sync() consumes the skb reference
(either by passing it to the driver which frees it, or by calling
kfree_skb() on error), but the skb might be accessed after the call
in certain configurations or due to race conditions with the freeing
process (e.g. vhci_read).

Explicitly hold a reference to the skb using skb_get() before calling
hci_send_cmd_sync() and release it with kfree_skb() afterwards. This
ensures the skb object remains valid throughout the function call,
regardless of how hci_send_cmd_sync() handles the original reference.

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek swilczek.lx@gmail.com

net/bluetooth/hci_core.c | 3 +++
1 file changed, 3 insertions(+)

This patch adds workflow files for ci: [sync.yml] - The workflow file for scheduled work - Sync the repo with upstream repo and rebase the workflow branch - Review the patches in the patchwork and creates the PR if needed [ci.yml] - The workflow file for CI tasks - Run CI tests when PR is created Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>

syzbot reported a slab-use-after-free in hci_cmd_work. The issue is that hci_send_cmd_sync() consumes the skb reference (either by passing it to the driver which frees it, or by calling kfree_skb() on error), but the skb might be accessed after the call in certain configurations or due to race conditions with the freeing process (e.g. vhci_read). Explicitly hold a reference to the skb using skb_get() before calling hci_send_cmd_sync() and release it with kfree_skb() afterwards. This ensures the skb object remains valid throughout the function call, regardless of how hci_send_cmd_sync() handles the original reference. Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>

github-actions · 2025-12-25T01:17:24Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.35 seconds
Result: PENDING

github-actions · 2025-12-25T01:17:24Z

GitLint
Desc: Run gitlint
Duration: 0.26 seconds
Result: PENDING

github-actions · 2025-12-25T01:17:25Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.11 seconds
Result: PASS

github-actions · 2025-12-25T01:17:54Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.01 seconds
Result: PASS

github-actions · 2025-12-25T01:18:25Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.27 seconds
Result: PASS

github-actions · 2025-12-25T01:19:00Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 30.42 seconds
Result: WARNING
Output:

net/bluetooth/hci_core.c:85:9: warning: context imbalance in '__hci_dev_get' - different lock contexts for basic blocknet/bluetooth/hci_core.c: note: in included file (through include/linux/notifier.h, include/linux/memory_hotplug.h, include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, include/linux/radix-tree.h, ...):

github-actions · 2025-12-25T01:19:29Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.45 seconds
Result: PASS

github-actions · 2025-12-25T01:28:37Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 547.75 seconds
Result: PASS

github-actions · 2025-12-25T01:29:06Z

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 27.98 seconds
Result: PASS

github-actions · 2025-12-25T01:30:31Z

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 84.99 seconds
Result: PASS

github-actions · 2025-12-25T01:30:38Z

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.19 seconds
Result: PASS

github-actions · 2025-12-25T01:32:35Z

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 116.22 seconds
Result: FAIL
Output:

Total: 494, Passed: 486 (98.4%), Failed: 4, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.106 seconds
LL Privacy - Add Device 3 (AL is full)               Failed       0.196 seconds
LL Privacy - Set Flags 3 (2 Devices to RL)           Failed       0.193 seconds
LL Privacy - Start Discovery 2 (Disable RL)          Failed       0.184 seconds

github-actions · 2025-12-25T01:32:45Z

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.28 seconds
Result: PASS

github-actions · 2025-12-25T01:33:00Z

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.26 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

github-actions · 2025-12-25T01:33:11Z

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.12 seconds
Result: PASS

github-actions · 2025-12-25T01:33:23Z

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 11.41 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.052 seconds
Mesh - Send cancel - 2                               Timed out    1.992 seconds

github-actions · 2025-12-25T01:33:32Z

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.39 seconds
Result: PASS

github-actions · 2025-12-25T01:33:39Z

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.48 seconds
Result: PASS

github-actions · 2025-12-25T01:33:40Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.72 seconds
Result: PENDING

tedd-an and others added 2 commits December 22, 2025 19:50

github-actions bot force-pushed the workflow branch 5 times, most recently from 264a7dc to e7984f7 Compare January 12, 2026 20:31

github-actions bot force-pushed the workflow branch from e7984f7 to e352d45 Compare January 15, 2026 16:43

[PW_SID:1036498] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work #3235

Are you sure you want to change the base?

[PW_SID:1036498] Bluetooth: hci_core: Fix slab-use-after-free in hci_cmd_work #3235

Uh oh!

Conversation

BluezTestBot commented Dec 25, 2025

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca Signed-off-by: Szymon Wilczek swilczek.lx@gmail.com

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

github-actions bot commented Dec 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek swilczek.lx@gmail.com