Commit 59e932de authored May 12, 2026 by Jann Horn Committed by Luiz Augusto von Dentz May 20, 2026

Bluetooth: bnep: Fix UAF read of dev->name



bnep_add_connection() needs to keep holding the bnep_session_sem while
reading dev->name (just like bnep_get_connlist() does); otherwise the
bnep_session() thread can concurrently free the net_device, which can for
example be triggered by a concurrent bnep_del_connection().

(This UAF is fairly uninteresting from a security perspective;
calling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)
check. It also requires completely tearing down a netdev during a fairly
tight race window.)

Cc: stable@vger.kernel.org
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

parent 375ba748

net/bluetooth/bnep/core.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -645,8 +645,8 @@ int bnep_add_connection(struct bnep_connadd_req req, struct socket sock)
		goto failed;
		}

		up_write(&bnep_session_sem);
		strcpy(req->device, dev->name);
		up_write(&bnep_session_sem);
		return 0;

		failed: