Message-Id: <20240908133747.2610-1-hdanton@sina.com>
Date: Sun, 8 Sep 2024 21:37:47 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+c12e2f941af1feb5632c@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)
On Sat, 07 Sep 2024 07:42:26 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 788220eee30d Merge tag 'pm-6.11-rc7' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1304189f980000
#syz test
--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -3782,13 +3782,18 @@ static void hci_acldata_packet(struct hc
hci_dev_lock(hdev);
conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (conn)
+ hci_conn_get(conn);
hci_dev_unlock(hdev);
if (conn) {
hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
+ hci_req_sync_lock(hdev);
/* Send to upper protocol */
l2cap_recv_acldata(conn, skb, flags);
+ hci_req_sync_unlock(hdev);
+ hci_conn_put(conn);
return;
} else {
bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
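Review bot: the hci_req_sync_lock()/hci_req_sync_unlock() pair added around l2cap_recv_acldata() is the part of this hunk that needs justification, and the patch carries no description of what it serialises against. The hci_conn_get()/hci_conn_put() pair, taken while hci_dev_lock() is still held, already keeps the connection object alive across the unlocked call, so the extra mutex is only warranted if a separate race with the synchronous request path is being closed; please state that race in the change description, and confirm that no caller of hci_req_sync_lock() waits on packet processing while holding it, since this makes the ACL receive path block on that mutex. A smaller point: hci_conn_get() is taken only in the `if (conn)` branch and released before the early return, so the else branch correctly carries no reference to drop.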