lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CABBYNZJ4zvkqFY8QjO+7_vJS-LGfqRyzQtRzcgOAToNUo0onFA@mail.gmail.com>
Date: Mon, 15 Sep 2025 12:18:45 -0400
From: Luiz Augusto von Dentz <luiz.dentz@...il.com>
To: Cen Zhang <zzzccc427@...il.com>
Cc: johan.hedberg@...il.com, marcel@...tmann.org, linux-kernel@...r.kernel.org, 
	baijiaju1990@...il.com, zhenghaoran154@...il.com, r33s3n6@...il.com, 
	linux-bluetooth@...r.kernel.org, "gality369@...il.com" <gality369@...il.com>
Subject: Re: [BUG]: slab-use-after-free Read in mgmt_set_powered_complete

Hi Cen,

On Mon, Sep 15, 2025 at 12:16 PM Luiz Augusto von Dentz
<luiz.dentz@...il.com> wrote:
>
> Hi Cen,
>
> On Mon, Sep 15, 2025 at 11:40 AM Cen Zhang <zzzccc427@...il.com> wrote:
> >
> > Hi Luiz,
> >
> > Thank you for the nice patch. I've been testing your patch for some
> > time now, and it appears to have successfully resolved the original
> > issue.
> >
> > However, during my extended testing, I discovered two similar bugs
> > that might be worth fixing together. Here's the detailed report:
> >
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in set_le_sync+0x86/0x810
> > net/bluetooth/mgmt.c:2096
> > Read of size 8 at addr ffff888147503220 by task kworker/u17:6/352
> >
> > CPU: 3 UID: 0 PID: 352 Comm: kworker/u17:6 Not tainted
> > 6.17.0-rc5-ge5bbb70171d1-dirty #15 PREEMPT(voluntary)
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Workqueue: hci0 hci_cmd_sync_work
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:94 [inline]
> >  dump_stack_lvl+0xca/0x130 lib/dump_stack.c:120
> >  print_address_description mm/kasan/report.c:378 [inline]
> >  print_report+0x171/0x7f0 mm/kasan/report.c:482
> >  kasan_report+0x139/0x170 mm/kasan/report.c:595
> >  set_le_sync+0x86/0x810 net/bluetooth/mgmt.c:2096
>
> Looks like we are still accessing things like cmd->param before
> checking if that is still valid.

Hit send too soon, here is the v6 that attempts to clean up the
existing access of cmd before checking that it is still valid.

> >  hci_cmd_sync_work+0x798/0xaf0 net/bluetooth/hci_sync.c:332
> >  process_one_work kernel/workqueue.c:3236 [inline]
> >  process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
> >  worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
> >  kthread+0x3d4/0x800 kernel/kthread.c:463
> >  ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> >  </TASK>
> >
> > Allocated by task 193:
> >  kasan_save_stack mm/kasan/common.c:47 [inline]
> >  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> >  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
> >  __kasan_kmalloc+0x72/0x90 mm/kasan/common.c:405
> >  kmalloc_noprof include/linux/slab.h:905 [inline]
> >  kzalloc_noprof include/linux/slab.h:1039 [inline]
> >  mgmt_pending_new+0xcd/0x580 net/bluetooth/mgmt_util.c:269
> >  mgmt_pending_add+0x54/0x410 net/bluetooth/mgmt_util.c:296
> >  set_le+0xd73/0x15f0 net/bluetooth/mgmt.c:2547
> >  hci_mgmt_cmd+0x1ee4/0x33f0 net/bluetooth/hci_sock.c:1719
> >  hci_sock_sendmsg+0xcb0/0x2510 net/bluetooth/hci_sock.c:1839
> >  sock_sendmsg_nosec net/socket.c:714 [inline]
> >  __sock_sendmsg+0x21c/0x270 net/socket.c:729
> >  sock_write_iter+0x1b7/0x250 net/socket.c:1179
> >  do_iter_readv_writev+0x598/0x760
> >  vfs_writev+0x3c8/0xd20 fs/read_write.c:1057
> >  do_writev+0x105/0x270 fs/read_write.c:1103
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > Freed by task 6434:
> >  kasan_save_stack mm/kasan/common.c:47 [inline]
> >  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> >  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
> >  poison_slab_object mm/kasan/common.c:243 [inline]
> >  __kasan_slab_free+0x41/0x50 mm/kasan/common.c:275
> >  kasan_slab_free include/linux/kasan.h:233 [inline]
> >  slab_free_hook mm/slub.c:2428 [inline]
> >  slab_free mm/slub.c:4701 [inline]
> >  kfree+0x189/0x390 mm/slub.c:4900
> >  mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
> >  mgmt_pending_foreach+0x6c4/0x8a0 net/bluetooth/mgmt_util.c:257
> >  __mgmt_power_off+0x19e/0x3e0 net/bluetooth/mgmt.c:9479
> >  hci_dev_close_sync+0x1064/0x2c10 net/bluetooth/hci_sync.c:5290
> >  hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
> >  hci_dev_close+0x232/0x460 net/bluetooth/hci_core.c:526
> >  hci_sock_ioctl+0x785/0x1000 net/bluetooth/hci_sock.c:1135
> >  sock_do_ioctl+0x7f/0x2e0 net/socket.c:1238
> >  sock_ioctl+0x521/0x6a0 net/socket.c:1359
> >  vfs_ioctl fs/ioctl.c:51 [inline]
> >  __do_sys_ioctl fs/ioctl.c:598 [inline]
> >  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > The buggy address belongs to the object at ffff888147503200
> >  which belongs to the cache kmalloc-96 of size 96
> > The buggy address is located 32 bytes inside of
> >  freed 96-byte region [ffff888147503200, ffff888147503260)
> > ==================================================================
> >
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in set_name_complete+0x8e/0x790
> > net/bluetooth/mgmt.c:3890
> > Read of size 8 at addr ffff888145c595a0 by task kworker/u17:3/364
> >
> > CPU: 0 UID: 0 PID: 364 Comm: kworker/u17:3 Not tainted
> > 6.17.0-rc5-ge5bbb70171d1-dirty #15 PREEMPT(voluntary)
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Workqueue: hci0 hci_cmd_sync_work
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:94 [inline]
> >  dump_stack_lvl+0xca/0x130 lib/dump_stack.c:120
> >  print_address_description mm/kasan/report.c:378 [inline]
> >  print_report+0x171/0x7f0 mm/kasan/report.c:482
> >  kasan_report+0x139/0x170 mm/kasan/report.c:595
> >  set_name_complete+0x8e/0x790 net/bluetooth/mgmt.c:3890
> >  hci_cmd_sync_work+0x8df/0xaf0 net/bluetooth/hci_sync.c:334
> >  process_one_work kernel/workqueue.c:3236 [inline]
> >  process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
> >  worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
> >  kthread+0x3d4/0x800 kernel/kthread.c:463
> >  ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> >  </TASK>
> >
> > Allocated by task 191:
> >  kasan_save_stack mm/kasan/common.c:47 [inline]
> >  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> >  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
> >  __kasan_kmalloc+0x72/0x90 mm/kasan/common.c:405
> >  kmalloc_noprof include/linux/slab.h:905 [inline]
> >  kzalloc_noprof include/linux/slab.h:1039 [inline]
> >  mgmt_pending_new+0xcd/0x580 net/bluetooth/mgmt_util.c:269
> >  mgmt_pending_add+0x54/0x410 net/bluetooth/mgmt_util.c:296
> >  set_local_name+0x390/0x910 net/bluetooth/mgmt.c:3975
> >  hci_mgmt_cmd+0x1ee4/0x33f0 net/bluetooth/hci_sock.c:1719
> >  hci_sock_sendmsg+0xcb0/0x2510 net/bluetooth/hci_sock.c:1839
> >  sock_sendmsg_nosec net/socket.c:714 [inline]
> >  __sock_sendmsg+0x21c/0x270 net/socket.c:729
> >  sock_write_iter+0x1b7/0x250 net/socket.c:1179
> >  do_iter_readv_writev+0x598/0x760
> >  vfs_writev+0x3c8/0xd20 fs/read_write.c:1057
> >  do_writev+0x105/0x270 fs/read_write.c:1103
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > Freed by task 23433:
> >  kasan_save_stack mm/kasan/common.c:47 [inline]
> >  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> >  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
> >  poison_slab_object mm/kasan/common.c:243 [inline]
> >  __kasan_slab_free+0x41/0x50 mm/kasan/common.c:275
> >  kasan_slab_free include/linux/kasan.h:233 [inline]
> >  slab_free_hook mm/slub.c:2428 [inline]
> >  slab_free mm/slub.c:4701 [inline]
> >  kfree+0x189/0x390 mm/slub.c:4900
> >  mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
> >  mgmt_pending_foreach+0x6c4/0x8a0 net/bluetooth/mgmt_util.c:257
> >  __mgmt_power_off+0x19e/0x3e0 net/bluetooth/mgmt.c:9479
> >  hci_dev_close_sync+0x1064/0x2c10 net/bluetooth/hci_sync.c:5290
> >  hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
> >  hci_dev_close+0x232/0x460 net/bluetooth/hci_core.c:526
> >  hci_sock_ioctl+0x785/0x1000 net/bluetooth/hci_sock.c:1135
> >  sock_do_ioctl+0x7f/0x2e0 net/socket.c:1238
> >  sock_ioctl+0x521/0x6a0 net/socket.c:1359
> >  vfs_ioctl fs/ioctl.c:51 [inline]
> >  __do_sys_ioctl fs/ioctl.c:598 [inline]
> >  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > The buggy address belongs to the object at ffff888145c59580
> >  which belongs to the cache kmalloc-96 of size 96
> > The buggy address is located 32 bytes inside of
> >  freed 96-byte region [ffff888145c59580, ffff888145c595e0)
> >
> > The buggy address belongs to the physical page:
> > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c59
> > flags: 0x200000000000000(node=0|zone=2)
> > page_type: f5(slab)
> > raw: 0200000000000000 ffff888100042280 ffffea0004579a00 dead000000000002
> > raw: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >  ffff888145c59480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> >  ffff888145c59500: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > >ffff888145c59580: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> >                                ^
> >  ffff888145c59600: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> >  ffff888145c59680: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > ==================================================================
> >
> >
> > Best regards,
> > Cen Zhang
> >
> > Luiz Augusto von Dentz <luiz.dentz@...il.com> 于2025年9月15日周一 20:59写道:
> > >
> > > Hi Cen,
> > >
> > > On Fri, Sep 12, 2025 at 11:01 PM cen zhang <zzzccc427@...il.com> wrote:
> > > >
> > > > Hi Luiz,
> > > >
> > > > I've just started testing the patch, and it seems to have introduced a
> > > > new issue. I've attached the detailed report below:
> > > >
> > > > ==================================================================
> > > > BUG: KASAN: slab-use-after-free in mgmt_pending_valid+0x8f/0x7e0
> > > > net/bluetooth/mgmt_util.c:330
> > > > Read of size 8 at addr ffff888140eae198 by task kworker/u17:2/82
> > > >
> > > > CPU: 1 UID: 0 PID: 82 Comm: kworker/u17:2 Not tainted
> > > > 6.17.0-rc5-ge5bbb70171d1-dirty #8 PREEMPT(voluntary)
> > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > > > Workqueue: hci0 hci_cmd_sync_work
> > > > Call Trace:
> > > >  <TASK>
> > > >  __dump_stack lib/dump_stack.c:94 [inline]
> > > >  dump_stack_lvl+0xca/0x130 lib/dump_stack.c:120
> > > >  print_address_description mm/kasan/report.c:378 [inline]
> > > >  print_report+0x171/0x7f0 mm/kasan/report.c:482
> > > >  kasan_report+0x139/0x170 mm/kasan/report.c:595
> > > >  mgmt_pending_valid+0x8f/0x7e0 net/bluetooth/mgmt_util.c:330
> > >
> > > Looks like this is the result of trying to access the cmd->hdev, which
> > > is definitely wrong since the whole point of the function is to try to
> > > determine if cmd is still valid, so please try with the v5.
> > >
> > > >  mgmt_set_powered_complete+0x81/0xf20 net/bluetooth/mgmt.c:1326
> > > >  hci_cmd_sync_work+0x8df/0xaf0 net/bluetooth/hci_sync.c:334
> > > >  process_one_work kernel/workqueue.c:3236 [inline]
> > > >  process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
> > > >  worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
> > > >  kthread+0x3d4/0x800 kernel/kthread.c:463
> > > >  ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
> > > >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > >  </TASK>
> > > >
> > > > Allocated by task 195:
> > > >  kasan_save_stack mm/kasan/common.c:47 [inline]
> > > >  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> > > >  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
> > > >  __kasan_kmalloc+0x72/0x90 mm/kasan/common.c:405
> > > >  kmalloc_noprof include/linux/slab.h:905 [inline]
> > > >  kzalloc_noprof include/linux/slab.h:1039 [inline]
> > > >  mgmt_pending_new+0xcd/0x580 net/bluetooth/mgmt_util.c:269
> > > >  mgmt_pending_add+0x54/0x410 net/bluetooth/mgmt_util.c:296
> > > >  set_powered+0x8c6/0xea0 net/bluetooth/mgmt.c:1406
> > > >  hci_mgmt_cmd+0x1ee4/0x33f0 net/bluetooth/hci_sock.c:1719
> > > >  hci_sock_sendmsg+0xcb0/0x2510 net/bluetooth/hci_sock.c:1839
> > > >  sock_sendmsg_nosec net/socket.c:714 [inline]
> > > >  __sock_sendmsg+0x21c/0x270 net/socket.c:729
> > > >  sock_write_iter+0x1b7/0x250 net/socket.c:1179
> > > >  do_iter_readv_writev+0x598/0x760
> > > >  vfs_writev+0x3c8/0xd20 fs/read_write.c:1057
> > > >  do_writev+0x105/0x270 fs/read_write.c:1103
> > > >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > > >  do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
> > > >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > >
> > > > Freed by task 82:
> > > >  kasan_save_stack mm/kasan/common.c:47 [inline]
> > > >  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> > > >  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
> > > >  poison_slab_object mm/kasan/common.c:243 [inline]
> > > >  __kasan_slab_free+0x41/0x50 mm/kasan/common.c:275
> > > >  kasan_slab_free include/linux/kasan.h:233 [inline]
> > > >  slab_free_hook mm/slub.c:2428 [inline]
> > > >  slab_free mm/slub.c:4701 [inline]
> > > >  kfree+0x189/0x390 mm/slub.c:4900
> > > >  mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
> > > >  mgmt_pending_foreach+0x6c4/0x8a0 net/bluetooth/mgmt_util.c:257
> > > >  mgmt_power_on+0x43d/0x5e0 net/bluetooth/mgmt.c:9448
> > > >  hci_dev_open_sync+0x44fa/0x5060 net/bluetooth/hci_sync.c:5137
> > > >  hci_power_on_sync net/bluetooth/hci_sync.c:5376 [inline]
> > > >  hci_set_powered_sync+0x43e/0xfa0 net/bluetooth/hci_sync.c:5768
> > > >  set_powered_sync+0x1e0/0x2c0 net/bluetooth/mgmt.c:1369
> > > >  hci_cmd_sync_work+0x798/0xaf0 net/bluetooth/hci_sync.c:332
> > > >  process_one_work kernel/workqueue.c:3236 [inline]
> > > >  process_scheduled_works+0x7a8/0x1030 kernel/workqueue.c:3319
> > > >  worker_thread+0xb97/0x11d0 kernel/workqueue.c:3400
> > > >  kthread+0x3d4/0x800 kernel/kthread.c:463
> > > >  ret_from_fork+0x13b/0x1e0 arch/x86/kernel/process.c:148
> > > >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > >
> > > > The buggy address belongs to the object at ffff888140eae180
> > > >  which belongs to the cache kmalloc-96 of size 96
> > > > The buggy address is located 24 bytes inside of
> > > >  freed 96-byte region [ffff888140eae180, ffff888140eae1e0)
> > > >
> > > > The buggy address belongs to the physical page:
> > > > page: refcount:0 mapcount:0 mapping:0000000000000000
> > > > index:0xffff888140eae200 pfn:0x140eae
> > > > flags: 0x200000000000200(workingset|node=0|zone=2)
> > > > page_type: f5(slab)
> > > > raw: 0200000000000200 ffff888100042280 ffffea0004763ad0 ffffea0004763a90
> > > > raw: ffff888140eae200 000000000020001f 00000000f5000000 0000000000000000
> > > > page dumped because: kasan: bad access detected
> > > >
> > > > Memory state around the buggy address:
> > > >  ffff888140eae080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > > >  ffff888140eae100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > > > >ffff888140eae180: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > > >                             ^
> > > >  ffff888140eae200: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > > >  ffff888140eae280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> > > > ==================================================================
> > > >
> > > > Best regards,
> > > > Cen Zhang
> > > >
> > > > cen zhang <zzzccc427@...il.com> 于2025年9月13日周六 10:16写道:
> > > > >
> > > > > Hi Luiz,
> > > > >
> > > > > Thanks for your patch! It not only addresses the TOCTOU issue we
> > > > > discussed but may also fix another bug I reported
> > > > > (https://lore.kernel.org/linux-bluetooth/CAFRLqsWWMnrZ6y8MUMUSK=tmAb3r8_jfSwqforOoR8_-=XgX7g@mail.gmail.com/T/#u).
> > > > >
> > > > > I will test it soon to confirm.
> > > > >
> > > > > Thanks again for the great work.
> > > > >
> > > > > Best regards,
> > > > >
> > > > > Cen Zhang
> > > > >
> > > > > Luiz Augusto von Dentz <luiz.dentz@...il.com> 于2025年9月13日周六 02:29写道:
> > > > > >
> > > > > > Hi Cen,
> > > > > >
> > > > > > On Fri, Sep 12, 2025 at 11:59 AM cen zhang <zzzccc427@...il.com> wrote:
> > > > > > >
> > > > > > > Hi Luiz,
> > > > > > >
> > > > > > > Thank you for your quick response and the important clarification
> > > > > > > about hci_cmd_sync_dequeue().
> > > > > > >
> > > > > > > You are absolutely correct - I was indeed referring to the TOCTOU
> > > > > > > problem in pending_find(), not the -ECANCELED check. The
> > > > > > > hci_cmd_sync_dequeue() call in cmd_complete_rsp() is a crucial detail
> > > > > > > that I initially overlooked in my analysis.
> > > > > > >
> > > > > > > After examining the code more carefully, I can see that while
> > > > > > > hci_cmd_sync_dequeue() does attempt to remove pending sync commands
> > > > > > > from the queue, but it cannot prevent the race condition we're seeing.
> > > > > > > The fundamental issue is that hci_cmd_sync_dequeue() can only remove
> > > > > > > work items that are still queued, but cannot stop work items that are
> > > > > > > already executing or about to execute their completion callbacks.
> > > > > > >
> > > > > > > The race window occurs when:
> > > > > > > 1. mgmt_set_powered_complete() is about to execute (work item has been dequeued)
> > > > > > > 2. mgmt_index_removed() -> mgmt_pending_foreach() -> cmd_complete_rsp() executes
> > > > > > > 3. hci_cmd_sync_dequeue() removes queued items but cannot affect the
> > > > > > > already-running callback
> > > > > > > 4. mgmt_pending_free() frees the cmd object
> > > > > > > 5. mgmt_set_powered_complete() still executes and accesses freed cmd->param
> > > > > > >
> > > > > > > I am sorry that I haven't get a reliable reproducer from syzkaller for
> > > > > > > this bug may be due to it is timing-sensitive.
> > > > > >
> > > > > > Let's try to fix all instances then, since apparently there is more
> > > > > > than one cmd with this pattern, please test with the attached patch.
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz



-- 
Luiz Augusto von Dentz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ