Re: [syzbot] [bluetooth?] general protection fault in h4_recv

Next message: Menglong Dong: " Re: [PATCH bpf-next v2 1/3] bpf: add missing fsession to the verifier log"
Previous message: David Laight: "Re: [PATCH v3 1/1] mtd: cfi_cmdset_0001: Factor out do_write_buffer_locked() to reduce stack frame"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] general protection fault in h4_recv"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] general protection fault in h4_recv"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Thu Apr 09 2026 - 07:29:24 EST

#syz test

diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
index a889a66a326f..07cc2a79a77b 100644
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -109,6 +109,9 @@ static int h4_recv(struct hci_uart *hu, const void *data, int count)
{
struct h4_struct *h4 = hu->priv;

+ if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
+ return -EUNATCH;
+
h4->rx_skb = h4_recv_buf(hu, h4->rx_skb, data, count,
h4_recv_pkts, ARRAY_SIZE(h4_recv_pkts));
if (IS_ERR(h4->rx_skb)) {