Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)

From: Hillf Danton
Date: Sun Sep 08 2024 - 08:50:50 EST

Next message: Christophe Leroy: "[PATCH] powerpc: Add __must_check to set_memory_...()"
Previous message: Masahiro Yamada: "[PATCH 6/6] kconfig: cache expression values"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 07 Sep 2024 07:42:26 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 788220eee30d Merge tag 'pm-6.11-rc7' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1304189f980000

#syz test

--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -3787,8 +3787,10 @@ static void hci_acldata_packet(struct hc
if (conn) {
hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);

+ hci_req_sync_lock(hdev);
/* Send to upper protocol */
l2cap_recv_acldata(conn, skb, flags);
+ hci_req_sync_unlock(hdev);
return;
} else {
bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
--

Next message: Christophe Leroy: "[PATCH] powerpc: Add __must_check to set_memory_...()"
Previous message: Masahiro Yamada: "[PATCH 6/6] kconfig: cache expression values"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]