Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)

From: Hillf Danton
Date: Sun Sep 08 2024 - 09:38:21 EST

Next message: Tang Bin: "[PATCH] ASoC: codecs: fix the right check and simplify code"
Previous message: Jan Kiszka: "Re: [PATCH v8 3/4] driver core: shut down devices asynchronously"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 07 Sep 2024 07:42:26 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 788220eee30d Merge tag 'pm-6.11-rc7' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1304189f980000

#syz test

--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -3782,13 +3782,18 @@ static void hci_acldata_packet(struct hc

hci_dev_lock(hdev);
conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (conn)
+ hci_conn_get(conn);
hci_dev_unlock(hdev);

if (conn) {
hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);

+ hci_req_sync_lock(hdev);
/* Send to upper protocol */
l2cap_recv_acldata(conn, skb, flags);
+ hci_req_sync_unlock(hdev);
+ hci_conn_put(conn);
return;
} else {
bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
--

Next message: Tang Bin: "[PATCH] ASoC: codecs: fix the right check and simplify code"
Previous message: Jan Kiszka: "Re: [PATCH v8 3/4] driver core: shut down devices asynchronously"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_connect (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]