Re: [syzbot] [bluetooth?] KMSAN: uninit-value in hci_rx_work

From: Edward Adam Davis
Date: Tue Oct 08 2024 - 05:48:05 EST

Next message: Mark Brown: "Re: [PATCH v2] ASoC: dt-bindings: rockchip,rk3036-codec: convert to yaml"
Previous message: Inochi Amaoto: "Re: [PATCH 1/1] riscv: sophgo: dts: add power key for pioneer box"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] KMSAN: uninit-value in hci_rx_work"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] KMSAN: uninit-value in hci_rx_work"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If hci_queue_acl is not executed, where does hci_acl_hdr->handle come from ?

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index d6976db02c06..6e22eb33fdc7 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3185,6 +3185,7 @@ static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,

hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;

+ printk("conn: %p, cnn H: %u, %s\n", conn, conn->handle, __func__);
hci_add_acl_hdr(skb, conn->handle, flags);

list = skb_shinfo(skb)->frag_list;
@@ -3791,8 +3792,7 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
l2cap_recv_acldata(conn, skb, flags);
return;
} else {
- bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
- handle);
+ bt_dev_err(hdev, "ACL packet for unknown connection handle");
}

kfree_skb(skb);

Next message: Mark Brown: "Re: [PATCH v2] ASoC: dt-bindings: rockchip,rk3036-codec: convert to yaml"
Previous message: Inochi Amaoto: "Re: [PATCH 1/1] riscv: sophgo: dts: add power key for pioneer box"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] KMSAN: uninit-value in hci_rx_work"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] KMSAN: uninit-value in hci_rx_work"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]