Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_sync

From: Mazin Alhaddad
Date: Thu Dec 05 2024 - 10:52:16 EST


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From fe103377fd3b4388dac32a1ccc93caa3762f6f8c Mon Sep 17 00:00:00 2001
From: Mazin AlHaddad <mazin@xxxxxxxxxxxx>
Date: Thu, 5 Dec 2024 16:00:03 +0300
Subject: [PATCH] TEST

---
net/bluetooth/hci_core.c | 2 ++
net/bluetooth/hci_sync.c | 5 +++--
2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index f9e19f9cb..6ba2b9501 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -478,6 +478,8 @@ int hci_dev_do_close(struct hci_dev *hdev)

BT_DBG("%s %p", hdev->name, hdev);

+ hci_cmd_sync_clear(hdev);
+
hci_req_sync_lock(hdev);

err = hci_dev_close_sync(hdev);
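Review bot: The added `hci_cmd_sync_clear(hdev)` is placed before `hci_req_sync_lock(hdev)`, so anything that queues a new sync command between the clear and the lock is, as far as this hunk shows, not covered by it and would still be pending when hci_dev_close_sync runs. If the intent is that every queued cmd_sync entry has its destroy callback run while its data is still valid, the call either belongs inside the locked region or needs a comment stating why the unlocked position is sufficient, e.g. `/* Cancel queued cmd_sync work before close so destroy callbacks run while their data is still live */`. The patch carries no description, so the ordering it relies on is not recorded anywhere; hci_dev_do_close begins outside the hunk.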
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index c86f4e42e..aa5aa3fed 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5197,6 +5197,9 @@ int hci_dev_close_sync(struct hci_dev *hdev)
*/
drain_workqueue(hdev->workqueue);

+ /* flush cmd work */
+ flush_work(&hdev->cmd_work);
+
hci_dev_lock(hdev);

hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
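Review bot: The relocated `flush_work(&hdev->cmd_work)` waits only for the cmd_work instance that is queued at that moment; it does not, by itself, prevent the work from being queued again afterwards, so whether this ordering closes the use-after-free presumably depends on what the preceding drain_workqueue already guarantees — worth confirming rather than assuming. The comment `/* flush cmd work */` restates the call and should instead say why it now precedes hci_dev_lock, e.g. `/* Wait for in-flight cmd_work so no command completion runs against the state torn down below */`. The deletion in the second hunk is the matching half of this move; hci_dev_close_sync continues outside both hunks.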
@@ -5234,8 +5237,6 @@ int hci_dev_close_sync(struct hci_dev *hdev)
clear_bit(HCI_INIT, &hdev->flags);
}

- /* flush cmd work */
- flush_work(&hdev->cmd_work);

/* Drop queues */
skb_queue_purge(&hdev->rx_q);
--
2.46.0