Re: [syzbot] Re: [syzbot] [bluetooth?] BUG: corrupted list in hci_chan_del (2)
From: syzbot
Date: Thu Feb 06 2025 - 23:09:42 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx.
***
Subject: Re: [syzbot] [bluetooth?] BUG: corrupted list in hci_chan_del (2)
Author: lizhi.xu@xxxxxxxxxxxxx
The old logic makes the get/put unbalanced in l2cap_recv_acldata,
so remove the get/put of conn.
Move chan_del from l2cap_conn_free to conn_del, to avoid the upper level l2cap_sock_release calling it twice.
#syz test
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index adb8c33ac595..bbaf2141578b 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1801,6 +1801,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
}
mutex_unlock(&conn->chan_lock);
+ hci_chan_del(conn->hchan);
if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
cancel_delayed_work_sync(&conn->info_timer);
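Review bot: After the added `hci_chan_del(conn->hchan);` the `conn->hchan` field still points at a channel that has just been deleted, and with the deletion moved out of `l2cap_conn_free` (hunk at line 1813) that pointer now outlives the channel for as long as other kref holders keep the conn alive, so any reader of `conn->hchan` between `l2cap_conn_del()` and the final put would see a stale pointer; consider following the call with `conn->hchan = NULL;` so a late access fails visibly instead of dereferencing freed memory. Whether this actually removes a double call depends on `l2cap_conn_del()` running exactly once per conn, which the hunk does not show; a short comment at the call site naming the path that guarantees it would help, e.g. `/* Detach the HCI channel here; l2cap_conn_free() no longer does it. */`. l2cap_conn_del's body starts and ends outside the hunk.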
@@ -1813,7 +1814,6 @@ static void l2cap_conn_free(struct kref *ref)
{
struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
- hci_chan_del(conn->hchan);
hci_conn_put(conn->hcon);
kfree(conn);
}
@@ -7497,8 +7497,6 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
if (!conn)
conn = l2cap_conn_add(hcon);
- conn = l2cap_conn_hold_unless_zero(conn);
-
hci_dev_unlock(hcon->hdev);
if (!conn)
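Review bot: Dropping `l2cap_conn_hold_unless_zero(conn)` here, together with the matching `l2cap_conn_put(conn)` removed in the hunk at line 7590, leaves l2cap_recv_acldata using `conn` after `hci_dev_unlock(hcon->hdev)` without holding a reference of its own, and the description does not say what else keeps the conn alive until the function returns. As visible in the two hunks the pair is balanced (one hold before the unlock, one put before the `drop:` label), so if there is a real imbalance it is presumably on an exit path outside these hunks and should be named in the commit message. If `conn` can be torn down by `l2cap_conn_del()` concurrently, removing the hold turns the reported list corruption into a use-after-free rather than fixing it, so the locking that rules that out needs to be stated. The function body continues outside both hunks.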
@@ -7592,8 +7590,6 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
break;
}
- l2cap_conn_put(conn);
-
drop:
kfree_skb(skb);
}