From: syzbot <syzbot+10bd8fe6741eedd2be2e@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] Re: [syzbot] [bluetooth?] BUG: corrupted list in hci_chan_del (2)
Date: Fri, 07 Feb 2025 04:25:29 -0800
Message-ID: <67a5fbb9.050a0220.2b1e6.001f.GAE@google.com>
In-Reply-To: <67a4b4c3.050a0220.264083.0005.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [bluetooth?] BUG: corrupted list in hci_chan_del (2)
Author: lizhi.xu@windriver.com
The old logic makes get/put unbalanced in l2cap_recv_acldata,
so remove get/put conn.
Protect conn refcnt under hci dev lock.
#syz test
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index adb8c33ac595..503626f70be5 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7497,8 +7497,6 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
if (!conn)
conn = l2cap_conn_add(hcon);
- conn = l2cap_conn_hold_unless_zero(conn);
-
hci_dev_unlock(hcon->hdev);
if (!conn)
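Review bot: Dropping `conn = l2cap_conn_hold_unless_zero(conn);` removes the only reference that kept `conn` alive once `hci_dev_unlock(hcon->hdev)` runs on the next line, yet the remainder of l2cap_recv_acldata keeps dereferencing `conn` outside the hdev lock. The commit message says the refcount is to be protected under the hci dev lock, but this hunk releases that lock immediately after obtaining `conn` and adds no replacement protection. Either keep the hold and fix whatever imbalance it had, or keep `hci_dev_unlock()` until after the last use of `conn`, and state in the commit message which get/put pair was unbalanced and on which path.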
@@ -7592,8 +7590,6 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
break;
}
- l2cap_conn_put(conn);
-
drop:
kfree_skb(skb);
}
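Review bot: The removed `l2cap_conn_put(conn);` sits above the `drop:` label, so in the pre-patch code any path that jumps to `drop:` from below the hold in the first hunk bypasses the put and leaks a reference; that looks like the imbalance the commit message alludes to. Removing both the hold and the put cures the leak by giving up the reference altogether, which reopens the window the hold was added to close. A balanced alternative is to keep the hold and perform the put on every exit, for example by moving it below `drop:` under an `if (conn)` check so that both the normal and the error exits release it.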
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 46ea0bee2259..2a99394925a5 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1359,10 +1359,12 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
l2cap_chan_lock(chan);
conn = chan->conn;
- if (conn)
+ l2cap_chan_unlock(chan);
+ if (conn) {
+ hci_dev_lock(conn->hcon->hdev);
/* prevent conn structure from being freed */
l2cap_conn_get(conn);
- l2cap_chan_unlock(chan);
+ }
if (conn)
/* mutex lock must be taken before l2cap_chan_lock() */
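Review bot: Moving `l2cap_chan_unlock(chan);` above `l2cap_conn_get(conn)` defeats the purpose recorded in the retained comment "prevent conn structure from being freed": `conn` is read from `chan->conn` under the channel lock, and once that lock is dropped nothing pins `conn` until the get, yet `conn->hcon->hdev` is dereferenced in that window to take the hdev lock. Take the reference while still holding the channel lock as before, or at least copy the hdev pointer out under the lock. Separately, the hdev mutex is now held while `mutex_lock(&conn->chan_lock)` is taken (see the ordering comment two lines down); that hdev -> chan_lock ordering needs to be checked against every other path that takes `hci_dev_lock()` together with the L2CAP locks and should be mentioned in the commit message. The second `if (conn)` directly after the new block could be folded into it.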
@@ -1375,6 +1377,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
if (conn) {
mutex_unlock(&conn->chan_lock);
l2cap_conn_put(conn);
+ hci_dev_unlock(conn->hcon->hdev);
}
lock_sock(sk);
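Review bot: `hci_dev_unlock(conn->hcon->hdev);` is placed after `l2cap_conn_put(conn);`, so if that put drops the last reference `conn` is already freed when `conn->hcon->hdev` is dereferenced on the next line, which is a use-after-free of the very object this patch is trying to protect. Save the hdev pointer in a local where the lock is acquired (for example `struct hci_dev *hdev = conn->hcon->hdev;`) and unlock through it, or reorder so the unlock precedes the put. Holding the hdev mutex from the get in the previous hunk until just before `lock_sock(sk)` also widens the hdev critical section across the whole shutdown sequence; the commit message should explain why that is acceptable.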
Thread overview: 11+ messages
2025-02-06 13:10 [syzbot] [bluetooth?] BUG: corrupted list in hci_chan_del (2) syzbot
2025-02-06 22:05 ` [syzbot] Re: [PATCH v1] Bluetooth: L2CAP: Fix corrupted list in hci_chan_del syzbot
2025-02-07 2:20 ` [syzbot] Re: [syzbot] [bluetooth?] BUG: corrupted list in hci_chan_del (2) syzbot
2025-02-07 4:09 ` syzbot
2025-02-07 6:37 ` syzbot
2025-02-07 12:25 ` syzbot [this message]
2025-02-07 14:02 ` [PATCH next] Bluetooth: l2cap: protect conn refcnt under hci dev lock Lizhi Xu
2025-02-07 14:31 ` [next] " bluez.test.bot
2025-02-08 8:20 ` [PATCH next] " kernel test robot
2025-02-07 16:13 ` [syzbot] Re: [PATCH v1] Bluetooth: L2CAP: Fix corrupted list in hci_chan_del syzbot
2025-02-07 16:54 ` syzbot