public inbox for linux-kernel@vger.kernel.org
From: Hillf Danton <hdanton@sina.com>
To: syzbot <syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com>
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_unregister_user
Date: Sat,  2 Nov 2024 09:27:10 +0800
Message-ID: <20241102012710.2865-1-hdanton@sina.com>
In-Reply-To: <67251e01.050a0220.529b6.0162.GAE@google.com>

On Fri, 01 Nov 2024 11:29:21 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    90602c251cda Merge tag 'net-6.12-rc6' of git://git.kernel...
> git tree:       upstream
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15bd9340580000

#syz test

--- l/net/bluetooth/hidp/core.c
+++ y/net/bluetooth/hidp/core.c
@@ -1302,6 +1302,7 @@ static int hidp_session_thread(void *arg
 	 * delete the session.
 	 */
 	l2cap_unregister_user(session->conn, &session->user);
+	hci_dev_put(session->conn->hcon->hdev);
 	hidp_session_put(session);
 
 	module_put_and_kthread_exit(0);
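Review bot: The added hci_dev_put(session->conn->hcon->hdev) walks session->conn and conn->hcon after l2cap_unregister_user() has returned, and the report under test is a use-after-free read in l2cap_unregister_user(), which is called with that same session->conn. Nothing in this patch shows that a reference on hdev keeps conn or hcon alive, so this line may dereference the same stale pointers it is meant to protect. Consider saving the hdev pointer in the session at the point where hci_dev_hold() is called and passing that saved pointer to hci_dev_put() here.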
@@ -1378,6 +1379,7 @@ int hidp_connection_add(const struct hid
 	ret = l2cap_register_user(conn, &session->user);
 	if (ret)
 		goto out_session;
+	hci_dev_hold(conn->hcon->hdev);
 
 	ret = 0;
 
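Review bot: hci_dev_hold(conn->hcon->hdev) is taken only after l2cap_register_user() has already succeeded, so for a short window the session user is registered without the reference this patch relies on. Taking the hold before l2cap_register_user() and dropping it on the "goto out_session" path would close that window. A one-line comment naming the matching hci_dev_put() sites would also help, since the release is split across two other functions.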
@@ -1405,8 +1407,10 @@ int hidp_connection_del(struct hidp_conn
 				       HIDP_TRANS_HID_CONTROL |
 				         HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
 				       NULL, 0);
-	else
+	else {
 		l2cap_unregister_user(session->conn, &session->user);
+		hci_dev_put(session->conn->hcon->hdev);
+	}
 
 	hidp_session_put(session);
 
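Review bot: The else branch in hidp_connection_del() now drops the hdev reference, and hidp_session_thread() also calls hci_dev_put() unconditionally on its exit path, while hidp_connection_add() takes a single hci_dev_hold(). If both paths run for one session, the reference is put twice for one hold. The put here also reads session->conn->hcon->hdev after l2cap_unregister_user(), with the same stale-pointer concern as in the thread exit path. Consider releasing the reference in exactly one place, for example where the session itself is released, using an hdev pointer stored in the session.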
--
