From: Hillf Danton <hdanton@sina.com>
To: syzbot <syzbot+bc71245e56f06e3127b7@syzkaller.appspotmail.com>
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in force_devcd_write
Date: Fri, 4 Jul 2025 22:52:10 +0800 [thread overview]
Message-ID: <20250704145211.2487-1-hdanton@sina.com> (raw)
In-Reply-To: <6867a14e.a70a0220.29cf51.0017.GAE@google.com>
> Date: Fri, 04 Jul 2025 02:39:26 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 4c06e63b9203 Merge tag 'for-6.16-rc4-tag' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11594c8c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9887aa986c36cc50
> dashboard link: https://syzkaller.appspot.com/bug?extid=bc71245e56f06e3127b7
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=139dac8c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14b90f70580000
#syz test
--- x/drivers/bluetooth/hci_vhci.c
+++ y/drivers/bluetooth/hci_vhci.c
@@ -320,11 +320,13 @@ static inline void force_devcd_timeout(s
#endif
}
+static DEFINE_MUTEX(vhci_release_lock);
+static int released = 0;
static ssize_t force_devcd_write(struct file *file, const char __user *user_buf,
size_t count, loff_t *ppos)
{
- struct vhci_data *data = file->private_data;
- struct hci_dev *hdev = data->hdev;
+ struct vhci_data *data;
+ struct hci_dev *hdev;
struct sk_buff *skb = NULL;
struct devcoredump_test_data dump_data;
size_t data_size;
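Review bot: `released` is a file-scope counter, so it records that some vhci instance was ever released, not that the instance behind this particular debugfs file is gone; once any instance is closed, every later force_devcd_write on any still-open instance fails the `if (released)` check in the next hunk with -EBUSY, and the `released++` in the last hunk never resets it. The per-instance state belongs in `struct vhci_data` (or the check should be tied to the specific `data` pointer the debugfs file was created with) rather than in a global. Separately, kernel style leaves static zero-initialisation implicit: `static int released;` instead of `static int released = 0;`. The rest of force_devcd_write's signature and body continue outside this hunk.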
@@ -343,6 +345,21 @@ static ssize_t force_devcd_write(struct
return -ENOMEM;
skb_put_data(skb, &dump_data.data, data_size);
+ if (!mutex_trylock(&vhci_release_lock)) {
+out:
+ kfree_skb(skb);
+ return -EBUSY;
+ }
+ if (released) {
+ mutex_unlock(&vhci_release_lock);
+ goto out;
+ }
+ data = file->private_data;
+ if (!data) {
+ mutex_unlock(&vhci_release_lock);
+ goto out;
+ }
+ hdev = data->hdev;
hci_devcd_register(hdev, vhci_coredump, vhci_coredump_hdr, NULL);
/* Force the devcoredump timeout */
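Review bot: The `out:` label is placed inside the body of `if (!mutex_trylock(&vhci_release_lock))`, so the two later `goto out` statements jump into a conditional block; it is legal C but reads as if those paths were still under the lock. Move the label after the `if` block: `out:` / `kfree_skb(skb);` / `return -EBUSY;` with the trylock failure doing `goto out` like the other two paths. Those two paths also return -EBUSY, which userspace cannot tell apart from lock contention; `-ENODEV` would describe "device already released" more accurately. The `if (!data)` check is probably a no-op here: if this is a debugfs file, its `file->private_data` is the `i_private` set at creation, not the char-device file's field that vhci_release clears, so it would never observe NULL — worth confirming before relying on it. If `mutex_trylock()` rather than `mutex_lock()` is deliberate (for example to avoid waiting on a release that is itself waiting for this writer), a one-line comment stating that would save the next reader from "fixing" it.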
@@ -352,6 +369,7 @@ static ssize_t force_devcd_write(struct
ret = hci_devcd_init(hdev, skb->len);
if (ret) {
BT_ERR("Failed to generate devcoredump");
+ mutex_unlock(&vhci_release_lock);
kfree_skb(skb);
return ret;
}
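Review bot: The lock is now dropped at three separate exit sites (before `return ret` here, and before `return -EINVAL` and `return count` in the following hunk); any other return between the hunks that is not visible here, or one added later, would leave vhci_release_lock held, after which vhci_release blocks forever and every writer fails with -EBUSY. A single exit label, `out_unlock: mutex_unlock(&vhci_release_lock); return ret;`, with the success path setting `ret = count` before jumping to it, keeps the lock balance in one place; note `kfree_skb(skb)` cannot join that label because the skb is handed to the devcoredump path once hci_devcd_init succeeds. force_devcd_write starts and ends outside this hunk.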
@@ -369,9 +387,11 @@ static ssize_t force_devcd_write(struct
/* Do nothing */
break;
default:
+ mutex_unlock(&vhci_release_lock);
return -EINVAL;
}
+ mutex_unlock(&vhci_release_lock);
return count;
}
@@ -656,6 +676,8 @@ static int vhci_release(struct inode *in
struct vhci_data *data = file->private_data;
struct hci_dev *hdev;
+ mutex_lock(&vhci_release_lock);
+ data = file->private_data;
cancel_delayed_work_sync(&data->open_timeout);
flush_work(&data->suspend_work);
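Review bot: `data` is loaded from `file->private_data` at the top of vhci_release and then loaded again under the lock, but this function is the only place on the page that writes that field (set to NULL in the last hunk), so the second read cannot observe a different value; keep one of the two reads and say which is authoritative, e.g. `/* private_data is only cleared below, under vhci_release_lock */`. More significant is that the global mutex is now held across `cancel_delayed_work_sync()` and `flush_work()`, and presumably across the hci_dev unregister path in the part of the function between this hunk and the next: if any of that work or the unregister path can wait for an in-flight force_devcd_write, only the writer's trylock prevents a deadlock, and that invariant should be stated in a comment next to `mutex_lock(&vhci_release_lock)`. Holding one lock across all instances' releases also serialises unrelated vhci devices; a per-instance lock would avoid that. vhci_release's body continues outside this hunk.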
@@ -669,6 +691,8 @@ static int vhci_release(struct inode *in
skb_queue_purge(&data->readq);
file->private_data = NULL;
kfree(data);
+ released++;
+ mutex_unlock(&vhci_release_lock);
return 0;
}
--