On Mon, Mar 20, 2023 at 09:50:18PM -0400, Sungwoo Kim wrote:
> To loop a variable-length array, hci_init_stage_sync(stage) considers
> that stage[i] is valid as long as stage[i-1].func is valid.
> Thus, the last element of stage[].func should be intentionally invalid,
> as hci_init0[], le_init2[], and others do.
> However, amp_init1[] and amp_init2[] have no invalid element, letting
> hci_init_stage_sync() keep accessing amp_init1[] beyond its valid range.
> This patch fixes this by adding {} at the end of amp_init1[] and
> amp_init2[].

...

> This bug was found by FuzzBT, a modified version of Syzkaller.
> Other contributors to this bug are Ruoyu Wu and Peng Hui.
>
> Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
> Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx>

Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>

...
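The pattern the commit message describes, a sentinel-terminated table of init steps walked until an entry with a NULL func, is easy to get wrong in exactly the way amp_init1[] did: drop the trailing {} and the walk reads past the array. The following is an added, stand-alone example written for this page; it is not kernel code and does not use the real hci_sync.c API. All names (struct init_stage, run_stages, table_is_terminated, run_stages_bounded, the good_init/bad_init tables) are hypothetical. It shows a terminated table beside an unterminated one, the unbounded walk that relies on the sentinel, and a bounded check built from the array's real size that catches a missing terminator instead of over-reading.

```c
/* Added example (not from the kernel or the patch): sentinel-terminated
 * init-stage tables and the two ways of walking them. */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stage entry: func == NULL marks the end of the table. */
struct init_stage {
    int (*func)(void *ctx);
    const char *name;
};

/* Constructed stages: each mutates an int counter so the walk is observable. */
static int step_a(void *ctx) { *(int *)ctx += 1; return 0; }
static int step_b(void *ctx) { *(int *)ctx += 10; return 0; }
static int step_fail(void *ctx) { (void)ctx; return -1; }

/* Terminated table: the trailing {} zero-fills the entry, so func is NULL. */
static const struct init_stage good_init[] = {
    { step_a, "a" },
    { step_b, "b" },
    {}
};

/* Unterminated table, like amp_init1[] before the fix: no sentinel at all. */
static const struct init_stage bad_init[] = {
    { step_a, "a" },
    { step_b, "b" },
};

/* Terminated table whose middle stage fails, to show early abort. */
static const struct init_stage fail_init[] = {
    { step_a, "a" },
    { step_fail, "fail" },
    { step_b, "b" },
    {}
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Unbounded walk in the style of hci_init_stage_sync(): stops only when it
 * meets a NULL func. Correct for good_init; on bad_init it would read past
 * the array, which is the bug the patch fixes. */
static int run_stages(const struct init_stage *stage, void *ctx)
{
    for (size_t i = 0; stage[i].func; i++) {
        int err = stage[i].func(ctx);
        if (err)
            return err;
    }
    return 0;
}

/* Bounded check: 1 if a NULL-func sentinel exists within the first n
 * entries, 0 if the table has no terminator. n comes from ARRAY_SIZE at
 * the definition site, so the check never reads outside the object. */
static int table_is_terminated(const struct init_stage *stage, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!stage[i].func)
            return 1;
    return 0;
}

/* Defensive runner: refuses an unterminated table (-2) instead of walking
 * off its end, then does the normal sentinel walk. */
static int run_stages_bounded(const struct init_stage *stage, size_t n,
                              void *ctx)
{
    if (!table_is_terminated(stage, n))
        return -2;
    return run_stages(stage, ctx);
}

/* Helpers returning observable results for the three tables. */
int run_good(void)
{
    int ctx = 0;
    return run_stages_bounded(good_init, ARRAY_SIZE(good_init), &ctx) ? -1 : ctx;
}

int run_bad(void)
{
    int ctx = 0;
    return run_stages_bounded(bad_init, ARRAY_SIZE(bad_init), &ctx);
}

int run_fail_counter(void)
{
    int ctx = 0;
    (void)run_stages_bounded(fail_init, ARRAY_SIZE(fail_init), &ctx);
    return ctx; /* only step_a ran before step_fail aborted the walk */
}

int main(void)
{
    printf("good_init -> counter %d\n", run_good());
    printf("bad_init  -> rc %d (unterminated, refused)\n", run_bad());
    printf("fail_init -> counter %d (aborted at failing stage)\n",
           run_fail_counter());
    return 0;
}
```

The bounded check only works where the array's size is known, which is at the definition site; once a table is passed as a bare pointer, as hci_init_stage_sync() receives it, the sentinel is the only thing standing between the walk and an out-of-bounds read, so every table must carry its {} terminator.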