Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Sat, 2 Mar 2024 19:06:23 +0200 you wrote:
> hci_send_cmd_sync first sends skb and then tries to clone it. However,
> the driver may have already freed the skb at that point.
>
> Fix by cloning the sent_cmd cloned just above, instead of the original.
>
> Log:
> ================================================================
> BUG: KASAN: slab-use-after-free in __copy_skb_header+0x1a/0x240
> ...
> Call Trace:
> ..
> __skb_clone+0x59/0x2c0
> hci_cmd_work+0x3b3/0x3d0 [bluetooth]
> process_one_work+0x459/0x900
> ...
> Allocated by task 129:
> ...
> __alloc_skb+0x1ae/0x220
> __hci_cmd_sync_sk+0x44c/0x7a0 [bluetooth]
> __hci_cmd_sync_status+0x24/0xb0 [bluetooth]
> set_cig_params_sync+0x778/0x7d0 [bluetooth]
> ...
> Freed by task 0:
> ...
> kmem_cache_free+0x157/0x3c0
> __usb_hcd_giveback_urb+0x11e/0x1e0
> usb_giveback_urb_bh+0x1ad/0x2a0
> tasklet_action_common.isra.0+0x259/0x4a0
> __do_softirq+0x15b/0x5a7
> ================================================================
>
> [...]

Here is the summary with links:
  - Bluetooth: fix use-after-free in accessing skb after sending it
    https://git.kernel.org/bluetooth/bluetooth-next/c/d147be932692

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
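The ordering problem the quoted commit message describes (hand the skb to the driver, then clone it, while the driver may already have released it) and the shape of the fix (take the clone before the send, and derive later copies from that retained clone) can be shown in a small userspace model. This is an added example, not kernel code and not part of the patch: `mock_skb`, `mock_driver_send`, `send_cmd_clone_after` and `send_cmd_clone_before` are hypothetical stand-ins for sk_buff, the driver send path, and the two orderings, and the payload bytes are constructed. A liveness flag replaces the real free so the clone-after-release is reported as a failed clone rather than reproduced as an actual use-after-free.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for sk_buff: a small buffer plus a liveness flag. The flag lets
 * the model detect a clone taken after the driver released the buffer,
 * which in the kernel is the KASAN slab-use-after-free in the report. */
struct mock_skb {
	bool alive;
	size_t len;
	unsigned char data[64];
};

static struct mock_skb *mock_skb_alloc(const unsigned char *p, size_t len)
{
	struct mock_skb *skb = calloc(1, sizeof(*skb));

	if (!skb || len > sizeof(skb->data)) {
		free(skb);
		return NULL;
	}
	skb->alive = true;
	skb->len = len;
	memcpy(skb->data, p, len);
	return skb;
}

/* skb_clone stand-in: refuses to copy from a buffer that is no longer live. */
static struct mock_skb *mock_skb_clone(const struct mock_skb *skb)
{
	if (!skb || !skb->alive)
		return NULL;
	return mock_skb_alloc(skb->data, skb->len);
}

/* Driver send path: ownership passes to the driver, which releases the
 * buffer when the transfer completes (the USB completion in the log).
 * Memory is kept here only so the liveness flag stays readable. */
static void mock_driver_send(struct mock_skb *skb)
{
	skb->alive = false;
	skb->len = 0;
	memset(skb->data, 0, sizeof(skb->data));
}

/* Buggy ordering: send first, then clone the original. */
static struct mock_skb *send_cmd_clone_after(struct mock_skb *skb)
{
	mock_driver_send(skb);
	return mock_skb_clone(skb);	/* original already released: NULL */
}

/* Fixed ordering: clone before the send, send the original, and take any
 * later copy from the retained clone rather than from the sent buffer. */
static struct mock_skb *send_cmd_clone_before(struct mock_skb *skb,
					      struct mock_skb **sent_cmd)
{
	*sent_cmd = mock_skb_clone(skb);
	if (!*sent_cmd)
		return NULL;
	mock_driver_send(skb);
	return mock_skb_clone(*sent_cmd);
}

/* Runs one ordering and returns 1 if an intact copy of the command
 * survived the send, 0 if no usable copy could be taken, -1 on alloc failure. */
static int demo(bool clone_first)
{
	static const unsigned char payload[] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed */
	struct mock_skb *skb = mock_skb_alloc(payload, sizeof(payload));
	struct mock_skb *sent_cmd = NULL, *copy;
	int ok;

	if (!skb)
		return -1;
	copy = clone_first ? send_cmd_clone_before(skb, &sent_cmd)
			   : send_cmd_clone_after(skb);
	ok = copy && copy->len == sizeof(payload) &&
	     memcmp(copy->data, payload, sizeof(payload)) == 0;
	free(copy);
	free(sent_cmd);
	free(skb);
	return ok;
}

int main(void)
{
	printf("clone after send : copy intact = %d\n", demo(false));
	printf("clone before send: copy intact = %d\n", demo(true));
	return 0;
}
```

The model makes the invariant explicit: once the buffer is handed to the driver, the core may not touch it again, so anything it still needs must be copied beforehand and every later copy must come from that retained clone.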