Hi,
su, 2024-06-23 kello 17:06 +0800, Edward Adam Davis kirjoitti:
> Look at the following situation:
>
> cpu1 cpu2
> ==== ====
> sock_ioctl
> sock_do_ioctl
> hci_sock_ioctl
> hci_rx_work hci_dev_cmd
> hci_event_packet hci_req_sync
> req_complete_skb __hci_req_sync
> hci_req_sync_complete
>
> If hci_rx_work executes before __hci_req_sync releases req_skb, everything
> is normal, otherwise it will result in double free of req_skb.
>
> Adding NULL check of req_skb before releasing it can avoid double free.
Do you understand why?
kfree_skb(NULL) is allowed, so this is logically a no-op.
Probably it perturbs the timings so syzkaller repro no longer hits the
race window, ie doesn't fix the issue.
> Fixes: 45d355a926ab ("Bluetooth: Fix memory leak in hci_req_sync_complete()")
> Reported-and-tested-by: syzbot+35ebc808442df6420eae@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=35ebc808442df6420eae
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
> net/bluetooth/hci_request.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
> index efea25eb56ce..3862fa6bb288 100644
> --- a/net/bluetooth/hci_request.c
> +++ b/net/bluetooth/hci_request.c
> @@ -106,7 +106,8 @@ void hci_req_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
> hdev->req_result = result;
> hdev->req_status = HCI_REQ_DONE;
> if (skb) {
> - kfree_skb(hdev->req_skb);
> + if (hdev->req_skb)
> + kfree_skb(hdev->req_skb);
> hdev->req_skb = skb_get(skb);
> }
> wake_up_interruptible(&hdev->req_wait_q);
