Syzbot reported a uninit-value in hci_rx_work.This is because l2cap didn't execute the corresponding connection request to call l2cap_send_cmd() or l2cap_do_send(), and ultimately called hci_add_acl_hdr() to set hdr->handle. Therefore, when calling the thread callback function hci_rx_work() to call hci_acldata_packet, hdr->handle should not be used directly. Reported-and-tested-by: syzbot+6ea290ba76d8c1eb1ac2@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=6ea290ba76d8c1eb1ac2 Signed-off-by: Edward Adam Davis <eadavis@xxxxxx> --- net/bluetooth/hci_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index d6976db02c06..20605a7f3f4e 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3791,8 +3791,7 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) l2cap_recv_acldata(conn, skb, flags); return; } else { - bt_dev_err(hdev, "ACL packet for unknown connection handle %d", - handle); + bt_dev_err(hdev, "ACL packet for unknown connection handle"); } kfree_skb(skb); -- 2.43.0
