Hi Arseniy,

On Tue, Feb 11, 2025 at 11:22 AM Arseniy Krasnov <avkrasnov@xxxxxxxxxxxxxxxxx> wrote:
>
> Maybe my previous version was free of this problem?
>
> https://lore.kernel.org/linux-bluetooth/a1db0c90-1803-e01c-3e23-d18e4343a4eb@xxxxxxxxxxxxxxxxx/

You can try sending it to syzbot+683f8cb11b94b1824c77@xxxxxxxxxxxxxxxxxxxxxxxxx to check if that works.

> Thanks
>
> On 11.02.2025 17:16, Arseniy Krasnov wrote:
> > Hi, I guess the problem here is that, if hci_uart_tty_close() is called between
> > setting HCI_UART_PROTO_READY and skb_queue_head_init(), then mrvl_close()
> > will access uninitialized data.
> >
> > hci_uart_set_proto() {
> >     ...
> >     set_bit(HCI_UART_PROTO_READY, &hu->flags);
> >
> >     err = hci_uart_register_dev(hu);
> >         mrvl_open()
> >             skb_queue_head_init();

Or we follow what the likes of hci_uart_register_device_priv do. In fact we may want to take the time to clean this up: afaik the ldisc is deprecated and serdev shall be used instead. In any case, if we can't just remove the ldisc version, then at the very least they shall be using the same flow when it comes to hci_register_dev, since they share the same struct hci_uart.

> >     if (err) {
> >         return err;
> >     }
> >     ...
> > }
> >
> > Thanks
> >
> > On 10.02.2025 14:26, syzbot wrote:
> >> syzbot has bisected this issue to:
> >>
> >> commit c411c62cc13319533b1861e00cedc4883c3bc1bb
> >> Author: Arseniy Krasnov <avkrasnov@xxxxxxxxxxxxxxxxx>
> >> Date:   Thu Jan 30 18:43:26 2025 +0000
> >>
> >>     Bluetooth: hci_uart: fix race during initialization
> >>
> >> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=116cebdf980000
> >> start commit:   40b8e93e17bf Add linux-next specific files for 20250204
> >> git tree:       linux-next
> >> final oops:     https://syzkaller.appspot.com/x/report.txt?x=136cebdf980000
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=156cebdf980000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=ec880188a87c6aad
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=683f8cb11b94b1824c77
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b7eeb0580000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f74f64580000
> >>
> >> Reported-by: syzbot+683f8cb11b94b1824c77@xxxxxxxxxxxxxxxxxxxxxxxxx
> >> Fixes: c411c62cc133 ("Bluetooth: hci_uart: fix race during initialization")
> >>
> >> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

-- 
Luiz Augusto von Dentz
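The window Arseniy describes (the ready flag is published before the protocol's queue exists, so a close arriving in between purges an uninitialized queue) can be shown deterministically in user space. The block below is an added example, not code from this thread or from the kernel: `struct hci_uart_model`, `tty_close_model()`, `queue_init_model()` and `run_scenario()` are hypothetical stand-ins for `struct hci_uart`, `hci_uart_tty_close()`, `skb_queue_head_init()` and the open path, and the `race` argument injects the close at the exact step where a real close could be scheduled. It compares the two orderings of the flag and the queue initialization; which ordering the driver should end up with is the thread's decision, not something this model settles.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for HCI_UART_PROTO_READY; the real driver keeps it in hu->flags. */
#define PROTO_READY_BIT 0UL

/* Stand-in for struct sk_buff_head: only records whether init has run. */
struct skb_queue_model {
    bool initialized;
    int  qlen;
};

/* Stand-in for struct hci_uart with just the two fields the race involves. */
struct hci_uart_model {
    unsigned long flags;
    struct skb_queue_model txq;
};

static void set_ready(struct hci_uart_model *hu)
{
    hu->flags |= 1UL << PROTO_READY_BIT;
}

static bool is_ready(const struct hci_uart_model *hu)
{
    return (hu->flags & (1UL << PROTO_READY_BIT)) != 0;
}

/* Models skb_queue_head_init() as called from the protocol's open(). */
static void queue_init_model(struct skb_queue_model *q)
{
    q->initialized = true;
    q->qlen = 0;
}

/* Models the tty close path: if PROTO_READY is set it calls the protocol
 * close, which purges the queue. Returns 1 when that purge would touch a
 * queue that was never initialized (the hazard described in the thread),
 * 0 otherwise. */
static int tty_close_model(struct hci_uart_model *hu)
{
    if (!is_ready(hu))
        return 0;                 /* no protocol attached: nothing to purge */
    if (!hu->txq.initialized)
        return 1;                 /* protocol close would read garbage here */
    hu->txq.qlen = 0;             /* purge on a valid queue is harmless */
    return 0;
}

/* Drives one open sequence. flag_first mirrors the quoted flow (set_bit
 * before the protocol's open); !flag_first initializes the queue first.
 * race injects tty_close_model() in the window between the two steps. */
static int run_scenario(bool flag_first, bool race)
{
    struct hci_uart_model hu = { 0 };
    int hit = 0;

    if (flag_first) {
        set_ready(&hu);
        if (race)
            hit = tty_close_model(&hu);
        queue_init_model(&hu.txq);
    } else {
        queue_init_model(&hu.txq);
        if (race)
            hit = tty_close_model(&hu);
        set_ready(&hu);
    }
    return hit;
}

int main(void)
{
    printf("flag before queue init, close in window: %s\n",
           run_scenario(true, true) ? "uninitialized access" : "ok");
    printf("queue init before flag, close in window: %s\n",
           run_scenario(false, true) ? "uninitialized access" : "ok");
    printf("flag before queue init, no close:        %s\n",
           run_scenario(true, false) ? "uninitialized access" : "ok");
    return 0;
}
```

The point the model makes is the one both mails circle around: whatever flag the close path keys on must not become visible until every structure that path will touch has been initialized, and the ldisc and serdev paths should agree on that order since they share the same structure.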