Hi Myungho,

> In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
> asynchronously called again before setting rx_skb to NULL, ERR_PTR will
> be dereferenced in h4_recv_buf(). Check return value in a local variable
> before writing to rx_skb.
>
> Reported-by: syzbot+017a32f149406df32703@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> ---
> drivers/bluetooth/hci_h4.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)

patch has been applied to bluetooth-next tree.

Can you actually fix all callers of h4_recv_buf since they all suffer from the same issue.

Regards

Marcel