On Fri, Jan 18, 2019 at 10:19:41AM +0100, Marcel Holtmann wrote:
> Hi Myungho,
>
> > In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
> > asynchronously called again before setting rx_skb to NULL, ERR_PTR will
> > be dereferenced in h4_recv_buf(). Check return value in a local variable
> > before writing to rx_skb.
> >
> > Reported-by: syzbot+017a32f149406df32703@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> > ---
> > drivers/bluetooth/hci_h4.c | 11 +++++++----
> > 1 file changed, 7 insertions(+), 4 deletions(-)
>
> patch has been applied to bluetooth-next tree.
>
> Can you actually fix all callers of h4_recv_buf since they all suffer from the same issue.
>
> Regards
>
> Marcel
>

Hi Marcel,

Sure, let me check other callers and fix them if applicable.

Thanks,
Myungho
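
The pattern described in the quoted commit message, as an added single-threaded userspace C model (not code from this thread or from drivers/bluetooth/hci_h4.c). The names `recv_buf`, `rx_state`, `observe`, `recv_unsafe`, `recv_safe`, the 0xff trigger byte and the simplified ERR_PTR helpers are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified userspace stand-ins for the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)e; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct buf { size_t len; };                 /* hypothetical stand-in for sk_buff */
struct rx_state { struct buf *rx_skb; int saw_err_ptr; };
static struct buf storage;

/* Hypothetical parser: extends the partial buffer, or returns ERR_PTR on bad input. */
static struct buf *recv_buf(struct buf *cur, const unsigned char *d, size_t n)
{
    if (n == 0 || d[0] == 0xff)             /* constructed "bad packet type" */
        return ERR_PTR(-EILSEQ);
    if (!cur) { cur = &storage; cur->len = 0; }
    cur->len += n;                          /* a stored ERR_PTR would be dereferenced here */
    return cur;
}

/* Records what a second, concurrent caller would find in the shared field. */
static void observe(struct rx_state *st) { if (IS_ERR(st->rx_skb)) st->saw_err_ptr = 1; }

/* Bug pattern: the error value is written to shared state before it is checked. */
int recv_unsafe(struct rx_state *st, const unsigned char *d, size_t n)
{
    st->rx_skb = recv_buf(st->rx_skb, d, n);
    observe(st);                            /* window in which rx_skb holds an ERR_PTR */
    if (IS_ERR(st->rx_skb)) {
        int err = (int)PTR_ERR(st->rx_skb);
        st->rx_skb = NULL;
        return err;
    }
    return (int)n;
}

/* Fix pattern: check a local; the shared field only ever holds a buffer or NULL. */
int recv_safe(struct rx_state *st, const unsigned char *d, size_t n)
{
    struct buf *skb = recv_buf(st->rx_skb, d, n);
    int err = IS_ERR(skb) ? (int)PTR_ERR(skb) : 0;
    st->rx_skb = err ? NULL : skb;
    observe(st);
    return err ? err : (int)n;
}
```

`observe()` marks the point at which a re-entrant call would read `rx_skb`; in the unsafe variant it finds an error-encoded pointer, in the safe variant it never does.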