On Sat, Jan 19, 2019 at 12:19:20AM -0800, Myungho Jung wrote:
> On Fri, Jan 18, 2019 at 10:19:41AM +0100, Marcel Holtmann wrote:
> > Hi Myungho,
> > 
> > > In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
> > > asynchronously called again before setting rx_skb to NULL, ERR_PTR will
> > > be dereferenced in h4_recv_buf(). Check return value in a local variable
> > > before writing to rx_skb.
> > > 
> > > Reported-by: syzbot+017a32f149406df32703@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> > > ---
> > > drivers/bluetooth/hci_h4.c | 11 +++++++----
> > > 1 file changed, 7 insertions(+), 4 deletions(-)
> > 
> > patch has been applied to bluetooth-next tree.
> > 
> > Can you actually fix all callers of h4_recv_buf since they all suffer from the same issue.
> > 
> > Regards
> > 
> > Marcel
> > 
> 
> Hi Marcel,
> 
> Sure, let me check other callers and fix them if applicable.
> 
> Thanks,
> Myungho
> 

Hi Marcel,

I found there are many callers that need to be fixed. So, how about checking the error code in h4_recv_buf() instead?

diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
index fb97a3bf069b..dea48090d2dc 100644
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb,
 	struct hci_uart *hu = hci_get_drvdata(hdev);
 	u8 alignment = hu->alignment ? hu->alignment : 1;
 
+	/* Check if socket buffer is not reset yet from previous error */
+	if (IS_ERR(skb))
+		skb = NULL;
+
 	while (count) {
 		int i, len;

It is tested and verified by syzbot. The previous commit is no longer needed if this looks better.

Thanks,
Myungho
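Review bot: the new `if (IS_ERR(skb)) skb = NULL;` at the top of h4_recv_buf() changes the function's contract (callers may now pass back the ERR_PTR they stored in rx_skb from a previous failed call), but the comment "Check if socket buffer is not reset yet from previous error" does not say so; document at the function that an ERR_PTR argument is deliberately treated as "no partial packet" and that nothing is lost by resetting it, because the failing call has already freed the partial skb and returned the error to the caller. Also note what this hunk does and does not cover: it makes the callee safe, but each caller still writes the ERR_PTR into rx_skb before checking it, so the window described in the quoted commit message ("asynchronously called again before setting rx_skb to NULL") still exists and merely becomes harmless rather than going away; since Marcel has already applied the first patch to bluetooth-next, this should be posted as a follow-up on top of it rather than as a replacement.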
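The race the thread describes, replayed in userspace as an added example that is not the kernel's code: ERR_PTR/IS_ERR/PTR_ERR are re-implemented here the way include/linux/err.h defines them, and toy_recv_buf()/toy_recv() are hypothetical stand-ins for h4_recv_buf()/h4_recv(). The first call fails with an oversized chunk, the caller stores the ERR_PTR in rx_skb, and a second chunk arrives before rx_skb is cleared; the guard flag selects whether the callee carries the patch's IS_ERR() reset. Without the guard the stale pointer reaches the callee (modelled as -EFAULT, where a real driver would crash); with it the second chunk starts a fresh packet.

```c
/*
 * Userspace model of the ERR_PTR/IS_ERR pattern behind this thread.
 * Added example, not kernel code: ERR_PTR/IS_ERR/PTR_ERR follow
 * include/linux/err.h, toy_recv_buf/toy_recv are hypothetical stand-ins
 * for h4_recv_buf()/h4_recv().
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline int IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }

struct toy_skb { size_t len; unsigned char data[16]; };
struct toy_uart { struct toy_skb *rx_skb; };

/*
 * Stand-in for h4_recv_buf(): append bytes to a partial packet. On error the
 * partial packet is freed and ERR_PTR(-errno) is returned. 'guard' selects
 * whether the callee tolerates an ERR_PTR left in rx_skb by a previous call.
 */
static struct toy_skb *toy_recv_buf(struct toy_skb *skb, const unsigned char *buf,
                                    size_t count, int guard)
{
    if (IS_ERR(skb)) {
        if (!guard)
            /* Models the bug: a real driver would dereference the bogus
             * pointer here and crash. -EFAULT makes that visible instead. */
            return ERR_PTR(-EFAULT);
        /* The fix from the patch: a stale ERR_PTR means "no partial packet". */
        skb = NULL;
    }
    if (!skb) {
        skb = calloc(1, sizeof *skb);
        if (!skb)
            return ERR_PTR(-ENOMEM);
    }
    if (skb->len + count > sizeof skb->data) {
        free(skb);
        return ERR_PTR(-EMSGSIZE);
    }
    memcpy(skb->data + skb->len, buf, count);
    skb->len += count;
    return skb;
}

/*
 * Stand-in for the pre-fix h4_recv(): store the result in rx_skb first, then
 * check it. Between the store and the later reset there is a window in which
 * rx_skb holds an ERR_PTR. Returns the packet length so far or -errno.
 */
static long toy_recv(struct toy_uart *hu, const unsigned char *buf, size_t count, int guard)
{
    hu->rx_skb = toy_recv_buf(hu->rx_skb, buf, count, guard);
    if (IS_ERR(hu->rx_skb))
        return PTR_ERR(hu->rx_skb);   /* the caller would set rx_skb = NULL later */
    return (long)hu->rx_skb->len;
}

/*
 * Replays the reported scenario: an oversized chunk makes the first call fail
 * and a second chunk arrives before the caller has cleared rx_skb.
 * Returns the outcome of the second call.
 */
long replay_reentry(int guard)
{
    struct toy_uart hu = { .rx_skb = NULL };
    unsigned char big[32] = { 0 };                 /* constructed input: too large for data[16] */
    unsigned char small[4] = { 1, 2, 3, 4 };       /* constructed input: fits a fresh packet */
    long err = toy_recv(&hu, big, sizeof big, guard);   /* -EMSGSIZE, left in rx_skb */
    long second;

    if (err != -EMSGSIZE)
        return err;
    second = toy_recv(&hu, small, sizeof small, guard);
    if (!IS_ERR(hu.rx_skb))
        free(hu.rx_skb);
    return second;
}
```

replay_reentry(0) returns -EFAULT (the stale ERR_PTR reached the callee); replay_reentry(1) returns 4 (the guard discarded it and the second chunk started a new packet). The model keeps the caller unchanged on purpose: it shows why fixing the callee closes the crash for every caller at once, while the store-then-check window in each caller remains.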