Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()


 



Hi Myungho,

>>>> In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
>>>> asynchronously called again before setting rx_skb to NULL, ERR_PTR will
>>>> be dereferenced in h4_recv_buf(). Check return value in a local variable
>>>> before writing to rx_skb.
>>>> 
>>>> Reported-by: syzbot+017a32f149406df32703@xxxxxxxxxxxxxxxxxxxxxxxxx
>>>> Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
>>>> ---
>>>> drivers/bluetooth/hci_h4.c | 11 +++++++----
>>>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>> 
>>> patch has been applied to bluetooth-next tree.
>>> 
>>> Can you actually fix all callers of h4_recv_buf since they all suffer from the same issue?
>>> 
>>> Regards
>>> 
>>> Marcel
>>> 
>> 
>> Hi Marcel,
>> 
>> Sure, let me check other callers and fix them if applicable.
>> 
>> Thanks,
>> Myungho
>> 
> 
> Hi Marcel,
> 
> I found there are many callers that need to be fixed. So, how about checking
> error code in h4_recv_buf() instead?
> 
> diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
> index fb97a3bf069b..dea48090d2dc 100644
> --- a/drivers/bluetooth/hci_h4.c
> +++ b/drivers/bluetooth/hci_h4.c
> @@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct sk_buff *skb,
> 	struct hci_uart *hu = hci_get_drvdata(hdev);
> 	u8 alignment = hu->alignment ? hu->alignment : 1;
> 
> +	/* Check if socket buffer is not reset yet from previous error */
> +	if (IS_ERR(skb))
> +		skb = NULL;
> +
> 	while (count) {
> 		int i, len;
> 
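Review bot: The new IS_ERR(skb) check at the top of h4_recv_buf() resets only the function's local copy of the pointer, so the caller's stored pointer keeps the ERR_PTR value until the caller overwrites it with this call's return value or sets it to NULL itself. The comment should say that, and name the caller-side field the stale value comes from, rather than just "not reset yet". It is also worth stating in the commit message that this hides the stale value from h4_recv_buf() but does not serialise the two calls, so any other reader of the caller's field in that window is not covered. As the reply below points out, drivers/bluetooth/h4_recv.h carries a separate copy and needs the same check.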
> 
> It is tested and verified by syzbot. The previous commit is no longer needed if
> this looks better.

Please send a proper patch for this and also don’t forget drivers/bluetooth/h4_recv.h since these two are not yet consolidated.

Regards

Marcel
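The failure mode discussed in this thread, as an added userspace model that is not code from the patch or the kernel: it compares the unfixed caller, the local-variable fix from the first patch, and the IS_ERR() check proposed above. `struct buf`, `recv_buf()`, `stale_uses_after_race()` and the 0xff "illegal type" byte are hypothetical stand-ins, and the second call is made sequentially to represent the asynchronous one.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR()/IS_ERR(); constructed model. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
struct buf { size_t len; unsigned char data[8]; }; /* hypothetical sk_buff stand-in */
enum fix { UNFIXED, LOCAL_VAR, GUARD_IN_HELPER };
static int stale_uses; /* times the helper was handed an ERR_PTR as a buffer */

/* Hypothetical model of h4_recv_buf(): type byte 0xff is treated as illegal. */
static struct buf *recv_buf(struct buf *skb, unsigned char type, enum fix fix)
{
	if (fix == GUARD_IN_HELPER && IS_ERR(skb))
		skb = NULL;             /* the check proposed in the thread */
	if (IS_ERR(skb)) {
		stale_uses++;           /* kernel code would dereference skb here */
		return skb;
	}
	if (type == 0xff) {
		free(skb);              /* error path drops the buffer */
		return ERR_PTR(-EILSEQ);
	}
	if (!skb && !(skb = calloc(1, sizeof(*skb))))
		return ERR_PTR(-ENOMEM);
	if (skb->len < sizeof(skb->data))
		skb->data[skb->len++] = type;
	return skb;
}

/* One bad byte, then a second call that arrives before the caller resets rx_skb. */
static int stale_uses_after_race(enum fix fix)
{
	struct buf *rx_skb = NULL, *ret;
	stale_uses = 0;
	ret = recv_buf(rx_skb, 0xff, fix);
	if (fix == LOCAL_VAR)
		rx_skb = IS_ERR(ret) ? NULL : ret; /* shared field never holds ERR_PTR */
	else
		rx_skb = ret;                      /* shared field briefly holds ERR_PTR */
	ret = recv_buf(rx_skb, 0x04, fix);     /* the second, "asynchronous" call */
	if (!IS_ERR(ret))
		free(ret);
	return stale_uses;
}

int main(void) { return stale_uses_after_race(UNFIXED) != 1; }
```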



