Hi Myungho,

> h4_recv_buf() callers store the return value to socket buffer and
> recursively pass the buffer to h4_recv_buf() without protection. So,
> ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
> before setting the socket buffer to NULL from previous error. Check if
> skb is ERR_PTR in h4_recv_buf().
>
> Reported-by: syzbot+017a32f149406df32703@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> ---
> drivers/bluetooth/h4_recv.h | 4 ++++
> drivers/bluetooth/hci_h4.c | 4 ++++
> 2 files changed, 8 insertions(+)

Patch has been applied to bluetooth-next tree.

Regards

Marcel
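As an added, stand-alone C model of the hazard the commit message above describes (this is not the kernel's code and not the patch itself): the kernel's ERR_PTR helpers are re-implemented so the file builds in user space, sk_buff and h4_recv_buf() are simplified stand-ins, and resetting the buffer when an error pointer is passed back in is an assumed recovery, since the message only says to check for ERR_PTR.

```c
/* Constructed user-space model of the h4_recv_buf() ERR_PTR hazard; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Minimal re-implementation of the kernel's error-pointer helpers (MAX_ERRNO as in the kernel). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }
/* Simplified stand-in for struct sk_buff: a fixed-size receive buffer. */
struct sk_buff { size_t len; unsigned char data[64]; };

/* Stand-in for h4_recv_buf(): appends bytes to skb, allocating it on first use.
 * A count of 0 or an overflow models a framing error: the skb is freed and an
 * ERR_PTR is returned, which is the value the caller then stores back into rx_skb. */
static struct sk_buff *h4_recv_buf(struct sk_buff *skb, const unsigned char *buf, size_t count)
{
    /* The check the patch adds: an error pointer left in the caller's rx_skb by the
     * previous call must not be dereferenced. Starting a fresh buffer here is an
     * assumed recovery; the commit message only says to check for ERR_PTR. */
    if (IS_ERR(skb))
        skb = NULL;
    if (!skb) {
        skb = malloc(sizeof(*skb));
        if (!skb) return ERR_PTR(-ENOMEM);
        skb->len = 0;
    }
    if (count == 0 || skb->len + count > sizeof(skb->data)) {
        free(skb);
        return ERR_PTR(-EILSEQ); /* protocol error: drop the partial frame */
    }
    memcpy(skb->data + skb->len, buf, count);
    skb->len += count;
    return skb;
}

/* Caller pattern from the report: the return value is stored into rx_skb and handed
 * straight back on the next receive, with no NULL reset after an error.
 * Returns 0 on success or the negative errno left in rx_skb after both calls. */
static long feed_twice(const unsigned char *first, size_t first_len,
                       const unsigned char *second, size_t second_len)
{
    struct sk_buff *rx_skb = NULL;
    rx_skb = h4_recv_buf(rx_skb, first, first_len);
    rx_skb = h4_recv_buf(rx_skb, second, second_len); /* dereferenced an ERR_PTR before the fix */
    long err = IS_ERR(rx_skb) ? PTR_ERR(rx_skb) : 0;
    if (!IS_ERR(rx_skb)) free(rx_skb);
    return err;
}
```

Without the IS_ERR() check at the top of h4_recv_buf(), the second call in feed_twice() reads skb->len through a pointer such as (void *)-84, which is the crash syzbot reported.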