Hi Desmond,

> Syzbot reported a corrupted list in kobject_add_internal [1]. This
> happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with
> status 0 are sent for the same HCI connection. This causes us to
> register the device more than once which corrupts the kset list.
>
> As this is forbidden behavior, we add a check for whether we're
> trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple
> times for one connection. If that's the case, the event is invalid, so
> we report an error that the device is misbehaving, and ignore the
> packet.
>
> Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1]
> Reported-by: syzbot+66264bf2fd0476be7e6c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+66264bf2fd0476be7e6c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@xxxxxxxxx>
> ---
>
> v1 -> v2:
> - Added more comments to explain the reasoning behind the new check, and
>   a bt_dev_err message upon detecting the invalid event. As suggested by
>   Marcel Holtmann.
>
>  net/bluetooth/hci_event.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)

I shortened the error message and then applied your patch to bluetooth-next tree.

Regards

Marcel
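The pattern the quoted description relies on, shown here as an added stand-alone C model rather than the kernel's own code from the patch: a per-connection "already completed" state is consulted before the one-time registration step, so a second status-0 HCI_EV_SYNC_CONN_COMPLETE for the same connection is logged and dropped instead of registering the device again. All names (`struct sco_conn`, `handle_sync_conn_complete`, `replay_duplicate_events`, the event layout) are constructed for this illustration and are not the Bluetooth subsystem's identifiers; the `registrations` counter stands in for the kset/kobject registration that the real bug corrupted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the failure in the thread: the "registration" step
 * stands in for the one-time device registration that a duplicate
 * HCI_EV_SYNC_CONN_COMPLETE with status 0 would otherwise repeat. */
#define STATUS_SUCCESS 0

struct sync_conn_complete_ev {   /* hypothetical, simplified event body */
    uint8_t status;
    uint16_t handle;
};

struct sco_conn {                /* hypothetical, simplified connection state */
    bool established;            /* set once the first valid completion is processed */
    uint16_t handle;
    int registrations;           /* how many times the device was "registered" */
    int rejected;                /* how many duplicate completions were ignored */
};

/* Returns 0 when the event is processed, -1 when it is ignored as a duplicate. */
int handle_sync_conn_complete(struct sco_conn *conn,
                              const struct sync_conn_complete_ev *ev)
{
    if (ev->status != STATUS_SUCCESS)
        return 0;   /* failed completions take a different path; not modelled here */

    /* The check: a connection completes once. A second successful completion
     * for the same connection means the controller is misbehaving, so report
     * it and drop the packet before any one-time registration runs again. */
    if (conn->established) {
        fprintf(stderr, "ignoring duplicate sync conn complete for handle 0x%04x\n",
                conn->handle);
        conn->rejected++;
        return -1;
    }

    conn->established = true;
    conn->handle = ev->handle;
    conn->registrations++;   /* the kernel would register the device here, once */
    return 0;
}

/* Replay a burst of identical successful completions against one connection
 * and report how many registrations actually happened (expected: exactly 1). */
int replay_duplicate_events(int count)
{
    struct sco_conn conn = {0};
    struct sync_conn_complete_ev ev = { .status = STATUS_SUCCESS, .handle = 0x0042 };

    for (int i = 0; i < count; i++)
        handle_sync_conn_complete(&conn, &ev);

    return conn.registrations;
}

int main(void)
{
    printf("registrations after 3 duplicate events: %d\n", replay_duplicate_events(3));
    return 0;
}
```

The state used as the guard must be something that is set exactly once per connection, as the `established` flag is here; a guard derived from the event contents alone would not catch a byte-for-byte repeat of a valid packet, which is precisely what the syzbot reproducer sent.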