Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()

From: Marcel Holtmann
Date: Fri Jan 18 2019 - 04:19:46 EST

Next message: Jon Hunter: "Re: [PATCH V1] i2c: tegra: increase transfer timeout"
Previous message: Kairui Song: "[PATCH v4 2/2] kexec, KEYS: Make use of platform keyring for signature verify"
Next in thread: Myungho Jung: "Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Myungho,

> In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
> asynchronously called again before setting rx_skb to NULL, ERR_PTR will
> be dereferenced in h4_recv_buf(). Check return value in a local variable
> before writing to rx_skb.
>
> Reported-by: syzbot+017a32f149406df32703@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> ---
> drivers/bluetooth/hci_h4.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)

patch has been applied to bluetooth-next tree.

Can you actually fix all callers of h4_recv_buf since they all suffer from the same issue.

Regards

Marcel

Next message: Jon Hunter: "Re: [PATCH V1] i2c: tegra: increase transfer timeout"
Previous message: Kairui Song: "[PATCH v4 2/2] kexec, KEYS: Make use of platform keyring for signature verify"
Next in thread: Myungho Jung: "Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]