Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in hci_conn_drop (2)

From: Hillf Danton
Date: Sat Feb 17 2024 - 06:13:13 EST


On Fri, 16 Feb 2024 18:09:19 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 2c3b09aac00d Add linux-next specific files for 20240214
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c27a58180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -297,6 +297,7 @@ static int sco_connect(struct sock *sk)
sco_sock_set_timer(sk, sk->sk_sndtimeo);
}

+ hci_conn_get(hcon);
release_sock(sk);

unlock:
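Review bot: The new `hci_conn_get(hcon)` is taken unconditionally before `release_sock(sk)`, but the only balancing `hci_conn_put` this patch adds is in the BT_CONNECTED/BT_CONFIG branch of `__sco_sock_close`; the other teardown paths that clear or replace `conn->hcon` (the `sco_chan_del` branch, and the `unlock:` error path that follows this hunk) are outside the hunk, so it is not visible here that the extra kref is dropped on every path, which would leak the `hci_conn` object. The rest of `sco_connect` continues past the hunk, so the error path needs checking as well. The reference also deserves a one-line why-comment, since nothing nearby says what it protects: `/* keep hcon alive until __sco_sock_close has cleared conn->hcon and dropped it */`.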
@@ -439,12 +440,15 @@ static void __sco_sock_close(struct sock
case BT_CONNECTED:
case BT_CONFIG:
if (sco_pi(sk)->conn->hcon) {
+ struct hci_conn *hcon = sco_pi(sk)->conn->hcon;
+
sk->sk_state = BT_DISCONN;
sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
sco_conn_lock(sco_pi(sk)->conn);
- hci_conn_drop(sco_pi(sk)->conn->hcon);
sco_pi(sk)->conn->hcon = NULL;
sco_conn_unlock(sco_pi(sk)->conn);
+
+ hci_conn_put(hcon);
} else
sco_chan_del(sk, ECONNRESET);
break;
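Review bot: Replacing `hci_conn_drop(...)` with `hci_conn_put(hcon)` changes what is released: `hci_conn_drop` releases the hold that keeps the link up and arms the disconnect timer, while `hci_conn_put` drops the kref on the object itself, so after this change the hold taken when the SCO link was set up appears to remain unbalanced and the link may never be torn down when the socket closes. If the intent is only to keep `hcon` valid across the drop, keep the drop and add the put after it: `hci_conn_drop(hcon);` followed by `hci_conn_put(hcon);` once `conn->hcon` has been cleared under the lock. The `else` branch with `sco_chan_del` still reaches the hcon through a different path and gets no matching put here, which is worth confirming. `__sco_sock_close` begins outside the hunk.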
--