Hi Myungho,

>>>> In h4_recv(), if h4_recv_buf() returns error and h4_recv() is
>>>> asynchronously called again before setting rx_skb to NULL, ERR_PTR will
>>>> be dereferenced in h4_recv_buf(). Check return value in a local variable
>>>> before writing to rx_skb.
>>>> 
>>>> Reported-by: [email protected]
>>>> Signed-off-by: Myungho Jung <[email protected]>
>>>> ---
>>>> drivers/bluetooth/hci_h4.c | 11 +++++++----
>>>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>> 
>>> patch has been applied to bluetooth-next tree.
>>> 
>>> Can you actually fix all callers of h4_recv_buf since they all suffer from 
>>> the same issue.
>>> 
>>> Regards
>>> 
>>> Marcel
>>> 
>> 
>> Hi Marcel,
>> 
>> Sure, let me check other callers and fix them if applicable.
>> 
>> Thanks,
>> Myungho
>> 
> 
> Hi Marcel,
> 
> I found there are many callers that need to be fixed. So, how about checking
> error code in h4_recv_buf() instead?
> 
> diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
> index fb97a3bf069b..dea48090d2dc 100644
> --- a/drivers/bluetooth/hci_h4.c
> +++ b/drivers/bluetooth/hci_h4.c
> @@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_dev *hdev, struct 
> sk_buff *skb,
>       struct hci_uart *hu = hci_get_drvdata(hdev);
>       u8 alignment = hu->alignment ? hu->alignment : 1;
> 
> +     /* Check if socket buffer is not reset yet from previous error */
> +     if (IS_ERR(skb))
> +             skb = NULL;
> +
>       while (count) {
>               int i, len;
> 
> 
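Review bot: the new IS_ERR(skb) check silently treats a stale error pointer as "no packet in progress", which is the intended reset for a caller that raced in before clearing hu->rx_skb after the previous failure, but the comment above it should say so explicitly (e.g. "a concurrent caller may pass in the ERR_PTR we returned last time before rx_skb was reset"), since as written it reads as if h4_recv_buf() were swallowing its own errors. Also, the `@@` header has been wrapped by the mailer so that `sk_buff *skb,` lands on its own line, which means the hunk will not apply as quoted; resend it as a proper patch (git send-email keeps the lines intact), and as the maintainer notes below, the duplicate implementation in drivers/bluetooth/h4_recv.h needs the same check.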
> It is tested and verified by syzbot. The previous commit is no longer needed if
> this looks better.

please send a proper patch for this and also don’t forget 
drivers/bluetooth/h4_recv.h since these two are not yet consolidated.

Regards

Marcel
