On Mon, Jan 25, 2016 at 7:59 AM, Dmitry Vyukov wrote:
> It seems that skb can be freed after skb_put() and spinlock unlock,
> but ircomm_param_request reads skb->len afterwards:
>
> int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush)
> {
> ...
> skb_put(skb, count);
>
Hello,
I've hit the following use-after-free report while running syzkaller fuzzer:
==
BUG: KASAN: use-after-free in ircomm_param_request+0x514/0x570 at addr
880035732c78
Read of size 4 by task syz-executor/10736
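The access pattern described in the quoted analysis, as an added illustration that is not code from this thread or from the kernel: a toy model of a function that appends to a shared skb under a lock, drops the lock, and then reads skb->len even though a competing context (here a flush path that runs the moment the lock is released) may already have consumed and freed the skb. All names (toy_skb, toy_tty, softint_flush, param_request_buggy, param_request_fixed) are made up for the example; the "free" poisons the object instead of calling free() so the stale read can be counted the way KASAN would report it, and the competing context is run synchronously from unlock so the worst-case interleaving is deterministic. The fixed variant shows one standard remedy, snapshotting the length while the lock is still held; it is not claimed to be the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for sk_buff and ircomm_tty_cb (assumed layouts). */
struct toy_skb {
	unsigned int len;
	bool freed;		/* poison flag standing in for KASAN's shadow bytes */
};

struct toy_tty {
	bool lock_held;		/* stands in for self->spinlock */
	struct toy_skb *ctrl_skb;	/* protected by the lock */
};

static struct toy_skb storage;	/* backing object for the one ctrl skb */
static int uaf_reports;		/* reads of a freed skb, one per "KASAN report" */

/* Every len read goes through here so a freed object is detected rather
 * than silently read; KASAN does the same check on real memory. */
static unsigned int skb_len(const struct toy_skb *skb)
{
	if (skb->freed)
		uaf_reports++;
	return skb->len;
}

static void toy_skb_put(struct toy_skb *skb, unsigned int count)
{
	skb->len += count;
}

/* Poison instead of free() so the stale read is observable and defined. */
static void toy_kfree_skb(struct toy_skb *skb)
{
	skb->freed = true;
	skb->len = 0xdeadbeef;
}

/* Competing context: takes the pending control skb off the tty and
 * hands it to the lower layer, which consumes (frees) it. */
static void softint_flush(struct toy_tty *self)
{
	struct toy_skb *skb = self->ctrl_skb;

	self->ctrl_skb = NULL;
	if (skb)
		toy_kfree_skb(skb);
}

static void tty_lock(struct toy_tty *self) { self->lock_held = true; }

/* Dropping the lock is the earliest point the flush can run; the model
 * runs it right there to force the worst-case interleaving. */
static void tty_unlock(struct toy_tty *self)
{
	self->lock_held = false;
	softint_flush(self);
}

static struct toy_skb *get_ctrl_skb(struct toy_tty *self)
{
	if (!self->ctrl_skb) {
		storage = (struct toy_skb){0};
		self->ctrl_skb = &storage;
	}
	return self->ctrl_skb;
}

/* Buggy shape: skb->len is read after the lock that kept the skb
 * owned by this context has been dropped. */
static unsigned int param_request_buggy(struct toy_tty *self, unsigned int count)
{
	struct toy_skb *skb;

	tty_lock(self);
	skb = get_ctrl_skb(self);
	toy_skb_put(skb, count);
	tty_unlock(self);
	return skb_len(skb);	/* use-after-free once the flush has run */
}

/* Fixed shape: snapshot the length while the lock still guarantees the
 * skb is ours, and never touch the skb after unlock. */
static unsigned int param_request_fixed(struct toy_tty *self, unsigned int count)
{
	struct toy_skb *skb;
	unsigned int len;

	tty_lock(self);
	skb = get_ctrl_skb(self);
	toy_skb_put(skb, count);
	len = skb_len(skb);
	tty_unlock(self);
	return len;
}

/* Each run returns the number of freed-object reads it triggered. */
int run_buggy(void)
{
	struct toy_tty tty = {0};

	uaf_reports = 0;
	(void)param_request_buggy(&tty, 4);
	return uaf_reports;
}

int run_fixed(void)
{
	struct toy_tty tty = {0};

	uaf_reports = 0;
	(void)param_request_fixed(&tty, 4);
	return uaf_reports;
}

/* Length the fixed variant reports for a 4-byte append. */
unsigned int run_fixed_len(void)
{
	struct toy_tty tty = {0};

	return param_request_fixed(&tty, 4);
}

int main(void)
{
	printf("buggy: %d freed-object read(s)\n", run_buggy());
	printf("fixed: %d freed-object read(s), len=%u\n", run_fixed(), run_fixed_len());
	return 0;
}
```

In the real kernel the interleaving depends on scheduling, so the buggy read usually returns the old length and goes unnoticed; KASAN is what turns the occasional stale read into the deterministic report above.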