* [syzbot] Test on mainline
From: syzbot @ 2023-11-16 14:03 UTC
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Test on mainline
Author: yuran.pereira@hotmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


* Re: [syzbot] [PATCH] test uaf in sco_sock_timeout
From: syzbot @ 2023-11-17  1:01 UTC
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] test uaf in sco_sock_timeout
Author: lizhi.xu@windriver.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 8de1e7afcc1c

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index c736186aba26..515b52e14b5f 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -415,6 +415,8 @@ static void sco_sock_cleanup_listen(struct sock *parent)
  */
 static void sco_sock_kill(struct sock *sk)
 {
+	struct sco_conn *conn = container_of(sk, struct sco_conn, sk);
+
 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
 		return;
 
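Review bot: the `container_of(sk, struct sco_conn, sk)` line in this hunk is wrong: in this file `struct sco_conn` holds `sk` as a `struct sock *` pointer, not an embedded `struct sock`, so the macro computes a bogus address (and the kernel's `container_of` type check rejects a pointer member). The connection belongs to the socket's private data, so this should read `struct sco_conn *conn = sco_pi(sk)->conn;`, and that value can legitimately be NULL for a socket that never connected, so the later use must handle that.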
@@ -423,6 +425,9 @@ static void sco_sock_kill(struct sock *sk)
 	/* Kill poor orphan */
 	bt_sock_unlink(&sco_sk_list, sk);
 	sock_set_flag(sk, SOCK_DEAD);
+	sco_conn_lock(conn);
+	conn->sk = NULL;
+	sco_conn_unlock(conn);
 	sock_put(sk);
 }
 
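Review bot: `sco_conn_lock(conn)` here is taken unconditionally, but `conn` can be NULL for an orphan socket that never reached the connected state, so this hunk needs an `if (conn)` guard around the lock/clear/unlock sequence. The patch also carries no changelog explaining which ordering between `sco_sock_kill()` and the running `sco_sock_timeout()` work it is trying to close, and why clearing `conn->sk` at this point (after `sock_set_flag(sk, SOCK_DEAD)` but before `sock_put(sk)`) is sufficient when the delayed work may already have loaded `conn->sk`; a `Fixes:` tag and a description of the race would make this reviewable.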


* Re: [syzbot] [PATCH] Test uaf in sco_sock_timeout
From: syzbot @ 2023-11-18  3:25 UTC
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] Test uaf in sco_sock_timeout
Author: eadavis@qq.com

please test 8de1e7afcc1c

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 8de1e7afcc1c

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index c736186aba26..c05fb9d41a63 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -300,7 +300,8 @@ static int sco_connect(struct sock *sk)
 
 unlock:
 	hci_dev_unlock(hdev);
-	hci_dev_put(hdev);
+	if (err)
+		hci_dev_put(hdev);
 	return err;
 }
 
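Review bot: making `hci_dev_put(hdev)` conditional on `err` in this hunk leaks an `hdev` reference on every successful connect. The reference dropped at `unlock:` pairs with the one `hci_get_route()` takes at the top of `sco_connect()`; the `hci_conn` created on the success path holds its own `hdev` reference, so the put must stay unconditional. Keeping `hdev` alive forever would at best hide the use-after-free, which syzbot reports on the socket/`sco_conn` in `sco_sock_timeout`, not on `hdev`; the original `hci_dev_put(hdev);` should be restored.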



* Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Write in sco_sock_timeout
From: syzbot @ 2023-12-06  3:58 UTC
  To: davem, eadavis, edumazet, hdanton, johan.hedberg, kuba,
	linux-bluetooth, linux-kernel, lizhi.xu, luiz.dentz,
	luiz.von.dentz, marcel, netdev, pabeni, syzkaller-bugs,
	yuran.pereira

syzbot has bisected this issue to:

commit 9a8ec9e8ebb5a7c0cfbce2d6b4a6b67b2b78e8f3
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Thu Mar 30 21:15:50 2023 +0000

    Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=179a65d2e80000
start commit:   bee0e7762ad2 Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=145a65d2e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=105a65d2e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b50bd31249191be8
dashboard link: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1504504ae80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14685f54e80000

Reported-by: syzbot+4c0d0c4cde787116d465@syzkaller.appspotmail.com
Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
