Subject: Re: [PATCH] Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()
From: Marcel Holtmann
Date: Tue, 22 Jan 2019 09:49:15 +0100
To: Myungho Jung
Cc: Johan Hedberg, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20190122083323.GA22508@myunghoj-Precision-5530>

Hi Myungho,

> h4_recv_buf() callers store the return value to socket buffer and
> recursively pass the buffer to h4_recv_buf() without protection. So,
> ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
> before setting the socket buffer to NULL from previous error. Check if
> skb is ERR_PTR in h4_recv_buf().
>
> Reported-by: syzbot+017a32f149406df32703@syzkaller.appspotmail.com
> Signed-off-by: Myungho Jung
> ---
> drivers/bluetooth/h4_recv.h | 4 ++++
> drivers/bluetooth/hci_h4.c  | 4 ++++
> 2 files changed, 8 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel
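
The caller pattern described in the quoted commit message, as an added userspace model that is not part of this thread and not the kernel's code: a receive helper returns an error pointer, the caller stores it and passes it back on the next call, and the helper checks for it on entry. The names `recv_buf`, `rx_feed`, `struct buf` and the 0xff "bad type" byte are hypothetical, and resetting the pointer to NULL is an assumed recovery, since the thread does not show what the patch does after the check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-ins for the kernel's ERR_PTR()/PTR_ERR()/IS_ERR(). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)(intptr_t)e; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
/* Hypothetical, simplified stand-in for a socket buffer. */
struct buf { size_t len; unsigned char data[4]; };
static struct buf slot;     /* one static buffer instead of an allocator */
static int stale_err_seen;  /* how often an ERR_PTR was passed back in */

/* Returns the in-progress buffer, NULL after a complete 4-byte frame, or
 * ERR_PTR(-EILSEQ) when a frame starts with the constructed bad type 0xff. */
static struct buf *recv_buf(struct buf *b, const unsigned char *in, size_t n)
{
    if (IS_ERR(b)) {        /* guard: stale error from the previous call */
        stale_err_seen++;
        b = NULL;           /* assumed recovery: start a fresh frame */
    }
    for (size_t i = 0; i < n; i++) {
        if (!b) {
            if (in[i] == 0xff)
                return ERR_PTR(-EILSEQ);
            b = &slot;
            b->len = 0;
        }
        b->data[b->len++] = in[i];  /* unguarded, this writes through ERR_PTR */
        if (b->len == sizeof(b->data))
            b = NULL;       /* frame complete */
    }
    return b;
}

/* Caller pattern from the commit message: store the result and pass it back. */
static long rx_feed(struct buf **pending, const unsigned char *in, size_t n)
{
    *pending = recv_buf(*pending, in, n);
    return IS_ERR(*pending) ? PTR_ERR(*pending) : 0;
}
int main(void)
{
    const unsigned char bad[] = { 0xff }, good[] = { 1, 2 };
    struct buf *pending = NULL;
    rx_feed(&pending, bad, sizeof(bad));
    return rx_feed(&pending, good, sizeof(good)) == 0 ? 0 : 1;
}
```

Because `rx_feed` never clears the stored pointer after an error, the check at the top of `recv_buf` is the only thing that keeps the second call from writing through the error value.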