Date: Wed, 22 Nov 2023 18:06:23 -0800
From: syzbot
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in __lock_sock
Message-ID: <00000000000054dd20060ac84858@google.com>
In-Reply-To: <0000000000007b84a2060ac7d84b@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: [bluetooth?] KASAN: slab-use-after-free Read in __lock_sock
Author: eadavis@qq.com

please test uaf in __lock_sock

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 8de1e7afcc1c

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index c736186aba26..82e50c215386 100644 --- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c @@ -270,6 +270,7 @@ static int sco_connect(struct sock *sk) goto unlock; } + hci_conn_get(hcon); conn = sco_conn_add(hcon); if (!conn) { hci_conn_drop(hcon); @@ -438,12 +439,13 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: if (sco_pi(sk)->conn->hcon) { + struct hci_conn *hcon = sco_pi(sk)->conn->hcon; sk->sk_state = BT_DISCONN; sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); sco_pi(sk)->conn->hcon = NULL; sco_conn_unlock(sco_pi(sk)->conn); + hci_conn_put(hcon); } else sco_chan_del(sk, ECONNRESET); break;
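Review bot: the `hci_conn_get(hcon);` added in the sco_connect() hunk is leaked on the `if (!conn)` error path directly below it, which still only calls `hci_conn_drop(hcon);`. hci_conn_get()/hci_conn_put() manage the hci_conn kref that controls the object's lifetime, while hci_conn_hold()/hci_conn_drop() manage the separate link use count, so the existing drop does not release the reference this hunk just took. Either add `hci_conn_put(hcon);` next to the drop in that branch, or take the get only after sco_conn_add() has returned a non-NULL conn so the failure path has nothing to undo. A one-line comment at the get saying what the reference pins (the hcon reachable through sco_pi(sk)->conn) and where it is released would also help, since the matching put lives in a different function.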
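Review bot: in the __sco_sock_close() hunk, deleting `hci_conn_drop(sco_pi(sk)->conn->hcon);` is not balanced by the added `hci_conn_put(hcon);`; the two calls act on different counters. The drop releases the link use count that the connect path raised with hci_conn_hold() and is what eventually arms the disconnect timer, whereas the put only releases the kref taken by the hci_conn_get() added in sco_connect(). With the drop removed, the hold from the connect path is never released and the SCO link is not torn down when the socket closes. Keep `hci_conn_drop(hcon);` before `sco_pi(sk)->conn->hcon = NULL;` and leave the put after the unlock, so both references are released. Two further points: the diff adds a put only on this close path, so every other place that clears conn->hcon or frees the sco_conn needs a matching put, and every other caller of sco_conn_add() needs a matching get, otherwise the kref ends up unbalanced in one direction or the other; and `hcon` is snapshotted from sco_pi(sk)->conn->hcon before sco_conn_lock() is taken, so if another context can clear that pointer under the lock, the snapshot belongs inside the locked region rather than before it.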