Date: Fri, 24 Nov 2023 19:20:31 -0800
From: syzbot
To: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in __lock_sock
Message-ID: <00000000000024c34e060af18d39@google.com>
In-Reply-To: <0000000000007b84a2060ac7d84b@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [bluetooth?] KASAN: slab-use-after-free Read in __lock_sock
Author: eadavis@qq.com

please test uaf in __lock_sock

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 8de1e7afcc1c

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index c736186aba26..236da4241620 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -285,6 +285,7 @@ static int sco_connect(struct sock *sk) goto unlock; } + hci_conn_get(hcon); /* Update source addr of the socket */ bacpy(&sco_pi(sk)->src, &hcon->src); @@ -297,10 +298,13 @@ static int sco_connect(struct sock *sk) } release_sock(sk); + printk("hd: %s, hcd: %s, hko: %p, hcko: %p\n", hdev->dev.kobj.name, + hcon->dev.kobj.name, &hdev->dev.kobj, &hcon->dev.kobj); unlock: hci_dev_unlock(hdev); - hci_dev_put(hdev); + if (err) + hci_dev_put(hdev); return err; } @@ -438,12 +442,13 @@ static void __sco_sock_close(struct sock *sk) case BT_CONNECTED: case BT_CONFIG: if (sco_pi(sk)->conn->hcon) { + struct hci_conn *hcon = sco_pi(sk)->conn->hcon; sk->sk_state = BT_DISCONN; sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); sco_conn_lock(sco_pi(sk)->conn); - hci_conn_drop(sco_pi(sk)->conn->hcon); sco_pi(sk)->conn->hcon = NULL; sco_conn_unlock(sco_pi(sk)->conn); + hci_conn_put(hcon); } else sco_chan_del(sk, ECONNRESET); break;
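Review bot: the hci_conn_get(hcon) added in the first hunk (@@ -285,6 +285,7 @@) is only released on one path, the BT_CONNECTED/BT_CONFIG case of __sco_sock_close() rewritten in the third hunk. A socket closed in any other state, or whose conn->hcon is cleared by the other teardown paths in sco.c that this patch does not touch, keeps the extra struct device reference, so the hci_conn is leaked instead of being freed. Every path that writes `sco_pi(sk)->conn->hcon = NULL` needs the matching hci_conn_put(), and a comment next to the get saying which state owns the reference would make that rule reviewable.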
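Review bot: in the second hunk (@@ -297,10 +298,13 @@), making `hci_dev_put(hdev)` conditional on err leaks the hci_dev reference on the success path. sco_connect() takes that reference when it looks up hdev at the top of the function (outside this hunk), and nothing in this patch releases it later, so every successful SCO connect pins the adapter. The reported use-after-free is on the hci_conn, not the hci_dev, so this change is unrelated to the bug and should be reverted to the unconditional put. The added printk() has no KERN_ level and should become bt_dev_dbg() or be removed before this is sent as a fix; also note that %p prints hashed pointers, so if the intent is to compare these addresses with the ones in the KASAN report, %px is needed.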
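Review bot: the third hunk (@@ -438,12 +442,13 @@) replaces hci_conn_drop() with hci_conn_put(), but these operate on different counters. hci_conn_drop() decrements the connection's user refcnt (the hold taken when the SCO link was set up) and queues the disconnect work when it reaches zero; hci_conn_put() only drops the struct device reference that the first hunk takes with hci_conn_get(). With the drop removed, the hold is never released, so closing the socket no longer tears down the SCO link: sk sits in BT_DISCONN with the link still up until the remote side drops it. Keep `hci_conn_drop(sco_pi(sk)->conn->hcon);` before clearing the pointer, and add `hci_conn_put(hcon);` after sco_conn_unlock() as a separate step to balance the get.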