From: Edward Adam Davis
To: syzbot+b7f6f8c9303466e16c8a@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] general protection fault in l2cap_sock_recv_cb
Date: Sat, 15 Jun 2024 09:25:12 +0800
X-OQ-MSGID: <20240615012511.3389653-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <000000000000b0906d061a468b93@google.com>
References: <000000000000b0906d061a468b93@google.com>

please test null ptr deref in l2cap_sock_recv_cb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cc8ed4d0a848

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 6db60946c627..d6c2394f0235 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1241,6 +1241,7 @@ static void l2cap_sock_kill(struct sock *sk) /* Kill poor orphan */ + l2cap_pi(sk)->chan->data = NULL; l2cap_chan_put(l2cap_pi(sk)->chan); sock_set_flag(sk, SOCK_DEAD); sock_put(sk); @@ -1413,6 +1414,7 @@ static int l2cap_sock_release(struct socket *sock) l2cap_chan_hold(chan); l2cap_chan_lock(chan); + printk("err: %d, sk refcnt: %u, %s\n", err, refcount_read(&sk->sk_refcnt), __func__); sock_orphan(sk); l2cap_sock_kill(sk); @@ -1481,12 +1483,23 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) { - struct sock *sk = chan->data; - struct l2cap_pinfo *pi = l2cap_pi(sk); + struct sock *sk; + struct l2cap_pinfo *pi; int err; - lock_sock(sk); + l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + sk = chan->data; + + if (!sk) { + printk("%s\n", __func__); + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + return -ENXIO; + } + pi = l2cap_pi(sk); + lock_sock(sk); if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) { err = -ENOMEM; goto done; @@ -1535,6 +1548,8 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) done: release_sock(sk); + l2cap_chan_unlock(chan); + l2cap_chan_put(chan); return err; }
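Review bot: the `l2cap_pi(sk)->chan->data = NULL;` store added to l2cap_sock_kill() in the first hunk is only safe against the new reader in l2cap_sock_recv_cb() if every caller of l2cap_sock_kill() holds the channel lock. The l2cap_sock_release() path does (the second hunk shows l2cap_chan_lock(chan) taken before sock_orphan(sk)/l2cap_sock_kill(sk)), but l2cap_sock_kill() is a static helper whose other callers are not in this patch, so either state that precondition in a comment above the store or move the store next to the existing lock/unlock in the caller. Nulling chan->data also only protects the recv callback patched here; any other l2cap_chan_ops callback that reads chan->data would need the same NULL check.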
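Review bot: the `printk("err: %d, sk refcnt: %u, %s\n", err, refcount_read(&sk->sk_refcnt), __func__);` added before sock_orphan(sk) in the l2cap_sock_release() hunk is debugging output with no log level and has to go before this is sent as a fix; if the refcount is worth seeing during the #syz test run, BT_DBG() or pr_debug() is the bluetooth subsystem's convention.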
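Review bot: in the l2cap_sock_recv_cb() hunk, l2cap_chan_lock(chan) is taken inside an l2cap_chan_ops callback that the L2CAP core invokes from its connection-oriented data path with the channel already locked (l2cap_data_channel() gets the chan from l2cap_get_chan_by_scid(), which returns it held and locked), so the added lock recurses on that mutex and will hang rather than clear the syzbot report. Confirm the locking context of every caller of chan->ops->recv() before testing; where the lock is already held, the `if (!sk)` check on chan->data is what this hunk needs, without the hold/lock at entry, and the `printk("%s\n", __func__);` in that branch should go with it.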
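Review bot: the `l2cap_chan_unlock(chan);` / `l2cap_chan_put(chan);` pair added at done: in the last hunk duplicates the same two calls written out in the early-return `if (!sk)` branch at the top of the function; a second label after release_sock(sk) (say `unlock:`) that the `!sk` branch jumps to would keep the channel cleanup in one place and make it harder for a later early return to miss it.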