please test null ptr defref in l2cap_sock_recv_cb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cc8ed4d0a848
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 6db60946c627..278cc4db922f 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1486,7 +1486,14 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
int err;
lock_sock(sk);
-
+ sock_hold(sk);
+ l2cap_chan_hold(chan);
+ l2cap_chan_lock(chan);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ENXIO;
+ goto done;
+ }
+
if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
err = -ENOMEM;
goto done;
@@ -1534,7 +1541,11 @@ static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
}
done:
- release_sock(sk);
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
+ sock_put(sk);
+ if (err != -ENXIO)
+ release_sock(sk);
return err;
}
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: held lock freed in l2cap_sock_recv_cb
=========================
WARNING: held lock freed!
6.10.0-rc1-syzkaller-00267-gcc8ed4d0a848-dirty #0 Not tainted
-------------------------
kworker/u9:3/6458 is freeing memory ffff88802f212000-ffff88802f2127ff, with a lock still held there!
ffff88802f212258 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1602 [inline]
ffff88802f212258 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_recv_cb+0x58/0x6f0 net/bluetooth/l2cap_sock.c:1488
3 locks held by kworker/u9:3/6458:
#0: ffff888079178148 ((wq_completion)hci1#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
#0: ffff888079178148 ((wq_completion)hci1#2){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
#1: ffffc90004347d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
#1: ffffc90004347d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
#2: ffff88802f212258 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1602 [inline]
#2: ffff88802f212258 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_recv_cb+0x58/0x6f0 net/bluetooth/l2cap_sock.c:1488
stack backtrace:
CPU: 0 PID: 6458 Comm: kworker/u9:3 Not tainted 6.10.0-rc1-syzkaller-00267-gcc8ed4d0a848-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: hci1 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_freed_lock_bug kernel/locking/lockdep.c:6538 [inline]
debug_check_no_locks_freed+0x3c5/0x4a0 kernel/locking/lockdep.c:6571
slab_free_hook mm/slub.c:2159 [inline]
slab_free mm/slub.c:4436 [inline]
kfree+0xfa/0x360 mm/slub.c:4557
sk_prot_free net/core/sock.c:2116 [inline]
__sk_destruct+0x476/0x5f0 net/core/sock.c:2208
sock_put include/net/sock.h:1879 [inline]
l2cap_sock_recv_cb+0x596/0x6f0 net/bluetooth/l2cap_sock.c:1546
l2cap_conless_channel net/bluetooth/l2cap_core.c:6780 [inline]
l2cap_recv_frame+0x8b6d/0x10670 net/bluetooth/l2cap_core.c:6833
hci_acldata_packet net/bluetooth/hci_core.c:3842 [inline]
hci_rx_work+0x50f/0xca0 net/bluetooth/hci_core.c:4079
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Bluetooth: hci1: command tx timeout
Tested on:
commit: cc8ed4d0 Merge tag 'drm-fixes-2024-06-01' of https://g..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1082c82e980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47d282ddffae809f
dashboard link: https://syzkaller.appspot.com/bug?extid=b7f6f8c9303466e16c8a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1706587a980000