Hi,
ma, 2025-06-16 kello 10:37 -0700, Kuniyuki Iwashima kirjoitti:
> From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
>
> syzbot reported use-after-free in vhci_flush() without repro. [0]
>
[clip]
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 07a8b4281a39..d648b514e2df 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -64,9 +64,9 @@ static DEFINE_IDA(hci_index_ida);
>
> /* Get HCI device by index.
> * Device is held on return. */
> -struct hci_dev *hci_dev_get(int index)
> +static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
> {
> - struct hci_dev *hdev = NULL, *d;
> + struct hci_dev *hdev = NULL;
>
> BT_DBG("%d", index);
>
> @@ -74,9 +74,11 @@ struct hci_dev *hci_dev_get(int index)
> return NULL;
>
> read_lock(&hci_dev_list_lock);
> - list_for_each_entry(d, &hci_dev_list, list) {
> - if (d->id == index) {
> - hdev = hci_dev_hold(d);
> + list_for_each_entry(hdev, &hci_dev_list, list) {
> + if (hdev->id == index) {
> + hci_dev_hold(hdev);
> + if (srcu_index)
> + *srcu_index = srcu_read_lock(&hdev->srcu);
> break;
> }
> }
> @@ -84,6 +86,22 @@ struct hci_dev *hci_dev_get(int index)
> return hdev;
> }
If no list item has `hdev->id == index`, doesn't this now return the
list head -> crash?
--
Pauli Virtanen
