From: Hillf Danton
To: syzbot
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in l2cap_conn_del
Date: Sun, 23 Oct 2022 16:29:48 +0800
Message-Id: <20221023082948.2403-1-hdanton@sina.com>
In-Reply-To: <000000000000fa882f05e9973a36@google.com>

On 26 Sep 2022 09:43:42 -0700
> syzbot found the following issue on:
>
> HEAD commit:    aaa11ce2ffc8 Add linux-next specific files for 20220923
> git tree:       linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14b32754880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=186d1ff305f10294
> dashboard link: https://syzkaller.appspot.com/bug?extid=03450dacbc626061c3a3
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d389c4880000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14269e38880000

Put refcount in balance for channel in a bid to fix uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git aaa11ce2ffc8

--- a/net/bluetooth/a2mp.c +++ b/net/bluetooth/a2mp.c @@ -896,6 +896,8 @@ struct l2cap_chan *a2mp_channel_create(s BT_ERR("Could not create AMP manager"); return NULL; } + /* pair with put in l2cap_data_channel() */ + l2cap_chan_hold(mgr->a2mp_chan); BT_DBG("mgr: %p chan %p", mgr, mgr->a2mp_chan);

--
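Review bot: the added l2cap_chan_hold(mgr->a2mp_chan) in a2mp_channel_create() is taken unconditionally, but its comment names only one matching put, in l2cap_data_channel(), and that put is not part of this hunk; please cite the exact release site (or include it in the same patch) and confirm that every path which tears down the A2MP manager's channel reaches it, since an unpaired hold would turn the reported use-after-free into a leaked channel rather than fix it. Placing the hold after the `return NULL` error path is correct, as there is no channel to reference when the manager could not be created.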