[lvc-project] [PATCH v2] Bluetooth: fix use-after-free in device_for_each_child()

Luiz Augusto von Dentz luiz.dentz at gmail.com
Fri Nov 1 20:37:52 MSK 2024


Hi Dmitry,

On Fri, Nov 1, 2024 at 11:31 AM Luiz Augusto von Dentz
<luiz.dentz at gmail.com> wrote:
>
> Hi Dmitry,
>
> On Fri, Nov 1, 2024 at 11:17 AM Dmitry Antipov <dmantipov at yandex.ru> wrote:
> >
> > On 11/1/24 6:12 PM, Luiz Augusto von Dentz wrote:
> >
> > > There is no Tested-by thus why I assumed it wasn't tested by syzbot yet.
> >
> > Ugh. Until today I've assumed that Tested-by: is applicable to human-driven
> > testing only :-).
>
> Nope, in fact it is very handy to have syzbot test your changes since
> it may hit other problems as well.

Looks like this doesn't solve the problem; in fact I think you are
getting it backwards: you are trying to reparent the parent dev, not
the child, and I assume that by destroying the parent device there should be
some way to reset the parent, which seems to be the intent of the
following code in hci_conn_del_sysfs:

    while (1) {
        struct device *dev;

        dev = device_find_child(&conn->dev, NULL, __match_tty);
        if (!dev)
            break;
        device_move(dev, NULL, DPM_ORDER_DEV_LAST);
        put_device(dev);
    }

But note that it only does that after matching a tty, but I guess we
want to do it regardless; otherwise we may have the child objects still
accessing it. That said, we should probably use device_for_each_child,
though only if it is safe to make calls to device_move under its callback.

> > Dmitry
> >
>
>
> --
> Luiz Augusto von Dentz



-- 
Luiz Augusto von Dentz


