[lvc-project] [PATCH v2] Bluetooth: fix use-after-free in device_for_each_child()
Luiz Augusto von Dentz
luiz.dentz at gmail.com
Fri Nov 1 22:30:23 MSK 2024
On Fri, Nov 1, 2024 at 1:37 PM Luiz Augusto von Dentz
<luiz.dentz at gmail.com> wrote:
>
> Hi Dmitry,
>
> On Fri, Nov 1, 2024 at 11:31 AM Luiz Augusto von Dentz
> <luiz.dentz at gmail.com> wrote:
> >
> > Hi Dmitry,
> >
> > On Fri, Nov 1, 2024 at 11:17 AM Dmitry Antipov <dmantipov at yandex.ru> wrote:
> > >
> > > On 11/1/24 6:12 PM, Luiz Augusto von Dentz wrote:
> > >
> > > > There is no Tested-by thus why I assumed it wasn't tested by syzbot yet.
> > >
> > > Ugh. Until today I've assumed that Tested-by: is applicable to human-driven
> > > testing only :-).
> >
> > Nope, in fact it is very handy to have syzbot test your changes since
> > it may hit other problems as well.
>
> Looks like this doesn't solve the problem, in fact I think you are
> getting it backwards, you are trying to reparent the parent dev not
> the child and I assume by destroying the parent device there should be
> some way to reset the parent which seems to be the intent the
> following code in hci_conn_del_sysfs:
>
> while (1) {
> struct device *dev;
>
> dev = device_find_child(&conn->dev, NULL, __match_tty);
> if (!dev)
> break;
> device_move(dev, NULL, DPM_ORDER_DEV_LAST);
> put_device(dev);
> }
>
> But note that it only does that after matching tty, but I guess we
> want to do it regardless otherwise we may have the child objects still
> access it, that said we should probably use device_for_each_child
> though if that is safe to do calls to device_move under its callback.
#syz test
> > > Dmitry
> > >
> >
> >
> > --
> > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: v1-0001-Bluetooth-fix-use-after-free-in-device_for_each_c.patch
Type: text/x-patch
Size: 4216 bytes
Desc: not available
URL: <http://linuxtesting.org/pipermail/lvc-project/attachments/20241101/2efc5f42/attachment.bin>
More information about the lvc-project
mailing list