[Linux-kernel-mentees] How does syzkaller manage to create Bluetooth connections in a VM which doesn't have a Bluetooth device

Coiby Xu coiby.xu at gmail.com
Fri Sep 4 14:19:54 UTC 2020


Hi,

I have been trying to fix this issue [1] found by syzbot. I notice the
extracted syzkaller reproducer could connect to another Bluetooth device
successfully because l2cap_chan_connect successfully returns.

// net/Bluetooth/l2cap_sock.c
static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
			      int alen, int flags)
{
	err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
				 &la.l2_bdaddr, la.l2_bdaddr_type);
}

However, if I use syz-prog2c to convert the syzkaller reproducer to a
C reproducer, the C reproducer could never make a socket connect call
successfully. So how does syzkaller manage to create Bluetooth connections
for the sykaller reproducer? I've understood why this issue [1] occurs
but haven't figured out how it occurs, i.e., what is the subtle race
condition. So I want to write a C reproducer to experiment on it.

[1] INFO: trying to register non-static key in l2cap_chan_del: https://syzkaller.appspot.com/bug?id=aca31fd1ef0cbf898bd37115e2c4c66fa37f4a20

--
Best regards,
Coiby


More information about the Linux-kernel-mentees mailing list