| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 28 Jan 2024 19:28:15 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+a984066a63e9c1e62662@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] INFO: task hung in hci_conn_failed
On Sat, 27 Jan 2024 15:34:31 -0800
> HEAD commit: 7ed2632ec7d7 drm/ttm: fix ttm pool initialization for no-d..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=116e5bbfe80000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/net/bluetooth/hci_conn.c
+++ y/net/bluetooth/hci_conn.c
@@ -2819,16 +2819,13 @@ void hci_chan_del(struct hci_chan *chan)
BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
list_del_rcu(&chan->list);
-
- synchronize_rcu();
-
/* Prevent new hci_chan's to be created for this hci_conn */
set_bit(HCI_CONN_DROP, &conn->flags);
hci_conn_put(conn);
skb_queue_purge(&chan->data_q);
- kfree(chan);
+ kfree_rcu(chan, rcu);
}
void hci_chan_list_flush(struct hci_conn *conn)
--- x/include/net/bluetooth/hci_core.h
+++ y/include/net/bluetooth/hci_core.h
@@ -797,7 +797,10 @@ struct hci_chan {
struct list_head list;
__u16 handle;
struct hci_conn *conn;
- struct sk_buff_head data_q;
+ union {
+ struct sk_buff_head data_q;
+ struct rcu_head rcu;
+ };
unsigned int sent;
__u8 state;
bool amp;
--
Powered by blists - more mailing lists