Open Source and information security mailing list archives
Message-ID: <20260202011251.2533-1-hdanton@sina.com>
Date: Mon,  2 Feb 2026 09:12:49 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+5897b3c764f5989ea942@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] WARNING in hci_connect_sco

> Date: Sat, 31 Jan 2026 05:50:28 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    ad9a728a3388 Merge tag 'for-linus-iommufd' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15513c5a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=5897b3c764f5989ea942
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17b45322580000

#syz test

--- x/include/net/bluetooth/hci_core.h
+++ y/include/net/bluetooth/hci_core.h
@@ -1687,6 +1687,7 @@ static inline void hci_conn_drop(struct
 
 	if (atomic_dec_and_test(&conn->refcnt)) {
 		unsigned long timeo;
+		struct hci_dev *hdev;
 
 		switch (conn->type) {
 		case ACL_LINK:
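Review bot: the new `hdev` local is declared here but only assigned in the second hunk (`hdev = conn->hdev;`); initializing it at the point of declaration, `struct hci_dev *hdev = conn->hdev;`, keeps declaration and value together and removes the separate assignment from the queueing path below.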
@@ -1707,8 +1708,14 @@ static inline void hci_conn_drop(struct
 		}
 
 		cancel_delayed_work(&conn->disc_work);
-		queue_delayed_work(conn->hdev->workqueue,
-				   &conn->disc_work, timeo);
+		hdev = conn->hdev;
+		rcu_read_lock();
+		if (test_bit(HCI_RESET, &hdev->flags) ||
+		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+			;
+		else
+			queue_delayed_work(hdev->workqueue, &conn->disc_work, timeo);
+		rcu_read_unlock();
 	}
 }
 
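Review bot: when the flag test fires, the refcount has already dropped to zero but `disc_work` is never queued, so nothing in this function will disconnect or free the connection; the change needs a sentence (in the commit message and ideally a comment here) stating what tears such a connection down during reset/close and why skipping the timer is safe. Two smaller points on the same lines: the empty-statement form `if (...) ; else queue_delayed_work(...)` is hard to read and will draw a checkpatch complaint, so invert it as `if (!test_bit(HCI_RESET, &hdev->flags) && !hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) queue_delayed_work(hdev->workqueue, &conn->disc_work, timeo);`; and the `rcu_read_lock()`/`rcu_read_unlock()` pair protects no RCU-dereferenced data, it exists only to pair with the `synchronize_rcu()` added in hci_dev_close_sync so that a drop which saw the flag clear has finished `queue_delayed_work()` before the drain starts, which is exactly the kind of non-obvious pairing that should be spelled out in a comment.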
--- x/net/bluetooth/hci_sync.c
+++ y/net/bluetooth/hci_sync.c
@@ -5307,10 +5307,13 @@ int hci_dev_close_sync(struct hci_dev *h
 			cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
 	}
 
+	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
+	synchronize_rcu();
 	/* Avoid potential lockdep warnings from the *_flush() calls by
 	 * ensuring the workqueue is empty up front.
 	 */
 	drain_workqueue(hdev->workqueue);
+	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 
 	hci_dev_lock(hdev);
 
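Review bot: `hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)` directly after `drain_workqueue()` reopens the window the flag was meant to close: any `hci_conn_drop()` that runs after the clear, while the rest of close is still in progress, can queue `disc_work` onto the just-drained workqueue again, so the guarantee the comment above promises ("the workqueue is empty up front") only holds between the two flag calls. Either keep the flag set until the device is fully closed, or explain why a `disc_work` queued after this point is harmless. The existing comment should also be extended to say that the flag and the `synchronize_rcu()` pair with the `rcu_read_lock()` region in `hci_conn_drop()`, otherwise the `synchronize_rcu()` looks unmotivated here.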
--
