Message-ID: <20250831095915.6269-1-hdanton@sina.com>
Date: Sun, 31 Aug 2025 17:59:14 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+535bbe83dfc3ae8d4be3@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	Yunseong Kim <ysk@...lloc.com>,
	Krzysztof Kozlowski <krzk@...nel.org>,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] [nfc?] WARNING in nfc_rfkill_set_block

> Date: Sun, 31 Aug 2025 00:02:33 -0700
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    c8bc81a52d5a Merge tag 'arm64-fixes' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1508ce34580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=bd9738e00c1bbfb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=535bbe83dfc3ae8d4be3
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11019a62580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1308ce34580000

Test Kim's patch.

#syz test

--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -1154,6 +1154,7 @@ EXPORT_SYMBOL(nfc_register_device);
 void nfc_unregister_device(struct nfc_dev *dev)
 {
 	int rc;
+	struct rfkill *rfk = NULL;
 
 	pr_debug("dev_name=%s\n", dev_name(&dev->dev));
 
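Review bot: The new local `struct rfkill *rfk = NULL;` in nfc_unregister_device() is declared after `int rc;`. Code under net/ conventionally orders local declarations longest line first (reverse Christmas tree), so it should go above `int rc;`.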
@@ -1163,14 +1164,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
 			 "was removed\n", dev_name(&dev->dev));
 
 	device_lock(&dev->dev);
+	dev->shutting_down = true;
 	if (dev->rfkill) {
-		rfkill_unregister(dev->rfkill);
-		rfkill_destroy(dev->rfkill);
+		rfk = dev->rfkill;
 		dev->rfkill = NULL;
 	}
-	dev->shutting_down = true;
 	device_unlock(&dev->dev);
 
+	if (rfk) {
+		rfkill_unregister(rfk);
+		rfkill_destroy(rfk);
+	}
+
 	if (dev->ops->check_presence) {
 		timer_delete_sync(&dev->check_pres_timer);
 		cancel_work_sync(&dev->check_pres_work);
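Review bot: After device_unlock() in nfc_unregister_device(), the rfkill object stays registered until rfkill_unregister(rfk) runs, so its callbacks can still fire in that window with dev->shutting_down set and dev->rfkill already NULL. The reordering is only safe if every rfkill callback takes device_lock and bails out on shutting_down, which this diff does not show. Please confirm that for nfc_rfkill_set_block (named in the subject), and add a comment above `dev->shutting_down = true;` saying why the flag must be set before the lock is dropped and why the unregister/destroy pair moved outside it.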
--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -1476,8 +1476,14 @@ static void hci_cmd_timeout(struct work_
 	if (hdev->reset)
 		hdev->reset(hdev);
 
+	rcu_read_lock();
+	if (hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
+		rcu_read_unlock();
+		return;
+	}
 	atomic_set(&hdev->cmd_cnt, 1);
 	queue_work(hdev->workqueue, &hdev->cmd_work);
+	rcu_read_unlock();
 }
 
 /* HCI ncmd timer function */
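Review bot: In hci_cmd_timeout() the HCI_CMD_DRAIN_WORKQUEUE test sits after the `hdev->reset(hdev)` call shown in the context, so the reset callback still runs while the workqueue is draining; if the intent is to do nothing during drain, the check belongs before it. The rcu_read_lock() section only closes the race with queue_work() if the code that sets the flag follows it with synchronize_rcu(), which is not visible in these lines. This hunk also touches net/bluetooth with x/ and y/ path prefixes while the rest of the patch is net/nfc with a/ and b/, so it should go out as a separate patch.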
--
