From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot <syzbot+da0a9c9721e36db712e8@syzkaller.appspotmail.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 22/33] Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
Date: Thu, 25 Jul 2024 16:36:45 +0200 [thread overview]
Message-ID: <20240725142729.353753188@linuxfoundation.org> (raw)
In-Reply-To: <20240725142728.511303502@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 0d151a103775dd9645c78c97f77d6e2a5298d913 ]
syzbot is reporting that calling hci_release_dev() from hci_error_reset()
due to hci_dev_put() from hci_error_reset() can cause deadlock at
destroy_workqueue(), for hci_error_reset() is called from
hdev->req_workqueue which destroy_workqueue() needs to flush.
We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are
queued into hdev->workqueue and hdev->{power_on,error_reset} which are
queued into hdev->req_workqueue are no longer running by the moment
destroy_workqueue(hdev->workqueue);
destroy_workqueue(hdev->req_workqueue);
are called from hci_release_dev().
Call cancel_work_sync() on these work items from hci_unregister_dev()
as soon as hdev->list is removed from hci_dev_list.
Reported-by: syzbot <syzbot+da0a9c9721e36db712e8@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=da0a9c9721e36db712e8
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 47f1eec0eb35f..504f6aa4e95db 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3288,7 +3288,11 @@ void hci_unregister_dev(struct hci_dev *hdev)
list_del(&hdev->list);
write_unlock(&hci_dev_list_lock);
+ cancel_work_sync(&hdev->rx_work);
+ cancel_work_sync(&hdev->cmd_work);
+ cancel_work_sync(&hdev->tx_work);
cancel_work_sync(&hdev->power_on);
+ cancel_work_sync(&hdev->error_reset);
hci_dev_do_close(hdev);
--
2.43.0
next prev parent reply other threads:[~2024-07-25 14:40 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 14:36 [PATCH 4.19 00/33] 4.19.319-rc1 review Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 01/33] gcc-plugins: Rename last_stmt() for GCC 14+ Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 02/33] scsi: qedf: Set qed_slowpath_params to zero before use Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 03/33] ACPI: EC: Abort address space access upon error Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 04/33] ACPI: EC: Avoid returning AE_OK on errors in address space handler Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 05/33] wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 06/33] wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 07/33] Input: silead - Always support 10 fingers Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 08/33] ila: block BH in ila_output() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 09/33] kconfig: gconf: give a proper initial state to the Save button Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 10/33] kconfig: remove wrong expr_trans_bool() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 11/33] fs/file: fix the check in find_next_fd() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 12/33] mei: demote client disconnect warning on suspend to debug Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 13/33] wifi: cfg80211: wext: add extra SIOCSIWSCAN data check Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 14/33] Input: elantech - fix touchpad state on resume for Lenovo N24 Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 15/33] bytcr_rt5640 : inverse jack detect for Archos 101 cesium Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 16/33] can: kvaser_usb: fix return value for hif_usb_send_regout Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 17/33] gpio: pca953x: fix pca953x_irq_bus_sync_unlock race Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 18/33] s390/sclp: Fix sclp_init() cleanup on failure Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 19/33] ALSA: dmaengine_pcm: terminate dmaengine before synchronize Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 20/33] net: usb: qmi_wwan: add Telit FN912 compositions Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 21/33] net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() Greg Kroah-Hartman
2024-07-25 14:36 ` Greg Kroah-Hartman [this message]
2024-07-25 14:36 ` [PATCH 4.19 23/33] fs: better handle deep ancestor chains in is_subdir() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 24/33] spi: imx: Dont expect DMA for i.MX{25,35,50,51,53} cspi devices Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 25/33] selftests/vDSO: fix clang build errors and warnings Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 26/33] hfsplus: fix uninit-value in copy_name Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 27/33] filelock: Remove locks reliably when fcntl/close race is detected Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 28/33] ARM: 9324/1: fix get_user() broken with veneer Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 29/33] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 30/33] net: relax socket state check at accept time Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 31/33] ocfs2: add bounds checking to ocfs2_check_dir_entry() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 32/33] jfs: dont walk off the end of ealist Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 4.19 33/33] filelock: Fix fcntl/close race recovery compat path Greg Kroah-Hartman
2024-07-25 17:10 ` [PATCH 4.19 00/33] 4.19.319-rc1 review Naresh Kamboju
2024-07-26 8:13 ` Pavel Machek
2024-07-26 5:25 ` Harshit Mogalapalli
2024-07-26 16:41 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240725142729.353753188@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=luiz.von.dentz@intel.com \
--cc=patches@lists.linux.dev \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+da0a9c9721e36db712e8@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.