[PATCH 0/6] Bluetooth: don't call kfree_skb() under spin_lock_irqsave()

[PATCH 0/6] Bluetooth: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. This patchset is
trying to call kfree_skb() after spin_lock_irqsave().

Yang Yingliang (6):
  Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
  Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
  Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
  Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
  Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
  Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()

 drivers/bluetooth/hci_bcsp.c | 6 +++++-
 drivers/bluetooth/hci_h5.c   | 6 +++++-
 drivers/bluetooth/hci_ll.c   | 3 ++-
 drivers/bluetooth/hci_qca.c  | 3 ++-
 net/bluetooth/hci_core.c     | 6 +++++-
 net/bluetooth/rfcomm/core.c  | 4 +++-
 6 files changed, 22 insertions(+), 6 deletions(-)

-- 
2.25.1

[PATCH 1/6] Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. Call it after the
spin_unlock_irqrestore().

Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/bluetooth/hci_qca.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 8df11016fd51..69c5cedda6d2 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -912,8 +912,9 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb)
 	default:
 		BT_ERR("Illegal tx state: %d (losing packet)",
 		       qca->tx_ibs_state);
+		spin_unlock_irqrestore(&qca->hci_ibs_lock, flags);
 		kfree_skb(skb);
-		break;
+		return 0;
 	}
 
 	spin_unlock_irqrestore(&qca->hci_ibs_lock, flags);
-- 
2.25.1

[PATCH 2/6] Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. Call it after the
spin_unlock_irqrestore().

Fixes: 166d2f6a4332 ("[Bluetooth] Add UART driver for Texas Instruments' BRF63xx chips")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/bluetooth/hci_ll.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 4eb420a9ed04..5f8a267fd8a5 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -345,8 +345,9 @@ static int ll_enqueue(struct hci_uart *hu, struct sk_buff *skb)
 	default:
 		BT_ERR("illegal hcill state: %ld (losing packet)",
 		       ll->hcill_state);
+		spin_unlock_irqrestore(&ll->hcill_lock, flags);
 		kfree_skb(skb);
-		break;
+		return 0;
 	}
 
 	spin_unlock_irqrestore(&ll->hcill_lock, flags);
-- 
2.25.1

[PATCH 3/6] Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So add all skb to
a free list, then free them after spin_unlock_irqrestore() at
once.

Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/bluetooth/hci_h5.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index c5a0409ef84f..2b97296abb88 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -283,11 +283,13 @@ static int h5_setup(struct hci_uart *hu)
 
 static void h5_pkt_cull(struct h5 *h5)
 {
+	struct sk_buff_head free_list;
 	struct sk_buff *skb, *tmp;
 	unsigned long flags;
 	int i, to_remove;
 	u8 seq;
 
+	skb_queue_head_init(&free_list);
 	spin_lock_irqsave(&h5->unack.lock, flags);
 
 	to_remove = skb_queue_len(&h5->unack);
@@ -313,7 +315,7 @@ static void h5_pkt_cull(struct h5 *h5)
 			break;
 
 		__skb_unlink(skb, &h5->unack);
-		kfree_skb(skb);
+		__skb_queue_tail(&free_list, skb);
 	}
 
 	if (skb_queue_empty(&h5->unack))
@@ -321,6 +323,8 @@ static void h5_pkt_cull(struct h5 *h5)
 
 unlock:
 	spin_unlock_irqrestore(&h5->unack.lock, flags);
+
+	__skb_queue_purge(&free_list);
 }
 
 static void h5_handle_internal_rx(struct hci_uart *hu)
-- 
2.25.1

[PATCH 4/6] Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So add all skb to
a free list, then free them after spin_unlock_irqrestore() at
once.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/bluetooth/hci_bcsp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index cf4a56095817..c47ddb2fb22b 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -347,11 +347,13 @@ static int bcsp_flush(struct hci_uart *hu)
 /* Remove ack'ed packets */
 static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
 {
+	struct sk_buff_head free_list;
 	struct sk_buff *skb, *tmp;
 	unsigned long flags;
 	int i, pkts_to_be_removed;
 	u8 seqno;
 
+	skb_queue_head_init(&free_list);
 	spin_lock_irqsave(&bcsp->unack.lock, flags);
 
 	pkts_to_be_removed = skb_queue_len(&bcsp->unack);
@@ -378,7 +380,7 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
 		i++;
 
 		__skb_unlink(skb, &bcsp->unack);
-		kfree_skb(skb);
+		__skb_queue_tail(&free_list, skb);
 	}
 
 	if (skb_queue_empty(&bcsp->unack))
@@ -386,6 +388,8 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
 
 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
 
+	__skb_queue_purge(&free_list);
+
 	if (i != pkts_to_be_removed)
 		BT_ERR("Removed only %u out of %u pkts", i, pkts_to_be_removed);
 }
-- 
2.25.1

[PATCH 5/6] Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So add all skb to
a tmp list, then free them after spin_unlock_irqrestore() at
once.

Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 net/bluetooth/hci_core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 9d9fb3dff22a..09295ac6b77b 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3925,6 +3925,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
 			  hci_req_complete_t *req_complete,
 			  hci_req_complete_skb_t *req_complete_skb)
 {
+	struct sk_buff_head tmp;
 	struct sk_buff *skb;
 	unsigned long flags;
 
@@ -3970,6 +3971,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
 	}
 
 	/* Remove all pending commands belonging to this request */
+	skb_queue_head_init(&tmp);
 	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
 	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
 		if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
@@ -3981,9 +3983,11 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
 			*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
 		else
 			*req_complete = bt_cb(skb)->hci.req_complete;
-		kfree_skb(skb);
+		__skb_queue_tail(&tmp, skb);
 	}
 	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+
+	__skb_queue_purge(&tmp);
 }
 
 static void hci_rx_work(struct work_struct *work)
-- 
2.25.1

[PATCH 6/6] Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()

[Yang Yingliang]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. Call it after the
spin_unlock_irqrestore().

Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 net/bluetooth/rfcomm/core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 7324764384b6..b15d7c57dfc5 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -590,8 +590,9 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 
 		ret = rfcomm_dlc_send_frag(d, frag);
 		if (ret < 0) {
+			spin_unlock_irqrestore(&d->tx_queue.lock, flags);
 			kfree_skb(frag);
-			goto unlock;
+			goto out;
 		}
 
 		len += ret;
@@ -600,6 +601,7 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 unlock:
 	spin_unlock_irqrestore(&d->tx_queue.lock, flags);
 
+out:
 	if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 		rfcomm_schedule();
 	return len;
-- 
2.25.1

RE: Bluetooth: don't call kfree_skb() under spin_lock_irqsave()

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1258 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=701842

---Test result---

Test Summary:
CheckPatch                    PASS      3.46 seconds
GitLint                       PASS      1.70 seconds
SubjectPrefix                 PASS      0.57 seconds
BuildKernel                   PASS      33.24 seconds
BuildKernel32                 PASS      28.37 seconds
TestRunnerSetup               PASS      404.37 seconds
TestRunner_l2cap-tester       PASS      15.09 seconds
TestRunner_iso-tester         PASS      14.79 seconds
TestRunner_bnep-tester        PASS      5.12 seconds
TestRunner_mgmt-tester        PASS      100.60 seconds
TestRunner_rfcomm-tester      PASS      8.91 seconds
TestRunner_sco-tester         PASS      8.29 seconds
TestRunner_ioctl-tester       PASS      10.00 seconds
TestRunner_mesh-tester        PASS      7.11 seconds
TestRunner_smp-tester         PASS      8.63 seconds
TestRunner_userchan-tester    PASS      5.54 seconds
IncrementalBuild              PASS      60.74 seconds



---
Regards,
Linux Bluetooth

RE: Bluetooth: don't call kfree_skb() under spin_lock_irqsave()

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1257 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=702385

---Test result---

Test Summary:
CheckPatch                    PASS      3.86 seconds
GitLint                       PASS      2.04 seconds
SubjectPrefix                 PASS      0.73 seconds
BuildKernel                   PASS      33.83 seconds
BuildKernel32                 PASS      29.74 seconds
TestRunnerSetup               PASS      419.28 seconds
TestRunner_l2cap-tester       PASS      15.69 seconds
TestRunner_iso-tester         PASS      15.34 seconds
TestRunner_bnep-tester        PASS      5.32 seconds
TestRunner_mgmt-tester        PASS      103.24 seconds
TestRunner_rfcomm-tester      PASS      9.19 seconds
TestRunner_sco-tester         PASS      8.62 seconds
TestRunner_ioctl-tester       PASS      9.78 seconds
TestRunner_mesh-tester        PASS      6.68 seconds
TestRunner_smp-tester         PASS      8.49 seconds
TestRunner_userchan-tester    PASS      5.56 seconds
IncrementalBuild              PASS      59.18 seconds



---
Regards,
Linux Bluetooth