Forwarded: Re: Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)

[syzbot <syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)
Author: abysamross@gmail.com

#syz test

======================================================================

From 006a3d0d3cc1b5e7be6d4eec2cbafacdbd40816c Mon Sep 17 00:00:00 2001
From: Aby Sam Ross <abysamross@gmail.com>
Date: Tue, 17 Mar 2026 00:21:32 +0530
Subject: [PATCH v1 1/1] Bluetooth: hci_release_dev: cancel coredump work

The hci device's coredump timeout work remains active when the memory
associated with the hci device is freed up in hci_release_dev(), causing
an active object to be freed.
Cancel all hci coredump related work while in hci_release_dev().

Signed-off-by: Aby Sam Ross <abysamross@gmail.com>
---
 include/net/bluetooth/coredump.h | 3 +++
 net/bluetooth/coredump.c         | 7 +++++++
 net/bluetooth/hci_core.c         | 1 +
 3 files changed, 11 insertions(+)

diff --git a/include/net/bluetooth/coredump.h b/include/net/bluetooth/coredump.h
index 72f51b587a04..18318a1f8e1a 100644
--- a/include/net/bluetooth/coredump.h
+++ b/include/net/bluetooth/coredump.h
@@ -71,6 +71,7 @@ int hci_devcd_append(struct hci_dev *hdev, struct sk_buff *skb);
 int hci_devcd_append_pattern(struct hci_dev *hdev, u8 pattern, u32 len);
 int hci_devcd_complete(struct hci_dev *hdev);
 int hci_devcd_abort(struct hci_dev *hdev);
+void hci_devcd_cancel_work_sync(struct hci_dev *hdev);
 
 #else
 
@@ -111,6 +112,8 @@ static inline int hci_devcd_abort(struct hci_dev *hdev)
 	return -EOPNOTSUPP;
 }
 
+static inline void hci_devcd_cancel_work_sync(struct hci_dev *hdev) {}
+
 #endif /* CONFIG_DEV_COREDUMP */
 
 #endif /* __COREDUMP_H */
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 720cb79adf96..e3b65d627019 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -84,6 +84,13 @@ static void hci_devcd_notify(struct hci_dev *hdev, int state)
 		hdev->dump.notify_change(hdev, state);
 }
 
+
+void hci_devcd_cancel_work_sync(struct hci_dev *hdev)
+{
+    cancel_work_sync(&hdev->dump.dump_rx);
+    cancel_delayed_work_sync(&hdev->dump.dump_timeout);
+}
+
 /* Call with hci_dev_lock only. */
 void hci_devcd_reset(struct hci_dev *hdev)
 {
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 31308c1de4ec..95416cd0d580 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2749,6 +2749,7 @@ void hci_release_dev(struct hci_dev *hdev)
 
 	destroy_workqueue(hdev->workqueue);
 	destroy_workqueue(hdev->req_workqueue);
+    hci_devcd_cancel_work_sync(hdev);
 
 	hci_dev_lock(hdev);
 	hci_bdaddr_list_clear(&hdev->reject_list);
-- 
2.53.0