From: syzbot <syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: test fix for syzbot+b170dbf55520ebf5969a
Date: Sat, 21 Mar 2026 04:28:19 -0700
Message-ID: <69be80d3.050a0220.3bf4de.004d.GAE@google.com>
In-Reply-To: <000000000000cd69c7061dfe35d2@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: test fix for syzbot+b170dbf55520ebf5969a
Author: abysamross@gmail.com
#syz test
===============================
From 4c574f30487b7aa767f29689692e1e54d672c508 Mon Sep 17 00:00:00 2001
From: Aby Sam Ross <abysamross@gmail.com>
Date: Sat, 21 Mar 2026 15:12:16 +0530
Subject: [PATCH v1 1/1] Bluetooth: hci_release_dev: disable delayed hci
 devcoredump timeout work

It is not necessary that the pending delayed hci devcoredump timeout
work, hdev->dump.dump_timeout, submitted to the hdev->workqueue by the
bluetooth devcoredump state machine, hci_devcd_rx() ( -->
hci_devcd_handle_pkt_init()) will be reset by it or by the timeout func
hci_devcd_timeout() before destroying the workqueue or before the hci
device is freed up in hci_release_dev().

In this bug the active delayed devcoredump timeout work's timer object
is active when the memory associated with the hci device is freed up in
hci_release_dev() causing the ODEBUG WARNING.

Make sure that the delayed devcoredump timeout work is disabled before
the hdev->workqueue is destroyed and before the hdev memory is freed in
hci_release_dev().

Tested the change with the syzbot reproducer that uses a vhci device
locally on x86_64 and on syzbot portal as well.

Closes: https://syzkaller.appspot.com/bug?extid=b170dbf55520ebf5969a
Tested-by: syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com
Reported-by: syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com
Signed-off-by: Aby Sam Ross <abysamross@gmail.com>
---
net/bluetooth/hci_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 31308c1de4ec..3e7b4c8576b2 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2747,6 +2747,9 @@ void hci_release_dev(struct hci_dev *hdev)
kfree_const(hdev->hw_info);
kfree_const(hdev->fw_info);
+ if (hdev->dump.supported) {
+ disable_delayed_work_sync(&hdev->dump.dump_timeout);
+ }
destroy_workqueue(hdev->workqueue);
destroy_workqueue(hdev->req_workqueue);
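Review bot: the `if (hdev->dump.supported)` guard in front of `disable_delayed_work_sync(&hdev->dump.dump_timeout)` is only safe if the timeout work can never be pending while `supported` is false, and neither the hunk nor the commit message says why that holds. If `dump_timeout` is initialised for every hdev, call `disable_delayed_work_sync()` unconditionally so a flag that changes at runtime cannot leave the timer armed when hdev is freed; if it is only initialised when devcoredump is registered, say so in a short comment above the check. The commit message should also state why the work is disabled here, in the release path, rather than at the point where the device stops accepting devcoredump packets, since the work is queued on `hdev->workqueue` and the only ordering the hunk guarantees is "before `destroy_workqueue(hdev->workqueue)`". Style: kernel coding style omits the braces around a single-statement `if` body.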
--
2.53.0
Thread overview: 7+ messages
2024-07-24 13:25 [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2) syzbot
2024-10-14 23:11 ` syzbot
2024-12-21 14:19 ` syzbot
2026-03-16 16:07 ` Forwarded: " syzbot
2026-03-17 15:12 ` Forwarded: " syzbot
2026-03-21 10:49 ` Forwarded: test syzbot+b170dbf55520ebf5969a syzbot
2026-03-21 11:28 ` syzbot [this message]