* [PATCH] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock
@ 2026-06-17 15:36 Runyu Xiao
2026-06-17 18:04 ` bluez.test.bot
2026-06-22 17:00 ` [PATCH] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Runyu Xiao @ 2026-06-17 15:36 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: Jukka Taimisto, linux-bluetooth, linux-kernel, jianhao.xu,
runyu.xiao, stable
l2cap_conn_del() takes conn->lock and then calls cancel_work_sync() for
pending_rx_work. process_pending_rx() takes the same mutex, so teardown
can deadlock against the worker it is flushing.
This issue was found by our static analysis tool and then manually
reviewed against the current tree.
The grounded PoC kept the l2cap_conn_ready() -> queue_work(...,
&conn->pending_rx_work) submit path, the l2cap_conn_del() ->
cancel_work_sync(&conn->pending_rx_work) teardown path, and the
process_pending_rx() -> mutex_lock(&conn->lock) worker edge. Lockdep
reported:
WARNING: possible circular locking dependency detected
process_pending_rx+0x21/0x2a [vuln_msv]
l2cap_conn_del.constprop.0+0x3f/0x4e [vuln_msv]
*** DEADLOCK ***
Cancel pending_rx_work before taking conn->lock, matching the existing
lock-before-drain ordering used for the two delayed works in the same
teardown path. The pending_rx queue is still purged after the work has
been cancelled and conn->lock has been acquired.
Fixes: 7ab56c3a6ecc ("Bluetooth: Fix deadlock in l2cap_conn_del()")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
---
net/bluetooth/l2cap_core.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 29e23f20dc43..0dad72716cca 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1774,19 +1774,13 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
disable_delayed_work_sync(&conn->info_timer);
disable_delayed_work_sync(&conn->id_addr_timer);
+ cancel_work_sync(&conn->pending_rx_work);
+
mutex_lock(&conn->lock);
kfree_skb(conn->rx_skb);
skb_queue_purge(&conn->pending_rx);
-
- /* We can not call flush_work(&conn->pending_rx_work) here since we
- * might block if we are running on a worker from the same workqueue
- * pending_rx_work is waiting on.
- */
- if (work_pending(&conn->pending_rx_work))
- cancel_work_sync(&conn->pending_rx_work);
-
ida_destroy(&conn->tx_ida);
l2cap_unregister_all_users(conn);
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock
2026-06-17 15:36 [PATCH] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock Runyu Xiao
@ 2026-06-17 18:04 ` bluez.test.bot
2026-06-22 17:00 ` [PATCH] " patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-06-17 18:04 UTC (permalink / raw)
To: linux-bluetooth, runyu.xiao
[-- Attachment #1: Type: text/plain, Size: 1355 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1113030
---Test result---
Test Summary:
CheckPatch PASS 0.66 seconds
VerifyFixes PASS 0.46 seconds
VerifySignedoff PASS 0.16 seconds
GitLint PASS 0.28 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 26.65 seconds
CheckAllWarning PASS 29.50 seconds
CheckSparse PASS 27.53 seconds
BuildKernel32 PASS 25.54 seconds
CheckKernelLLVM SKIP 0.00 seconds
TestRunnerSetup PASS 588.69 seconds
TestRunner_l2cap-tester PENDING 57.76 seconds
IncrementalBuild PASS 24.84 seconds
Details
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
##############################
Test: TestRunner_l2cap-tester - PENDING
Desc: Run l2cap-tester with test-runner
Output:
https://github.com/bluez/bluetooth-next/pull/327
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock
2026-06-17 15:36 [PATCH] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock Runyu Xiao
2026-06-17 18:04 ` bluez.test.bot
@ 2026-06-22 17:00 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-06-22 17:00 UTC (permalink / raw)
To: Runyu Xiao
Cc: marcel, johan.hedberg, luiz.dentz, jtt, linux-bluetooth,
linux-kernel, jianhao.xu, stable
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 17 Jun 2026 23:36:13 +0800 you wrote:
> l2cap_conn_del() takes conn->lock and then calls cancel_work_sync() for
> pending_rx_work. process_pending_rx() takes the same mutex, so teardown
> can deadlock against the worker it is flushing.
>
> This issue was found by our static analysis tool and then manually
> reviewed against the current tree.
>
> [...]
Here is the summary with links:
- Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock
https://git.kernel.org/bluetooth/bluetooth-next/c/cfa697b22dad
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-22 17:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-17 15:36 [PATCH] Bluetooth: L2CAP: cancel pending_rx_work before taking conn->lock Runyu Xiao
2026-06-17 18:04 ` bluez.test.bot
2026-06-22 17:00 ` [PATCH] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox