Linux bluetooth development
* [PATCH] Bluetooth: hci_core: Don't queue tx_work while draining workqueue
@ 2026-05-13 18:55 Heitor Alves de Siqueira
  2026-05-13 20:45 ` bluez.test.bot
  2026-05-14  2:04 ` [PATCH] " Hillf Danton
  0 siblings, 2 replies; 4+ messages in thread
From: Heitor Alves de Siqueira @ 2026-05-13 18:55 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz, Gustavo Padovan
  Cc: linux-bluetooth, linux-kernel, kernel-dev,
	syzbot+97721dd81f792e838ba0

Syzbot reported a warning when L2CAP calls queue_work() on the hdev
workqueue while it's being drained. This can happen during device reset or
close paths for hci_send_acl(), hci_send_sco() and hci_send_iso().

The workqueue is drained in hci_dev_do_reset() and in hci_dev_close_sync():
  - hci_dev_close_sync() clears the HCI_UP bit before draining
  - hci_dev_do_reset() sets HCI_CMD_DRAIN_WORKQUEUE before draining

Add these checks before queuing tx_work, and free the SKB if it's not
queued for transmission.

Fixes: 3eff45eaf817 ("Bluetooth: convert tx_task to workqueue")
Reported-by: syzbot+97721dd81f792e838ba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=97721dd81f792e838ba0
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
 net/bluetooth/hci_core.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index c46c1236ebfa..5d5f8ad7d1a8 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3278,6 +3278,12 @@ void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
 
 	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
 
+	if (!test_bit(HCI_UP, &hdev->flags) ||
+	    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	hci_queue_acl(chan, &chan->data_q, skb, flags);
 
 	queue_work(hdev->workqueue, &hdev->tx_work);
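Review bot: the flag test on `if (!test_bit(HCI_UP, &hdev->flags) ||` and the `queue_work(hdev->workqueue, &hdev->tx_work);` call are two separate steps with nothing ordering them against the reset path, so a sender that passes the check and is then preempted can still call queue_work() after hci_dev_do_reset() has set HCI_CMD_DRAIN_WORKQUEUE and entered drain_workqueue(), which reproduces the very warning the patch is meant to silence. The check and the queue_work() need to sit inside one rcu_read_lock()/rcu_read_unlock() section, as hci_cmd_work() does around its HCI_CMD_DRAIN_WORKQUEUE test before queue_delayed_work(): hci_dev_do_reset() sets the flag and then waits an RCU grace period before draining, and that wait only covers senders that hold the read lock across test-and-queue. Whether the HCI_UP half of the condition gets the same guarantee depends on hci_dev_close_sync() also waiting out a grace period between clearing the bit and draining; worth confirming when respinning.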
@@ -3291,6 +3297,12 @@ void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
 
 	BT_DBG("%s len %d", hdev->name, skb->len);
 
+	if (!test_bit(HCI_UP, &hdev->flags) ||
+	    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	hdr.handle = cpu_to_le16(conn->handle);
 	hdr.dlen   = skb->len;
 
@@ -3374,6 +3386,12 @@ void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb)
 
 	BT_DBG("%s len %d", hdev->name, skb->len);
 
+	if (!test_bit(HCI_UP, &hdev->flags) ||
+	    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	hci_queue_iso(conn, &conn->data_q, skb);
 
 	queue_work(hdev->workqueue, &hdev->tx_work);
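Review bot: none of the three early returns says why it exists; a short comment above `if (!test_bit(HCI_UP, &hdev->flags) ||` naming the drain_workqueue() calls in hci_dev_do_reset() and hci_dev_close_sync() (as the commit message does) would stop a later reader from folding the check away, and it is the natural place to record that the flag has to be observed in the same RCU section as the queue_work() call. Minor: hci_send_iso() returns void, as do hci_send_acl() and hci_send_sco() in the hunks above, so callers cannot tell that the SKB was freed rather than sent; that matches the existing contract of these functions and is acceptable on a reset/close path, but it deserves a sentence in the commit message.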

---
base-commit: 1f63dd8ca0dc05a8272bb8155f643c691d29bb11
change-id: 20260513-hci_send-640290de7acc

Best regards,
--  
Heitor Alves de Siqueira <halves@igalia.com>



* RE: Bluetooth: hci_core: Don't queue tx_work while draining workqueue
  2026-05-13 18:55 [PATCH] Bluetooth: hci_core: Don't queue tx_work while draining workqueue Heitor Alves de Siqueira
@ 2026-05-13 20:45 ` bluez.test.bot
  2026-05-14  2:04 ` [PATCH] " Hillf Danton
  1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-13 20:45 UTC (permalink / raw)
  To: linux-bluetooth, halves


This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1094429

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
GitLint                       FAIL      0.34 seconds
SubjectPrefix                 PASS      0.22 seconds
BuildKernel                   PASS      25.24 seconds
CheckAllWarning               PASS      27.80 seconds
CheckSparse                   PASS      26.72 seconds
BuildKernel32                 PASS      24.56 seconds
TestRunnerSetup               PASS      528.86 seconds
TestRunner_l2cap-tester       PASS      374.94 seconds
TestRunner_iso-tester         PASS      604.66 seconds
TestRunner_bnep-tester        PASS      19.00 seconds
TestRunner_mgmt-tester        PASS      2024.13 seconds
TestRunner_rfcomm-tester      PASS      63.77 seconds
TestRunner_sco-tester         PASS      141.62 seconds
TestRunner_ioctl-tester       PASS      134.21 seconds
TestRunner_mesh-tester        PASS      59.93 seconds
TestRunner_smp-tester         PASS      18.06 seconds
TestRunner_userchan-tester    PASS      19.33 seconds
TestRunner_6lowpan-tester     PASS      51.00 seconds
IncrementalBuild              PASS      24.65 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
Bluetooth: hci_core: Don't queue tx_work while draining workqueue

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
27: B2 Line has trailing whitespace: "--  "


https://github.com/bluez/bluetooth-next/pull/185

---
Regards,
Linux Bluetooth



* Re: [PATCH] Bluetooth: hci_core: Don't queue tx_work while draining workqueue
  2026-05-13 18:55 [PATCH] Bluetooth: hci_core: Don't queue tx_work while draining workqueue Heitor Alves de Siqueira
  2026-05-13 20:45 ` bluez.test.bot
@ 2026-05-14  2:04 ` Hillf Danton
  2026-05-14 14:53   ` Heitor Alves de Siqueira
  1 sibling, 1 reply; 4+ messages in thread
From: Hillf Danton @ 2026-05-14  2:04 UTC (permalink / raw)
  To: Heitor Alves de Siqueira
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, Gustavo Padovan,
	linux-bluetooth, linux-kernel, kernel-dev, syzkaller-bugs,
	syzbot+97721dd81f792e838ba0

On Wed, 13 May 2026 15:55:23 -0300 Heitor Alves de Siqueira wrote:
> Syzbot reported a warning when L2CAP calls queue_work() on the hdev
> workqueue while it's being drained. This can happen during device reset or
> close paths for hci_send_acl(), hci_send_sco() and hci_send_iso().
> 
> The workqueue is drained in hci_dev_do_reset() and in hci_dev_close_sync():
>   - hci_dev_close_sync() clears the HCI_UP bit before draining
>   - hci_dev_do_reset() sets HCI_CMD_DRAIN_WORKQUEUE before draining
> 
> Add these checks before queuing tx_work, and free the SKB if it's not
> queued for transmission.
> 
> Fixes: 3eff45eaf817 ("Bluetooth: convert tx_task to workqueue")
> Reported-by: syzbot+97721dd81f792e838ba0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=97721dd81f792e838ba0
> Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
> ---
>  net/bluetooth/hci_core.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
> 
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index c46c1236ebfa..5d5f8ad7d1a8 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -3278,6 +3278,12 @@ void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
>  
>  	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
>  
> +	if (!test_bit(HCI_UP, &hdev->flags) ||
> +	    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
> +		kfree_skb(skb);
> +		return;
> +	}
> +
>  	hci_queue_acl(chan, &chan->data_q, skb, flags);
>  
>  	queue_work(hdev->workqueue, &hdev->tx_work);
>
What you add is not enough, go and see how HCI_CMD_DRAIN_WORKQUEUE is
checked in hci_cmd_work(), and in hci_dev_do_reset() for why.


* Re: [PATCH] Bluetooth: hci_core: Don't queue tx_work while draining workqueue
  2026-05-14  2:04 ` [PATCH] " Hillf Danton
@ 2026-05-14 14:53   ` Heitor Alves de Siqueira
  0 siblings, 0 replies; 4+ messages in thread
From: Heitor Alves de Siqueira @ 2026-05-14 14:53 UTC (permalink / raw)
  To: Hillf Danton
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, Gustavo Padovan,
	linux-bluetooth, linux-kernel, kernel-dev, syzkaller-bugs,
	syzbot+97721dd81f792e838ba0

On Wed May 13, 2026 at 11:04 PM -03, Hillf Danton wrote:
> On Wed, 13 May 2026 15:55:23 -0300 Heitor Alves de Siqueira wrote:
>> Syzbot reported a warning when L2CAP calls queue_work() on the hdev
>> workqueue while it's being drained. This can happen during device reset or
>> close paths for hci_send_acl(), hci_send_sco() and hci_send_iso().
>> 
>> The workqueue is drained in hci_dev_do_reset() and in hci_dev_close_sync():
>>   - hci_dev_close_sync() clears the HCI_UP bit before draining
>>   - hci_dev_do_reset() sets HCI_CMD_DRAIN_WORKQUEUE before draining
>> 
>> Add these checks before queuing tx_work, and free the SKB if it's not
>> queued for transmission.
>> 
>> Fixes: 3eff45eaf817 ("Bluetooth: convert tx_task to workqueue")
>> Reported-by: syzbot+97721dd81f792e838ba0@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=97721dd81f792e838ba0
>> Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
>> ---
>>  net/bluetooth/hci_core.c | 18 ++++++++++++++++++
>>  1 file changed, 18 insertions(+)
>> 
>> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
>> index c46c1236ebfa..5d5f8ad7d1a8 100644
>> --- a/net/bluetooth/hci_core.c
>> +++ b/net/bluetooth/hci_core.c
>> @@ -3278,6 +3278,12 @@ void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
>>  
>>  	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
>>  
>> +	if (!test_bit(HCI_UP, &hdev->flags) ||
>> +	    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
>> +		kfree_skb(skb);
>> +		return;
>> +	}
>> +
>>  	hci_queue_acl(chan, &chan->data_q, skb, flags);
>>  
>>  	queue_work(hdev->workqueue, &hdev->tx_work);
>>
> What you add is not enough, go and see how HCI_CMD_DRAIN_WORKQUEUE is
> checked in hci_cmd_work(), and in hci_dev_do_reset() for why.

I see, I missed the RCU guards for the device flags. Sorry about that,
I'll add them to v2.
Thanks for the catch!

Best,
Heitor


Thread overview:
2026-05-13 18:55 [PATCH] Bluetooth: hci_core: Don't queue tx_work while draining workqueue Heitor Alves de Siqueira
2026-05-13 20:45 ` bluez.test.bot
2026-05-14  2:04 ` [PATCH] " Hillf Danton
2026-05-14 14:53   ` Heitor Alves de Siqueira
