Date: Thu, 14 May 2026 03:08:00 -0700
In-Reply-To: <20260514100742.830572-1-wuyankun@uniontech.com>
Message-ID: <6a059f00.170a0220.290639.01c6.GAE@google.com>
Subject: Re: [PATCH] Bluetooth: hci_uart: serialize close flush with write_work
From: syzbot
To: wuyankun@uniontech.com
Cc: syzkaller-bugs@googlegroups.com, wuyankun@uniontech.com, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

> Please test this patch.
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

This crash does not have a reproducer. I cannot test it.

>
> From 48d953a6ee4c2e4e1e58cdf7da3d3647316e4802 Mon Sep 17 00:00:00 2001
> From: wuyankun > Date: Sat, 9 May 2026 15:41:19 +0800 > Subject: [PATCH] Bluetooth: hci_uart: serialize close flush with write_work > > hci_uart_close() calls hci_uart_flush(), and flush may free hu->tx_skb. > At the same time, hci_uart_write_work() can still be running and access > the same skb (for example through skb_pull()), which leads to a > use-after-free. > > Fix this by canceling write_work before calling hci_uart_flush(), so the > tx_skb lifetime is fully serialized against the TX worker. > > Reported-by: syzbot+da2717d5c64bf7975268@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?extid=da2717d5c64bf7975268 > Cc: stable@vger.kernel.org > Signed-off-by: wuyankun > --- > drivers/bluetooth/hci_ldisc.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c > index 275ea865bc29..51cc9af0f7e8 100644 > --- a/drivers/bluetooth/hci_ldisc.c > +++ b/drivers/bluetooth/hci_ldisc.c > @@ -263,8 +263,11 @@ static int hci_uart_open(struct hci_dev *hdev) > /* Close device */ > static int hci_uart_close(struct hci_dev *hdev) > { > + struct hci_uart *hu = hci_get_drvdata(hdev); > BT_DBG("hdev %p", hdev); > > + /* Ensure write_work is not touching tx_skb while flush frees it. */ > + cancel_work_sync(&hu->write_work); > hci_uart_flush(hdev); > hdev->flush = NULL; > return 0; > -- > 2.20.1 >
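Review bot: cancel_work_sync() in the hci_uart_close() hunk only drains a write_work instance that is already queued or running; nothing in the hunk prevents write_work from being queued again between the cancel and the following hci_uart_flush() call, so the commit message's claim that the tx_skb lifetime is "fully serialized" holds only if the caller already guarantees that no further TX wakeups reach the line discipline once hdev->close() runs. Please state that guarantee explicitly in the commit message, or gate the wakeup path as well. Two further points: the `hdev->flush = NULL;` line in the same function shows that hci_uart_flush() is also reachable as the hdev->flush callback, where it can free tx_skb without passing through this cancel, so the change covers only the close path; and a patch carrying `Cc: stable@vger.kernel.org` should also carry a `Fixes:` tag naming the commit it repairs so the stable maintainers can place it.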