Hi, We need to revise this patch after a local test failure. I will update after finding the cause. Thanks, Zhengping On Tue, Feb 21, 2023 at 4:09 PM Zhengping Jiang <jiangzp@xxxxxxxxxx> wrote: > > Clear cmd_sync_work queue before clearing the mgmt cmd list to avoid > racing conditions which cause use-after-free. > > When powering off the adapter, the mgmt cmd list will be cleared. If a > work is queued in the cmd_sync_work queue at the same time, it will > cause the risk of use-after-free, as the cmd pointer is not checked > before use. > > Signed-off-by: Zhengping Jiang <jiangzp@xxxxxxxxxx> > --- > > Changes in v1: > - Clear cmd_sync_work queue before clearing the mgmt cmd list > > net/bluetooth/hci_sync.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c > index 117eedb6f709..6609434e3125 100644 > --- a/net/bluetooth/hci_sync.c > +++ b/net/bluetooth/hci_sync.c > @@ -4840,6 +4840,8 @@ int hci_dev_close_sync(struct hci_dev *hdev) > > auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF); > > + hci_cmd_sync_clear(hdev); > + > if (!auto_off && hdev->dev_type == HCI_PRIMARY && > !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && > hci_dev_test_flag(hdev, HCI_MGMT)) > -- > 2.39.2.637.g21b0678d19-goog >
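Review bot: The new hci_cmd_sync_clear(hdev) call is unconditional and sits before the `!auto_off && ... HCI_MGMT` check, so it runs on every close path, including ones where hci_dev_close_sync() is itself executing as a queued cmd_sync work item (the powered-off path goes through this function); if hci_cmd_sync_clear() cancels the cmd_sync work synchronously, cancelling from inside that very work would block on itself, which is a plausible source of the local test failure mentioned in the reply. Consider either guarding the call with the same auto_off/HCI_MGMT condition that protects the mgmt cmd list clearing it is meant to precede, or fixing the race at the consumer: have the queued work check the mgmt cmd pointer before dereferencing it rather than relying only on ordering, since a work item can still be queued after the clear and before the mgmt list is freed. The commit message also needs a `Fixes:` tag for the commit that introduced the mgmt cmd use in the cmd_sync work, and "Changes in v1" should be dropped (a v1 has no prior version to change from).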