On Sun, 23 Jun 2024 13:30:50 +0300, Pauli Virtanen wrote: > > cpu1 cpu2 > > ==== ==== > > sock_ioctl > > sock_do_ioctl > > hci_sock_ioctl > > hci_rx_work hci_dev_cmd > > hci_event_packet hci_req_sync > > req_complete_skb __hci_req_sync > > hci_req_sync_complete > > > > If hci_rx_work executes before __hci_req_sync releases req_skb, everything > > is normal, otherwise it will result in double free of req_skb. > > > > Adding NULL check of req_skb before releasing it can avoid double free. > > Do you understand why? > > kfree_skb(NULL) is allowed, so this is logically a no-op. > > Probably it perturbs the timings so syzkaller repro no longer hits the > race window, ie doesn't fix the issue. Good, even if you already know race, let me ask you a question: how to reduce race window? `` Edward
