Hi Edward, On Sun, Jun 23, 2024 at 8:02 AM Edward Adam Davis <eadavis@xxxxxx> wrote: > > On Sun, 23 Jun 2024 13:30:50 +0300, Pauli Virtanen wrote: > > > cpu1 cpu2 > > > ==== ==== > > > sock_ioctl > > > sock_do_ioctl > > > hci_sock_ioctl > > > hci_rx_work hci_dev_cmd > > > hci_event_packet hci_req_sync > > > req_complete_skb __hci_req_sync > > > hci_req_sync_complete > > > > > > If hci_rx_work executes before __hci_req_sync releases req_skb, everything > > > is normal, otherwise it will result in double free of req_skb. > > > > > > Adding NULL check of req_skb before releasing it can avoid double free. > > > > Do you understand why? > > > > kfree_skb(NULL) is allowed, so this is logically a no-op. > > > > Probably it perturbs the timings so syzkaller repro no longer hits the > > race window, ie doesn't fix the issue. > Good, even if you already know race, let me ask you a question: how to reduce race window? We actually need to stop using hci_req_sync since that has been deprecated, instead it shall use hci_cmd_sync_submit, we could for the time being just make hci_req_sync use hci_cmd_sync_submit to avoid such races. > `` > Edward > -- Luiz Augusto von Dentz
