Hi Dmitry,

On Mon, 07. Oct 10:45, Dmitry Antipov wrote:
> Syzbot has observed the following race between 'hci_dev_close()' and
> 'hci_cmd_sync_work()':
>
> T0:                            T1:
>
> ...
> -> sock_ioctl()
> -> sock_do_ioctl()
> -> hci_dev_close()
> -> hci_dev_close_sync()
> -> __mgmt_power_off()          ...
> -> mgmt_pending_foreach()      -> process_scheduled_works()
> -> settings_rsp()              -> hci_cmd_sync_work()
> -> kfree()                     -> set_powered_sync()

I guess commit f53e1c9c726d ("Bluetooth: MGMT: Fix possible crash on
mgmt_index_removed") [1] is supposed to fix the observed race. Is there
something missing?

[1]: https://git.kernel.org/torvalds/c/f53e1c9c726d83092167f2226f32bd3b73f26c21

> Reported-by: syzbot+03d6270b6425df1605bf@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf

Btw, a `Fixes` tag is really desirable if you are fixing bugs in the kernel,
like KASAN splats and others.

> Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
> ---