Hi, I guess problem here is that, if hci_uart_tty_close() will be called between
setting HCI_UART_PROTO_READY and skb_queue_head_init(), in that case mrvl_close()
will access uninitialized data.
hci_uart_set_proto() {
...
set_bit(HCI_UART_PROTO_READY, &hu->flags);
err = hci_uart_register_dev(hu);
mrvl_open()
skb_queue_head_init();
if (err) {
return err;
}
...
}
Thanks
On 10.02.2025 14:26, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit c411c62cc13319533b1861e00cedc4883c3bc1bb
> Author: Arseniy Krasnov <avkrasnov@xxxxxxxxxxxxxxxxx>
> Date: Thu Jan 30 18:43:26 2025 +0000
>
> Bluetooth: hci_uart: fix race during initialization
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=116cebdf980000
> start commit: 40b8e93e17bf Add linux-next specific files for 20250204
> git tree: linux-next
> final oops: https://syzkaller.appspot.com/x/report.txt?x=136cebdf980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=156cebdf980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ec880188a87c6aad
> dashboard link: https://syzkaller.appspot.com/bug?extid=683f8cb11b94b1824c77
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b7eeb0580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f74f64580000
>
> Reported-by: syzbot+683f8cb11b94b1824c77@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: c411c62cc133 ("Bluetooth: hci_uart: fix race during initialization")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
