When L2CAP channel is destroyed by hci_unregister_dev, it will acquire the spin lock of the (struct l2cap_chan *)->tx_q list to delete all the buffers. But sometimes when hci_unregister_dev is being called, this lock may have not been initialized. Initialize the TX queue lock when creating struct l2cap_chan in 6LOWPAN to fix this problem. Reported-by: syzbot+fadfba6a911f6bf71842@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842 Signed-off-by: Coiby Xu <coiby.xu@xxxxxxxxx> --- net/bluetooth/6lowpan.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index bb55d92691b0..713c618a73df 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -651,6 +651,7 @@ static struct l2cap_chan *chan_create(void) l2cap_chan_set_defaults(chan); + skb_queue_head_init(&chan->tx_q); chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; chan->mode = L2CAP_MODE_LE_FLOWCTL; chan->imtu = 1280; -- 2.27.0
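Review bot: the `skb_queue_head_init(&chan->tx_q)` added after `l2cap_chan_set_defaults(chan)` in the 6LoWPAN `chan_create()` only repairs this one caller; since the channel is allocated by the shared L2CAP constructor before `chan_create()` sets its defaults, please check whether the other channel creators initialize `tx_q` themselves and, if they do, whether that initialization belongs in the common constructor so every caller gets a usable lock before the channel can reach the teardown path in `hci_unregister_dev`. The commit message would also help reviewers if it named which teardown function takes the `tx_q` lock and why only the 6LoWPAN path arrives there with it uninitialized.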