On 2021/07/18 14:16, Luiz Augusto von Dentz wrote:
> Anyway after all these discussions I'm even
> more convinced that the real problem lies in hci_dev_get/hold, after
> all references are usually used to prevent the objects from being freed but
> in this case it doesn't and no locking is going to fix that.

If hci_dev_hold() calls atomic_long_add_unless(&file->f_count, 1, 0) under RCU, vhci_release(file) would not be called until all sockets using that hdev drop the reference, and hci_sock_dev_event(hdev, HCI_DEV_UNREG) no longer needs to traverse the sockets on the hci_sk_list.head list. This requires adding "struct file *" to "struct hci_dev". My patch keeps the changes confined to hci_sock_dev_event().
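The following is an added userspace model of the reference-counting idea discussed above (hci_dev_hold() taking a reference on the file's f_count via atomic_long_add_unless(&file->f_count, 1, 0), so that release is deferred until every socket drops its hold). It is not kernel code and not the patch under discussion: struct file, struct hci_dev, fput() and vhci_release() are simplified stand-ins, add_unless() reimplements the kernel's add-unless semantics with a C11 CAS loop, and the RCU read-side protection the proposal relies on is only described in a comment, not modelled.

```c
/* Constructed userspace model of "take a file reference unless the
 * count is already zero". Not kernel code: every struct and helper here
 * is a simplified stand-in for the kernel object of the same name. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct file {
    atomic_long f_count;   /* stand-in for the kernel's file->f_count */
    int released;          /* set once vhci_release() has run */
};

struct hci_dev {
    struct file *file;     /* the "struct file *" the proposal would add */
};

/* Model of atomic_long_add_unless(v, a, u): add a to *v unless *v == u.
 * Returns true if the add happened. A plain increment would instead
 * turn a dead (zero) count into 1 and hand out a stale reference. */
static bool add_unless(atomic_long *v, long a, long u)
{
    long old = atomic_load(v);
    do {
        if (old == u)
            return false;
    } while (!atomic_compare_exchange_weak(v, &old, old + a));
    return true;
}

/* Stand-in for vhci_release(): must run exactly once, when the last
 * reference to the file is dropped. */
static void vhci_release(struct file *f)
{
    f->released = 1;
}

/* Stand-in for fput(): drop a reference, release on the final one. */
static void fput(struct file *f)
{
    if (atomic_fetch_sub(&f->f_count, 1) == 1)
        vhci_release(f);
}

/* Proposed hci_dev_hold(): take a file reference only while the file is
 * still alive. In the kernel this would run under RCU so that the
 * struct file cannot be freed between the load and the CAS; that RCU
 * read-side section is assumed, not modelled, in this userspace code. */
static bool hci_dev_hold(struct hci_dev *hdev)
{
    return add_unless(&hdev->file->f_count, 1, 0);
}

static void hci_dev_put(struct hci_dev *hdev)
{
    fput(hdev->file);
}

/* Scenario: one open fd (f_count == 1), two sockets hold the hdev, the
 * fd is closed, then the sockets drop their holds one by one. Returns 0
 * if release ran only after the last hold was dropped, -1 otherwise. */
static int scenario_release_is_deferred(void)
{
    struct file f = { .released = 0 };
    atomic_init(&f.f_count, 1);            /* the open() reference */
    struct hci_dev hdev = { .file = &f };

    if (!hci_dev_hold(&hdev) || !hci_dev_hold(&hdev))
        return -1;                         /* f_count is now 3 */

    fput(&f);                              /* close(fd): 3 -> 2 */
    if (f.released)                        /* sockets still hold it */
        return -1;

    hci_dev_put(&hdev);                    /* 2 -> 1 */
    if (f.released)
        return -1;

    hci_dev_put(&hdev);                    /* 1 -> 0: release runs now */
    return f.released ? 0 : -1;
}

/* Scenario: a hold attempted after the file has already been released
 * must be refused instead of resurrecting the zero count. Returns true
 * if the hold was refused and the count stayed at zero. */
static bool scenario_hold_after_release_fails(void)
{
    struct file f = { .released = 0 };
    atomic_init(&f.f_count, 1);
    struct hci_dev hdev = { .file = &f };

    fput(&f);                              /* 1 -> 0, release runs */
    bool held = hci_dev_hold(&hdev);
    return f.released && !held && atomic_load(&f.f_count) == 0;
}

int main(void)
{
    printf("release deferred until last hold dropped: %s\n",
           scenario_release_is_deferred() == 0 ? "yes" : "no");
    printf("hold after release refused: %s\n",
           scenario_hold_after_release_fails() ? "yes" : "no");
    return 0;
}
```

The point of the model is the second scenario: once f_count has reached zero the object is on its way to being freed, and the only safe answer to a late hold is failure. That is why the hold must be the add-unless-zero form (and, in the kernel, must run under RCU so the memory holding f_count is still valid during the check), rather than an unconditional increment.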