On Mon, Apr 01, 2019 at 10:01:42AM -0700, Zubin Mithra wrote:
> From: Myungho Jung <mhjungk@xxxxxxxxx>
>
> commit e20a2e9c42c9e4002d9e338d74e7819e88d77162 upstream
>
> When releasing socket, it is possible to enter hci_sock_release() and
> hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
> The reference count of hdev should be decremented only once from one of
> them but if storing hdev to local variable in hci_sock_release() before
> detached from socket and setting to NULL in hci_sock_dev_event(),
> hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
> referencing hdev from socket after bt_sock_unlink() in
> hci_sock_release().
>
> Reported-by: syzbot+fdc00003f4efff43bc5b@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
> Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>

Now applied, thanks.

greg k-h
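
The double put described in the quoted commit message, replayed as a single-threaded user-space model of the two orderings (an added example, not the kernel source and not part of the original mail). The model_ names, the plain integer counter and the starting reference count of 2 are assumptions made for illustration; the kernel uses its own types and locking.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model: plain ints stand in for the kernel's refcount and list. */
struct model_hdev { int refcnt; };
struct model_sock { struct model_hdev *hdev; int linked; };

static void model_put(struct model_hdev *d) { d->refcnt--; }

/* Stands in for hci_sock_dev_event(HCI_DEV_UNREG): detach a listed socket
 * from the device and drop the reference the socket held. */
static void model_dev_unreg(struct model_sock *sk, struct model_hdev *d)
{
    if (sk->linked && sk->hdev == d) {
        sk->hdev = NULL;
        model_put(d);
    }
}

/* Stands in for hci_sock_release(). fixed=0 caches hdev before the unlink,
 * fixed=1 reads it after. event_before_unlink picks where the unregister
 * event lands. Returns the final count; 1 is correct (the socket's single
 * reference dropped once), 0 means it was dropped twice. */
static int run_release(int fixed, int event_before_unlink)
{
    struct model_hdev dev = { .refcnt = 2 };  /* constructed: socket ref + one other holder */
    struct model_sock sk = { .hdev = &dev, .linked = 1 };
    struct model_hdev *hdev = NULL;

    if (!fixed)
        hdev = sk.hdev;              /* stale copy survives the event below */
    if (event_before_unlink)
        model_dev_unreg(&sk, &dev);
    sk.linked = 0;                   /* stands in for bt_sock_unlink() */
    if (!event_before_unlink)
        model_dev_unreg(&sk, &dev);  /* socket no longer listed: no-op */
    if (fixed)
        hdev = sk.hdev;              /* NULL if the event already detached it */
    if (hdev)
        model_put(hdev);
    return dev.refcnt;
}

int main(void)
{
    printf("pre-fix,  event before unlink: %d\n", run_release(0, 1));
    printf("post-fix, event before unlink: %d\n", run_release(1, 1));
    printf("pre-fix,  event after unlink:  %d\n", run_release(0, 0));
    printf("post-fix, event after unlink:  %d\n", run_release(1, 0));
    return 0;
}
```

Only the pre-fix ordering with the event landing between the cached read and the unlink drops the count to 0; every other combination leaves the other holder's reference intact.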