
[(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()

Message ID 244af2fe-5340-9e63-a354-d5ab7d155dc4@I-love.SAKURA.ne.jp (mailing list archive)
State Accepted
Commit 0659969095f639402613c3b470cef30d51b38420
Series [(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/checkpatch success Checkpatch PASS
tedd_an/gitlint fail [(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed() 1: T1 Title exceeds max length (85>80): "[(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()"
tedd_an/subjectprefix success PASS
tedd_an/buildkernel success Build Kernel PASS
tedd_an/buildkernel32 success Build Kernel32 PASS
tedd_an/incremental_build success Pass
tedd_an/testrunnersetup success Test Runner Setup PASS
tedd_an/testrunnerl2cap-tester success Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnerbnep-tester success Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnermgmt-tester success Total: 494, Passed: 494 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnerrfcomm-tester success Total: 10, Passed: 10 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnersco-tester success Total: 12, Passed: 12 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnersmp-tester success Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunneruserchan-tester success Total: 4, Passed: 4 (100.0%), Failed: 0, Not Run: 0

Commit Message

Tetsuo Handa Aug. 5, 2022, 7:12 a.m. UTC
syzbot is reporting attempt to cancel uninitialized work at
mgmt_index_removed() [1], for calling cancel_delayed_work_sync() without
INIT_DELAYED_WORK() is not permitted.

INIT_DELAYED_WORK() is called from mgmt_init_hdev() via chan->hdev_init()
from hci_mgmt_cmd(), but cancel_delayed_work_sync() is unconditionally
called from mgmt_index_removed().

Call cancel_delayed_work_sync() only if HCI_MGMT flag was set, for
mgmt_init_hdev() sets HCI_MGMT flag when calling INIT_DELAYED_WORK().

Link: https://syzkaller.appspot.com/bug?extid=b8ddd338a8838e581b1c [1]
Reported-by: syzbot <syzbot+b8ddd338a8838e581b1c@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 0ef08313cefdd60d ("Bluetooth: Convert delayed discov_off to hci_sync")
---
I can't test this patch due to lack of reproducer. But please review and
send to linux.git as soon as possible, for currently syzbot can't test
changes for 6.0-rc1 due to this problem (please see "Instances:" table at
https://syzkaller.appspot.com/upstream ).

syzbot was unable to test linux-next.git since 20220628 due to a different bug.
As an unfortunate result, this bug (being there since 20220725) which would have
been already found and fixed in linux-next.git arrived at linux.git...

 net/bluetooth/mgmt.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

bluez.test.bot@gmail.com Aug. 5, 2022, 8:02 a.m. UTC | #1
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=665551

---Test result---

Test Summary:
CheckPatch                    PASS      1.63 seconds
GitLint                       FAIL      1.01 seconds
SubjectPrefix                 PASS      0.88 seconds
BuildKernel                   PASS      34.88 seconds
BuildKernel32                 PASS      30.75 seconds
Incremental Build with patches PASS      41.93 seconds
TestRunner: Setup             PASS      502.14 seconds
TestRunner: l2cap-tester      PASS      17.94 seconds
TestRunner: bnep-tester       PASS      6.99 seconds
TestRunner: mgmt-tester       PASS      105.50 seconds
TestRunner: rfcomm-tester     PASS      10.44 seconds
TestRunner: sco-tester        PASS      10.18 seconds
TestRunner: smp-tester        PASS      10.16 seconds
TestRunner: userchan-tester   PASS      7.21 seconds

Details
##############################
Test: GitLint - FAIL - 1.01 seconds
Run gitlint with rule in .gitlint
[(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()
1: T1 Title exceeds max length (85>80): "[(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()"




---
Regards,
Linux Bluetooth

patchwork-bot+bluetooth@kernel.org Aug. 5, 2022, 10:20 p.m. UTC | #2
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 5 Aug 2022 16:12:18 +0900 you wrote:
> syzbot is reporting attempt to cancel uninitialized work at
> mgmt_index_removed() [1], for calling cancel_delayed_work_sync() without
> INIT_DELAYED_WORK() is not permitted.
> 
> INIT_DELAYED_WORK() is called from mgmt_init_hdev() via chan->hdev_init()
> from hci_mgmt_cmd(), but cancel_delayed_work_sync() is unconditionally
> called from mgmt_index_removed().
> 
> [...]

Here is the summary with links:
  - [(urgent)] Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()
    https://git.kernel.org/bluetooth/bluetooth-next/c/0659969095f6

You are awesome, thank you!

Patch

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index f0bb2fc883d7..6e31023b84f5 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8935,6 +8935,8 @@  void mgmt_index_removed(struct hci_dev *hdev)
 			 HCI_MGMT_EXT_INDEX_EVENTS);
 
 	/* Cancel any remaining timed work */
+	if (!hci_dev_test_flag(hdev, HCI_MGMT))
+		return;
 	cancel_delayed_work_sync(&hdev->discov_off);
 	cancel_delayed_work_sync(&hdev->service_cache);
 	cancel_delayed_work_sync(&hdev->rpa_expired);
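
Review bot: the new early return in mgmt_index_removed() sits directly under the existing "/* Cancel any remaining timed work */" comment and carries no explanation of why HCI_MGMT gates the three cancel_delayed_work_sync() calls. Please add a one-line comment stating that these delayed works are only set up by INIT_DELAYED_WORK() in mgmt_init_hdev(), which, per the commit message, is also where HCI_MGMT gets set, so the guard is not dropped in a later cleanup. Consider wrapping the cancels in "if (hci_dev_test_flag(hdev, HCI_MGMT)) { ... }" instead of returning, so that any teardown later appended to the end of this function is not silently skipped for devices that never had mgmt initialized. Since the submitter notes there is no reproducer and the patch is untested, it is also worth confirming that every path reaching this point with HCI_MGMT set has already gone through mgmt_init_hdev().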