From: Marcel Holtmann <marcel@holtmann.org>
To: Nguyen Dinh Phi <phind.uet@gmail.com>
Cc: Johan Hedberg <johan.hedberg@gmail.com>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
linux-bluetooth <linux-bluetooth@vger.kernel.org>,
"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
Subject: Re: [PATCH] Bluetooth: hci_sock: purge socket queues in the destruct() callback
Date: Tue, 12 Oct 2021 17:38:45 +0200
Message-ID: <8C82DF3C-98B1-4C41-B9D8-3415DD64138F@holtmann.org>
In-Reply-To: <20211007190424.196281-1-phind.uet@gmail.com>

Hi Nguyen,

> The receive path may take the socket right before hci_sock_release(),
> but it may enqueue the packets to the socket queues after the call to
> skb_queue_purge(), therefore the socket can be destroyed without clearing
> its queues completely.
>
> Moving these skb_queue_purge() to the hci_sock_destruct() will fix this
> issue, because nothing is referencing the socket at this point.
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
> ---
> net/bluetooth/hci_sock.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel
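
The interleaving described in the quoted commit message, replayed deterministically in a userspace C model. This is an added example, not code from the patch or the kernel: `model_sock`, `put` and `leaked_after_race` are hypothetical names, and a plain integer stands in for the socket reference count.

```c
#include <stdlib.h>
/* Userspace model of the race, not kernel code; all names are hypothetical. */
struct pkt { struct pkt *next; };
struct model_sock {
    int refcnt;             /* socket reference count */
    struct pkt *queue;      /* receive queue */
    int purge_in_destruct;  /* 0: purge in release, 1: purge in destructor */
};
static int live_pkts;       /* packets allocated and not yet freed */

static void enqueue(struct model_sock *sk)
{
    struct pkt *p = malloc(sizeof(*p));
    if (!p)
        abort();
    p->next = sk->queue;
    sk->queue = p;
    live_pkts++;
}

static void purge(struct model_sock *sk)
{
    for (struct pkt *p; (p = sk->queue) != NULL; live_pkts--) {
        sk->queue = p->next;
        free(p);
    }
}

/* Dropping the last reference runs the destructor. */
static void put(struct model_sock *sk)
{
    if (--sk->refcnt == 0 && sk->purge_in_destruct)
        purge(sk);
}

/* Replays the interleaving; returns how many packets were never freed. */
int leaked_after_race(int purge_in_destruct)
{
    struct model_sock sk = { .refcnt = 1, .purge_in_destruct = purge_in_destruct };
    live_pkts = 0;
    enqueue(&sk);           /* queued before close: freed either way */
    sk.refcnt++;            /* receive path takes the socket */
    if (!purge_in_destruct)
        purge(&sk);         /* release(): old purge placement */
    put(&sk);               /* release(): owner drops its reference */
    enqueue(&sk);           /* receive path enqueues after the purge */
    put(&sk);               /* last reference gone, destructor runs */
    return live_pkts;
}
```

With the purge in the release step the late packet is never freed; with the purge in the destructor, which runs only after the last reference is dropped, nothing is left behind.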