[syzbot] KMSAN: uninit-value in hci_conn_request_evt
14 views
Skip to first unread message
syzbot
Oct 29, 2021, 2:35:21 AM10/29/21
to da...@davemloft.net, gli...@google.com, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 82e66ad2e586 kmsan: core: better comment
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=157ae0e2b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3ea742e10a5398fb
dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
compiler: clang version 14.0.0 (g...@github.com:llvm/llvm-project.git 0996585c8e3b3d409494eb5f1cad714b9e1f7fb5), GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f84cf...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in hci_proto_connect_ind include/net/bluetooth/hci_core.h:1460 [inline]
BUG: KMSAN: uninit-value in hci_conn_request_evt+0x220/0x1290 net/bluetooth/hci_event.c:2783
hci_proto_connect_ind include/net/bluetooth/hci_core.h:1460 [inline]
hci_conn_request_evt+0x220/0x1290 net/bluetooth/hci_event.c:2783
hci_event_packet+0x1489/0x22e0 net/bluetooth/hci_event.c:6315
hci_rx_work+0x6ae/0xd10 net/bluetooth/hci_core.c:5136
process_one_work+0xdc7/0x1760 kernel/workqueue.c:2297
worker_thread+0x1101/0x22b0 kernel/workqueue.c:2444
kthread+0x66b/0x780 kernel/kthread.c:319
ret_from_fork+0x1f/0x30
Uninit was created at:
slab_alloc_node mm/slub.c:3221 [inline]
__kmalloc_node_track_caller+0x8d2/0x1340 mm/slub.c:4955
kmalloc_reserve net/core/skbuff.c:355 [inline]
__alloc_skb+0x4db/0xe40 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1116 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
vhci_write+0x182/0x8f0 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:2163 [inline]
new_sync_write fs/read_write.c:507 [inline]
vfs_write+0x1295/0x1f20 fs/read_write.c:594
ksys_write+0x28c/0x520 fs/read_write.c:647
__do_sys_write fs/read_write.c:659 [inline]
__se_sys_write fs/read_write.c:656 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:656
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
=====================================================
Kernel panic - not syncing: panic_on_kmsan set ...
CPU: 1 PID: 6390 Comm: kworker/u5:1 Tainted: G B 5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106
dump_stack+0x25/0x28 lib/dump_stack.c:113
panic+0x44f/0xdeb kernel/panic.c:232
kmsan_report+0x2ee/0x300 mm/kmsan/report.c:168
__msan_warning+0xb4/0x100 mm/kmsan/instrumentation.c:199
hci_proto_connect_ind include/net/bluetooth/hci_core.h:1460 [inline]
hci_conn_request_evt+0x220/0x1290 net/bluetooth/hci_event.c:2783
hci_event_packet+0x1489/0x22e0 net/bluetooth/hci_event.c:6315
hci_rx_work+0x6ae/0xd10 net/bluetooth/hci_core.c:5136
process_one_work+0xdc7/0x1760 kernel/workqueue.c:2297
worker_thread+0x1101/0x22b0 kernel/workqueue.c:2444
kthread+0x66b/0x780 kernel/kthread.c:319
ret_from_fork+0x1f/0x30
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 82e66ad2e586 kmsan: core: better comment
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=157ae0e2b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3ea742e10a5398fb
dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
compiler: clang version 14.0.0 (g...@github.com:llvm/llvm-project.git 0996585c8e3b3d409494eb5f1cad714b9e1f7fb5), GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f84cf...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in hci_proto_connect_ind include/net/bluetooth/hci_core.h:1460 [inline]
BUG: KMSAN: uninit-value in hci_conn_request_evt+0x220/0x1290 net/bluetooth/hci_event.c:2783
hci_proto_connect_ind include/net/bluetooth/hci_core.h:1460 [inline]
hci_conn_request_evt+0x220/0x1290 net/bluetooth/hci_event.c:2783
hci_event_packet+0x1489/0x22e0 net/bluetooth/hci_event.c:6315
hci_rx_work+0x6ae/0xd10 net/bluetooth/hci_core.c:5136
process_one_work+0xdc7/0x1760 kernel/workqueue.c:2297
worker_thread+0x1101/0x22b0 kernel/workqueue.c:2444
kthread+0x66b/0x780 kernel/kthread.c:319
ret_from_fork+0x1f/0x30
Uninit was created at:
slab_alloc_node mm/slub.c:3221 [inline]
__kmalloc_node_track_caller+0x8d2/0x1340 mm/slub.c:4955
kmalloc_reserve net/core/skbuff.c:355 [inline]
__alloc_skb+0x4db/0xe40 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1116 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
vhci_write+0x182/0x8f0 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:2163 [inline]
new_sync_write fs/read_write.c:507 [inline]
vfs_write+0x1295/0x1f20 fs/read_write.c:594
ksys_write+0x28c/0x520 fs/read_write.c:647
__do_sys_write fs/read_write.c:659 [inline]
__se_sys_write fs/read_write.c:656 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:656
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
=====================================================
Kernel panic - not syncing: panic_on_kmsan set ...
CPU: 1 PID: 6390 Comm: kworker/u5:1 Tainted: G B 5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106
dump_stack+0x25/0x28 lib/dump_stack.c:113
panic+0x44f/0xdeb kernel/panic.c:232
kmsan_report+0x2ee/0x300 mm/kmsan/report.c:168
__msan_warning+0xb4/0x100 mm/kmsan/instrumentation.c:199
hci_proto_connect_ind include/net/bluetooth/hci_core.h:1460 [inline]
hci_conn_request_evt+0x220/0x1290 net/bluetooth/hci_event.c:2783
hci_event_packet+0x1489/0x22e0 net/bluetooth/hci_event.c:6315
hci_rx_work+0x6ae/0xd10 net/bluetooth/hci_core.c:5136
process_one_work+0xdc7/0x1760 kernel/workqueue.c:2297
worker_thread+0x1101/0x22b0 kernel/workqueue.c:2444
kthread+0x66b/0x780 kernel/kthread.c:319
ret_from_fork+0x1f/0x30
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jan 2, 2022, 5:23:19 PM1/2/22
to da...@davemloft.net, gli...@google.com, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10051b67b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12148a3bb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f84cf...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
BUG: KMSAN: uninit-value in hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
hci_event_packet+0x1452/0x23e0 net/bluetooth/hci_event.c:6360
hci_rx_work+0x6a0/0xd00 net/bluetooth/hci_core.c:5084
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:413 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:287 [inline]
vhci_write+0x187/0x8f0 drivers/bluetooth/hci_vhci.c:407
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0x1318/0x2030 fs/read_write.c:590
ksys_write+0x28b/0x510 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:652
HEAD commit: 81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=103ea4c7b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10051b67b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12148a3bb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f84cf...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
hci_event_packet+0x1452/0x23e0 net/bluetooth/hci_event.c:6360
hci_rx_work+0x6a0/0xd00 net/bluetooth/hci_core.c:5084
process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298
worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445
kthread+0x721/0x850 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
Uninit was created at:
slab_alloc_node mm/slub.c:3251 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
bt_skb_alloc include/net/bluetooth/bluetooth.h:413 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:287 [inline]
vhci_write+0x187/0x8f0 drivers/bluetooth/hci_vhci.c:407
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0x1318/0x2030 fs/read_write.c:590
ksys_write+0x28b/0x510 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
CPU: 1 PID: 43 Comm: kworker/u5:0 Not tainted 5.16.0-rc5-syzkaller #0
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
=====================================================
Workqueue: hci0 hci_rx_work
Hillf Danton
Jan 2, 2022, 8:06:39 PM1/2/22
to syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, net...@vger.kernel.org, Desmond Cheong Zhi Xi, Pavel Skripkin, syzkall...@googlegroups.com
On Sun, 02 Jan 2022 14:23:18 -0800
And to avoid queuing the rx work for every skb received, open code
skb_dequeue() on worker side and skb_queue_tail() on work scheduler side,
and serialize activities on both sides using the lock embedded in rx_q.
Only for thoughts now.
Hillf
+++ y/net/bluetooth/hci_core.c
@@ -4069,6 +4069,23 @@ int hci_reset_dev(struct hci_dev *hdev)
}
EXPORT_SYMBOL(hci_reset_dev);
+static void hci_queue_skb_and_work(struct hci_dev *hdev, struct sk_buff *skb)
+{
+ struct sk_buff_head *list = &hdev->rx_q;
+ bool running = false;
+ unsigned long flags;
+
+ /* open code skb_queue_tail() to avoid queuing work for every skb */
+ spin_lock_irqsave(&list->lock, flags);
+ __skb_queue_tail(list, skb);
+ if (hdev->rx_worker_running)
+ running = true;
+ spin_unlock_irqrestore(&list->lock, flags);
+
+ if (running == false)
+ queue_work(hdev->workqueue, &hdev->rx_work);
+}
+
/* Receive frame from HCI drivers */
int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
@@ -4092,8 +4109,7 @@ int hci_recv_frame(struct hci_dev *hdev,
/* Time stamp */
__net_timestamp(skb);
- skb_queue_tail(&hdev->rx_q, skb);
- queue_work(hdev->workqueue, &hdev->rx_work);
+ hci_queue_skb_and_work(hdev, skb);
return 0;
}
@@ -4108,8 +4124,7 @@ int hci_recv_diag(struct hci_dev *hdev,
/* Time stamp */
__net_timestamp(skb);
- skb_queue_tail(&hdev->rx_q, skb);
- queue_work(hdev->workqueue, &hdev->rx_work);
+ hci_queue_skb_and_work(hdev, skb);
return 0;
}
@@ -5041,11 +5056,18 @@ void hci_req_cmd_complete(struct hci_dev
static void hci_rx_work(struct work_struct *work)
{
struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
+ struct sk_buff_head *list = &hdev->rx_q;
+ unsigned long flags;
struct sk_buff *skb;
BT_DBG("%s", hdev->name);
- while ((skb = skb_dequeue(&hdev->rx_q))) {
+ spin_lock_irqsave(&list->lock, flags);
+ hdev->rx_worker_running = 1;
+ /* open code skb_dequeue() to avoid queuing work for every skb */
+ while ((skb = __skb_dequeue(list))) {
+ spin_unlock_irqrestore(&list->lock, flags);
+
/* Send copy to monitor */
hci_send_to_monitor(hdev, skb);
@@ -5063,6 +5085,7 @@ static void hci_rx_work(struct work_stru
if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
!test_bit(HCI_INIT, &hdev->flags)) {
kfree_skb(skb);
+ spin_lock_irqsave(&list->lock, flags);
continue;
}
@@ -5073,6 +5096,7 @@ static void hci_rx_work(struct work_stru
case HCI_SCODATA_PKT:
case HCI_ISODATA_PKT:
kfree_skb(skb);
+ spin_lock_irqsave(&list->lock, flags);
continue;
}
}
@@ -5098,7 +5122,11 @@ static void hci_rx_work(struct work_stru
kfree_skb(skb);
break;
}
+ spin_lock_irqsave(&list->lock, flags);
}
+
+ hdev->rx_worker_running = 0;
+ spin_unlock_irqrestore(&list->lock, flags);
}
static void hci_cmd_work(struct work_struct *work)
+++ y/include/net/bluetooth/hci_core.h
@@ -456,6 +456,7 @@ struct hci_dev {
__u8 le_tx_def_phys;
__u8 le_rx_def_phys;
+ __u8 rx_worker_running;
struct workqueue_struct *workqueue;
struct workqueue_struct *req_workqueue;
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=103ea4c7b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
> dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
> compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10051b67b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12148a3bb00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8f84cf...@syzkaller.appspotmail.com
>
> =====================================================
> BUG: KMSAN: uninit-value in hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
> BUG: KMSAN: uninit-value in hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
> hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
Given the default -EINVAL there, this can not hurt in practice.
>
> HEAD commit: 81c325bbf94e kmsan: hooks: do not check memory in kmsan_in..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=103ea4c7b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2d8b9a11641dc9aa
> dashboard link: https://syzkaller.appspot.com/bug?extid=8f84cf3ec5c288e779ef
> compiler: clang version 14.0.0 (/usr/local/google/src/llvm-git-monorepo 2b554920f11c8b763cd9ed9003f4e19b919b8e1f), GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10051b67b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12148a3bb00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8f84cf...@syzkaller.appspotmail.com
>
> =====================================================
> BUG: KMSAN: uninit-value in hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
> BUG: KMSAN: uninit-value in hci_conn_request_evt+0x22b/0x13c0 net/bluetooth/hci_event.c:2827
> hci_proto_connect_ind include/net/bluetooth/hci_core.h:1485 [inline]
skb_dequeue() on worker side and skb_queue_tail() on work scheduler side,
and serialize activities on both sides using the lock embedded in rx_q.
Only for thoughts now.
Hillf
+++ y/net/bluetooth/hci_core.c
@@ -4069,6 +4069,23 @@ int hci_reset_dev(struct hci_dev *hdev)
}
EXPORT_SYMBOL(hci_reset_dev);
+static void hci_queue_skb_and_work(struct hci_dev *hdev, struct sk_buff *skb)
+{
+ struct sk_buff_head *list = &hdev->rx_q;
+ bool running = false;
+ unsigned long flags;
+
+ /* open code skb_queue_tail() to avoid queuing work for every skb */
+ spin_lock_irqsave(&list->lock, flags);
+ __skb_queue_tail(list, skb);
+ if (hdev->rx_worker_running)
+ running = true;
+ spin_unlock_irqrestore(&list->lock, flags);
+
+ if (running == false)
+ queue_work(hdev->workqueue, &hdev->rx_work);
+}
+
/* Receive frame from HCI drivers */
int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
@@ -4092,8 +4109,7 @@ int hci_recv_frame(struct hci_dev *hdev,
/* Time stamp */
__net_timestamp(skb);
- skb_queue_tail(&hdev->rx_q, skb);
- queue_work(hdev->workqueue, &hdev->rx_work);
+ hci_queue_skb_and_work(hdev, skb);
return 0;
}
@@ -4108,8 +4124,7 @@ int hci_recv_diag(struct hci_dev *hdev,
/* Time stamp */
__net_timestamp(skb);
- skb_queue_tail(&hdev->rx_q, skb);
- queue_work(hdev->workqueue, &hdev->rx_work);
+ hci_queue_skb_and_work(hdev, skb);
return 0;
}
@@ -5041,11 +5056,18 @@ void hci_req_cmd_complete(struct hci_dev
static void hci_rx_work(struct work_struct *work)
{
struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
+ struct sk_buff_head *list = &hdev->rx_q;
+ unsigned long flags;
struct sk_buff *skb;
BT_DBG("%s", hdev->name);
- while ((skb = skb_dequeue(&hdev->rx_q))) {
+ spin_lock_irqsave(&list->lock, flags);
+ hdev->rx_worker_running = 1;
+ /* open code skb_dequeue() to avoid queuing work for every skb */
+ while ((skb = __skb_dequeue(list))) {
+ spin_unlock_irqrestore(&list->lock, flags);
+
/* Send copy to monitor */
hci_send_to_monitor(hdev, skb);
@@ -5063,6 +5085,7 @@ static void hci_rx_work(struct work_stru
if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
!test_bit(HCI_INIT, &hdev->flags)) {
kfree_skb(skb);
+ spin_lock_irqsave(&list->lock, flags);
continue;
}
@@ -5073,6 +5096,7 @@ static void hci_rx_work(struct work_stru
case HCI_SCODATA_PKT:
case HCI_ISODATA_PKT:
kfree_skb(skb);
+ spin_lock_irqsave(&list->lock, flags);
continue;
}
}
@@ -5098,7 +5122,11 @@ static void hci_rx_work(struct work_stru
kfree_skb(skb);
break;
}
+ spin_lock_irqsave(&list->lock, flags);
}
+
+ hdev->rx_worker_running = 0;
+ spin_unlock_irqrestore(&list->lock, flags);
}
static void hci_cmd_work(struct work_struct *work)
+++ y/include/net/bluetooth/hci_core.h
@@ -456,6 +456,7 @@ struct hci_dev {
__u8 le_tx_def_phys;
__u8 le_rx_def_phys;
+ __u8 rx_worker_running;
struct workqueue_struct *workqueue;
struct workqueue_struct *req_workqueue;
syzbot
Sep 26, 2022, 7:49:32 PM9/26/22
to gli...@google.com, syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages