On 5/20/25 7:03 PM, Luiz Augusto von Dentz wrote:
> Afaik that is no different from hci_chan_create/hci_chan_del and other
> versions, which don't seem to have any problems with it, and they have
> been around for quite a while.
> Maybe it's just because the related paths weren't tried hard enough
> by syzkaller, or something else?
I assume that is because of the usage of synchronize_rcu().
IIUC synchronize_rcu() is used to wait for ongoing RCU read-side critical
sections to complete, which is quite enough for lock-free cooperation
with _the only_ write-side critical section. But in the case of
'mgmt_pending', it's possible to have more than one concurrent writer
running from very different contexts, including invocations of
'mgmt_pending_remove()' from callbacks scheduled via 'cmd_sync_work'
by using 'hci_cmd_sync_submit()'. Note that calls to 'mgmt_pending_add()'
are always issued under 'lock' of 'struct hci_dev', but this is not
true for the aforementioned calls to 'mgmt_pending_remove()'.
As of this writing, syzbot has spotted at least three crashes
caused by unsynchronized updates of 'mgmt_pending':
https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
https://syzkaller.appspot.com/bug?extid=0a7039d5d9986ff4ecec
https://syzkaller.appspot.com/bug?extid=cc0cc52e7f43dc9e6df1
and https://syzkaller.appspot.com/text?tag=Patch&x=17561df4580000
is known to (hopefully) fix all of them, while also keeping the changes
relatively small and simple.
Dmitry
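The point in the message above, that synchronize_rcu() orders readers against one writer but does nothing to order two writers against each other, can be shown with a userspace model. The following is an added example, not kernel code and not the patch linked above: a pending-command list with several writer threads (standing in for mgmt command handlers and cmd_sync_work callbacks), where both the add and the remove path go through one lock and the remove path refuses to run unlocked, much as a lockdep_assert_held() would complain in the kernel. All names (struct dev, pending_add, pending_remove, stress, unlocked_remove_is_rejected) are invented for this model and stand in for hci_dev, mgmt_pending_add() and mgmt_pending_remove(); the lock-held check uses a thread-local flag, which is sufficient because the model has a single device.

```c
/* Added example (userspace model, not kernel code): every writer to the
 * pending list, add and remove alike, must hold the device lock. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_THREADS 16

struct pending_cmd {
    struct pending_cmd *next;
    int opcode;
};

struct dev {
    pthread_mutex_t lock;        /* stands in for hdev->lock */
    struct pending_cmd *pending; /* stands in for hdev->mgmt_pending */
};

/* One device in this model, so a thread-local flag records whether the
 * calling thread holds dev->lock (a stand-in for lockdep_assert_held()). */
static __thread int holds_dev_lock;

static void dev_lock(struct dev *d)
{
    pthread_mutex_lock(&d->lock);
    holds_dev_lock = 1;
}

static void dev_unlock(struct dev *d)
{
    holds_dev_lock = 0;
    pthread_mutex_unlock(&d->lock);
}

/* Callers must hold the lock, as mgmt_pending_add() callers do. */
static int pending_add(struct dev *d, struct pending_cmd *c)
{
    if (!holds_dev_lock)
        return -EPERM;
    c->next = d->pending;
    d->pending = c;
    return 0;
}

/* Removal gets the same rule: an unlocked caller is refused instead of
 * being allowed to race with another writer. */
static int pending_remove(struct dev *d, struct pending_cmd *c)
{
    if (!holds_dev_lock)
        return -EPERM;
    for (struct pending_cmd **pp = &d->pending; *pp; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            c->next = NULL;
            return 0;
        }
    }
    return -ENOENT;
}

static int pending_count(struct dev *d)
{
    int n = 0;
    for (struct pending_cmd *c = d->pending; c; c = c->next)
        n++;
    return n;
}

struct worker_arg { struct dev *d; int iters; };

/* Each worker is one writer context (a mgmt handler or a cmd_sync_work
 * callback): it queues a command and later completes it, always locked. */
static void *worker(void *p)
{
    struct worker_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        struct pending_cmd *c = calloc(1, sizeof(*c));
        if (!c)
            abort();
        c->opcode = i;
        dev_lock(a->d);
        pending_add(a->d, c);
        dev_unlock(a->d);
        dev_lock(a->d);
        pending_remove(a->d, c);
        dev_unlock(a->d);
        free(c);
    }
    return NULL;
}

/* Run nthreads concurrent writers; returns entries left on the list,
 * which is 0 when every add was matched by a serialized remove. */
int stress(int nthreads, int iters)
{
    struct dev d = { .lock = PTHREAD_MUTEX_INITIALIZER, .pending = NULL };
    pthread_t t[MAX_THREADS];
    struct worker_arg a = { &d, iters };

    if (nthreads > MAX_THREADS)
        nthreads = MAX_THREADS;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&t[i], NULL, worker, &a);
    for (int i = 0; i < nthreads; i++)
        pthread_join(t[i], NULL);
    return pending_count(&d);
}

/* The check firing: an unlocked remove is refused (-EPERM), the same
 * remove under the lock succeeds. Returns 1 when both hold. */
int unlocked_remove_is_rejected(void)
{
    struct dev d = { .lock = PTHREAD_MUTEX_INITIALIZER, .pending = NULL };
    struct pending_cmd c = { .next = NULL, .opcode = 1 };
    int rc_unlocked, rc_locked;

    dev_lock(&d);
    pending_add(&d, &c);
    dev_unlock(&d);
    rc_unlocked = pending_remove(&d, &c); /* no lock held: refused */
    dev_lock(&d);
    rc_locked = pending_remove(&d, &c);
    dev_unlock(&d);
    return rc_unlocked == -EPERM && rc_locked == 0 && pending_count(&d) == 0;
}

int main(void)
{
    printf("unlocked remove rejected: %d\n", unlocked_remove_is_rejected());
    printf("entries left after stress: %d\n", stress(8, 2000));
    return 0;
}
```

The model deliberately has no RCU at all: with both writers serialized on one lock, readers could still be made lock-free with an RCU-style scheme, but that scheme would never be what keeps the two writers apart. If the thread-local check is dropped, the unlocked remove above silently succeeds and nothing forces the callback path to serialize with the handler path, which is the situation the message describes.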