From: Hillf Danton To: syzbot Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [bluetooth?] INFO: task hung in hci_conn_failed Date: Sun, 28 Jan 2024 17:15:21 +0800 Message-Id: <20240128091521.1102-1-hdanton@sina.com> In-Reply-To: <000000000000ba736b060ff5da23@google.com> References: <000000000000ba736b060ff5da23@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit On Sat, 27 Jan 2024 15:34:31 -0800 > HEAD commit: 7ed2632ec7d7 drm/ttm: fix ttm pool initialization for no-d.. > git tree: upstream > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=116e5bbfe80000 #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master --- x/include/net/bluetooth/hci_core.h +++ y/include/net/bluetooth/hci_core.h @@ -758,7 +758,10 @@ struct hci_conn { unsigned int sent; - struct sk_buff_head data_q; + union { + struct sk_buff_head data_q; + struct rcu_head rcu; + }; struct list_head chan_list; struct delayed_work disc_work; --- x/net/bluetooth/hci_conn.c +++ y/net/bluetooth/hci_conn.c @@ -2819,16 +2819,13 @@ void hci_chan_del(struct hci_chan *chan) BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan); list_del_rcu(&chan->list); - - synchronize_rcu(); - /* Prevent new hci_chan's to be created for this hci_conn */ set_bit(HCI_CONN_DROP, &conn->flags); hci_conn_put(conn); skb_queue_purge(&chan->data_q); - kfree(chan); + kfree_rcu(chan, rcu); } void hci_chan_list_flush(struct hci_conn *conn) --
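Review bot: the new `struct rcu_head rcu` in the hci_core.h hunk is placed in struct hci_conn (the hunk header and the `chan_list` / `disc_work` context lines show that), yet the only user in this patch is `kfree_rcu(chan, rcu)` on a `struct hci_chan *`. Unless struct hci_chan already has an `rcu` member outside the lines shown, the field belongs in struct hci_chan instead. Sharing storage with `data_q` through an anonymous union is also only safe if nothing reads or writes `data_q` once the rcu_head has been queued; either state that invariant in a comment next to the union or give `rcu` its own storage.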
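Review bot: with `synchronize_rcu()` dropped from hci_chan_del(), `skb_queue_purge(&chan->data_q)` now runs before the grace period has ended, so a reader that found `chan` on the list before `list_del_rcu()` can still be using `chan->data_q` during or after the purge. If `rcu` is meant to overlay `data_q` in a union, `kfree_rcu(chan, rcu)` would additionally overwrite the queue head while such readers may still look at it. Consider moving the purge and the free together into a `call_rcu()` callback, or explain in the changelog why no RCU reader can reach `chan->data_q` after `list_del_rcu()`. The removed blank line before the "Prevent new hci_chan's" comment also makes the list removal and the flag update read as one step; keeping it would preserve the original grouping.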