Received: by 2002:a05:7412:9c07:b0:fa:6e18:a558 with SMTP id lr7csp658850rdb;
        Sun, 28 Jan 2024 03:28:51 -0800 (PST)
X-Google-Smtp-Source: AGHT+IFHQhU1IFx4z9EDIr44l74ur0QS5YAEeQLCaeD7PI+1RJMlIMsCG94jyK0bC6rL5ne82Ilx
X-Received: by 2002:a92:d688:0:b0:360:780c:d2a2 with SMTP id p8-20020a92d688000000b00360780cd2a2mr4187276iln.30.1706441330938;
        Sun, 28 Jan 2024 03:28:50 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706441330; cv=pass;
        d=google.com; s=arc-20160816;
        b=E8R3Y9EOO3mQW9SZ94tCsrrddM/kwayVlUmaxQi2CKC56E2YkL6Gp7tFLG1HiNqvyO
         F4IV2w0dHUGjiXEJfD+VGrOiyxXZJEPUWGydxGd9rlpkK+Ux5ONPWk1bNT/x0qBb0f6D
         BotR17bvxDTflKQ6pLMRkiCdcWcrwxNoC/nhydH0G0f7XQFJpdyykTAytQTQxqOZmgBl
         tHJpH6jwyXg4WY8HtVZ1fF24BtVuGJ0RwVAJBSYcHEF57+lvkjITVJCqWFSpnBDHZfso
         QScqaaSCajQzFpXQ6enJLrhDVfMaELrNNhlLcjF24CPIsUMREZnlQu6+Ocwj2M7WMlaa
         8Ckg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=nn0y/ePRLp3xPh9v4a/SLERTgJ8eNh80hajgcz616vg=;
        fh=+/7J+KeFlSdhiAXcMFDOrnKB64C386Z3VHWZeYjoQ54=;
        b=eX8qUboWTkrM+vNPN8WamIgfnFx7HkMmiLDCPmco7s2WwOiGeLk1Gqg7PoyQvI/2ut
         MLfzpRlblkulxc7oXH4/64eBS9IprlzabmtuFi1Bp8VwVDOQ2SY+LrcYZiLggahyGYFp
         O1JyBXW8z8L/1cQYzGrA8wsAfwwLaaTNU/oVf/2WIMv1eSJOhr7kBbeBt8h/xbiNv1Fv
         xQTLrxEh1pUK4+DcAV783P9+bLp2tSHt1wqNqkmpAyKZlxvgI8ngQ051DxdhPm8AxTUZ
         HbEs7Qre00V2KdKnL1cBdadPDEhNqo0VnyFCWAR0kMxTR5w0bKmMpz/1jScKInemkf8N
         htOg==
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sina.com);
       spf=pass (google.com: domain of linux-kernel+bounces-41600-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-41600-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-41600-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id b37-20020a630c25000000b005d3adb65694si3920777pgl.757.2024.01.28.03.28.50
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 28 Jan 2024 03:28:50 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-41600-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sina.com);
       spf=pass (google.com: domain of linux-kernel+bounces-41600-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-41600-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 74274B219CA
	for <linux.lists.archive@gmail.com>; Sun, 28 Jan 2024 11:28:47 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id DEB3E200B7;
	Sun, 28 Jan 2024 11:28:40 +0000 (UTC)
Received: from mail115-95.sinamail.sina.com.cn (mail115-95.sinamail.sina.com.cn [218.30.115.95])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4DE981F60B
	for <linux-kernel@vger.kernel.org>; Sun, 28 Jan 2024 11:28:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=218.30.115.95
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706441320; cv=none; b=if6APmdKwEBoOAuZl105U04cjWfXozmPdt39MaRdN+x2W9VJYB7yv7Gl60Rv8ALAsvI8p6UlhL0aA66BJxIqtHFhNuAbJKOodZH0cwYHbtMd5cCmxte9Sgu7MSEIMXBNxrGuS6mYvWrFadJoF2Qm1dANFkR9tBX58WdFJd4NvUE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706441320; c=relaxed/simple;
	bh=pgM5f+lftG3/Fldgk+3owBs7XN3I/60sQYwS/xInNkQ=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version; b=NNlAevycfnal8SwMx22ojzUiYlJwXZTrPb1fPLHg4/Fx6O4uQfIa4AQplL21UTwNk3Ioc/JgjaMOyu7cQNvkEiIb2Va6oO2m78NTXW6XuEs16vJ+Wl9ZUZ4BerBWBo8dWQBNKPUtIAVI0bXTKOV97VLV+ggIR2rM/3myIVMlTC8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com; spf=pass smtp.mailfrom=sina.com; arc=none smtp.client-ip=218.30.115.95
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com
X-SMAIL-HELO: localhost.localdomain
Received: from unknown (HELO localhost.localdomain)([113.118.68.210])
	by sina.com (172.16.235.24) with ESMTP
	id 65B63A5500003E03; Sun, 28 Jan 2024 19:28:24 +0800 (CST)
X-Sender: hdanton@sina.com
X-Auth-ID: hdanton@sina.com
Authentication-Results: sina.com;
	 spf=none smtp.mailfrom=hdanton@sina.com;
	 dkim=none header.i=none;
	 dmarc=none action=none header.from=hdanton@sina.com
X-SMAIL-MID: 74785645089398
X-SMAIL-UIID: A654D357F48240759A5F1057ED89CDA1-20240128-192824-1
From: Hillf Danton <hdanton@sina.com>
To: syzbot <syzbot+a984066a63e9c1e62662@syzkaller.appspotmail.com>
Cc: linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] INFO: task hung in hci_conn_failed
Date: Sun, 28 Jan 2024 19:28:15 +0800
Message-Id: <20240128112815.1161-1-hdanton@sina.com>
In-Reply-To: <000000000000ba736b060ff5da23@google.com>
References: <000000000000ba736b060ff5da23@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

On Sat, 27 Jan 2024 15:34:31 -0800
> HEAD commit:    7ed2632ec7d7 drm/ttm: fix ttm pool initialization for no-d..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=116e5bbfe80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  master

--- x/net/bluetooth/hci_conn.c
+++ y/net/bluetooth/hci_conn.c
@@ -2819,16 +2819,13 @@ void hci_chan_del(struct hci_chan *chan)
 	BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
 
 	list_del_rcu(&chan->list);
-
-	synchronize_rcu();
-
 	/* Prevent new hci_chan's to be created for this hci_conn */
 	set_bit(HCI_CONN_DROP, &conn->flags);
 
 	hci_conn_put(conn);
 
 	skb_queue_purge(&chan->data_q);
-	kfree(chan);
+	kfree_rcu(chan, rcu);
 }
 
 void hci_chan_list_flush(struct hci_conn *conn)
--- x/include/net/bluetooth/hci_core.h
+++ y/include/net/bluetooth/hci_core.h
@@ -797,7 +797,10 @@ struct hci_chan {
 	struct list_head list;
 	__u16 handle;
 	struct hci_conn *conn;
-	struct sk_buff_head data_q;
+	union {
+		struct sk_buff_head 	data_q;
+		struct rcu_head 	rcu;
+	};
 	unsigned int	sent;
 	__u8		state;
 	bool		amp;
--