Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp881649pxb; Wed, 6 Apr 2022 03:06:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyLQfLQAYed/gPhG1JRYXo3h8wP9T74bNDF1laQu6LfZeMhTqu9CNUYuRdaBFVyZJIzKAXh X-Received: by 2002:a63:6204:0:b0:399:dea:3d20 with SMTP id w4-20020a636204000000b003990dea3d20mr6598152pgb.152.1649239574690; Wed, 06 Apr 2022 03:06:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649239574; cv=none; d=google.com; s=arc-20160816; b=aaMAI2M6S7MZqvoh9+QivyND3cm3fbNOemDgmT5RN33C6ft64kGVhU0MHU9XcLC4NM 6sang/Wj5HwUr+z54QP2DOoO1Lfmtxkvc9F3keFjakMvFyMKmsho4MtEKw38PRklxB5p bycDEOMvUXnMt9+pEzfeAt34Jn8KPuIt8OV8CNX1plbo7FjEaBYsKqix/EhdawLLCoJL CYoYFPvjVEEAk/88hynAf0uEYrYYNqVm+/1KFmaOPF7jYghNEvesa0z5WsnS4ginsdLx XUDClaIIVr7/liPCG0rEwCeDq+ejUQ8ZQHACqWSAtBlgp/kS0qnnmaweh4oBk0BLDqE3 L7aA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:subject:cc:to:from:date; bh=0gjjl8PTVwC+vObf3IgXSNCgHEyXqlWuyLHRsuw1iPM=; b=lh1sp+ZL4HGqeQB+DpJdnBFtVEHT2N+KBMaCSFAVLyQaZckGfwP6T0f+8H07ZSYv7Y ZZt4u/9qHKjsrKKLGTN7sITuiIUZz7LNgiJacQCEkRcm2qPSrHDgSR+dbCP9TiDYPR/0 poqqoHDpH6t+vwv5bQJPiGqjukNl8bmBdzMQ/9b81BGeqcD46syOPqeWIqRd8hMXaPyh GLJvFbL0q25YChuxslXbiXxndcizn4x39EO2FSvkVwkGYtcDa0Ju/pviXzpg5s0CI7ld wIGeRe3BFFTJ0RJ8K8lV/4d1Rok4o2kFM12RzSD7kn0ZK9Q76BynM58r0I7699WAol+w 4Ytw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id n8-20020a654cc8000000b003982828d932si15285150pgt.628.2022.04.06.03.06.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 03:06:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 3167E17FD33; Wed, 6 Apr 2022 01:23:54 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1382894AbiDFAlu (ORCPT + 99 others); Tue, 5 Apr 2022 20:41:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59542 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1443899AbiDEPk0 (ORCPT ); Tue, 5 Apr 2022 11:40:26 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0CBD214DFC5; Tue, 5 Apr 2022 07:02:06 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B2E30B81BA9; Tue, 5 Apr 2022 14:02:04 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7BBD4C385A0; Tue, 5 Apr 2022 14:02:02 +0000 (UTC) Date: Tue, 5 Apr 2022 10:02:00 -0400 From: Steven Rostedt To: LKML Cc: Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Ben Young Tae Kim , Thomas Gleixner , Eric Dumazet , linux-bluetooth@vger.kernel.org Subject: [PATCH v2] Bluetooth: hci_qca: Use del_timer_sync() before freeing Message-ID: <20220405100200.64f56e50@gandalf.local.home> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org From: Steven Rostedt While looking at a crash report on a timer list being corrupted, which usually happens when a timer is freed while still active. This is commonly triggered by code calling del_timer() instead of del_timer_sync() just before freeing. One possible culprit is the hci_qca driver, which does exactly that. Eric mentioned that wake_retrans_timer could be rearmed via the work queue, so also move the destruction of the work queue before del_timer_sync(). Cc: Eric Dumazet Cc: stable@vger.kernel.org Fixes: 0ff252c1976da ("Bluetooth: hciuart: Add support QCA chipset for UART") Signed-off-by: Steven Rostedt (Google) --- Changes since v1: https://lkml.kernel.org/r/20220404182236.1caa174e@rorschach.local.home - Moved destroy_workqueue() before del_timer_sync() calls (Eric Dumazet). drivers/bluetooth/hci_qca.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index f6e91fb432a3..eab34e24d944 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -696,9 +696,9 @@ static int qca_close(struct hci_uart *hu) skb_queue_purge(&qca->tx_wait_q); skb_queue_purge(&qca->txq); skb_queue_purge(&qca->rx_memdump_q); - del_timer(&qca->tx_idle_timer); - del_timer(&qca->wake_retrans_timer); destroy_workqueue(qca->workqueue); + del_timer_sync(&qca->tx_idle_timer); + del_timer_sync(&qca->wake_retrans_timer); qca->hu = NULL; kfree_skb(qca->rx_skb); -- 2.35.1