Re: [syzbot] [bluetooth?] BUG: corrupted list in _hci_cmd_sync_cancel_entry
From: Hillf Danton
Date: Wed Jun 25 2025 - 20:30:29 EST
> Date: Wed, 25 Jun 2025 10:14:27 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 7595b66ae9de Merge tag 'selinux-pr-20250624' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10ed4f0c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=641bc01f4fbdccd4
> dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bc9b70580000
#syz test
--- x/net/bluetooth/hci_sync.c
+++ y/net/bluetooth/hci_sync.c
@@ -862,14 +862,17 @@ bool hci_cmd_sync_dequeue_once(struct hc
void *data, hci_cmd_sync_work_destroy_t destroy)
{
struct hci_cmd_sync_work_entry *entry;
+ bool ret = false;
- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
- if (!entry)
- return false;
+ mutex_lock(&hdev->cmd_sync_work_lock);
+ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+ if (entry) {
+ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+ ret = true;
+ }
+ mutex_unlock(&hdev->cmd_sync_work_lock);
- hci_cmd_sync_cancel_entry(hdev, entry);
-
- return true;
+ return ret;
}
EXPORT_SYMBOL(hci_cmd_sync_dequeue_once);
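Review bot: The reason the lookup and the cancel now sit under a single hold of `cmd_sync_work_lock` is not recorded anywhere in the new code, and it is the whole point of the change: with the removed `hci_cmd_sync_lookup_entry()` / `hci_cmd_sync_cancel_entry()` pair, the entry pointer was returned after the lock was dropped, so a concurrent cancel or dequeue could free it before the second call re-took the lock and unlinked it — consistent with the syzbot "corrupted list in _hci_cmd_sync_cancel_entry" report. A comment above the new `mutex_lock()` would keep someone from "simplifying" it back, e.g. `/* Lookup and cancel must happen under one hold of cmd_sync_work_lock: an entry returned by an unlocked lookup can be freed by a concurrent cancel/dequeue before we re-take the lock. */`. The new call passes `-ECANCELED` explicitly; this presumably matches what the removed `hci_cmd_sync_cancel_entry()` wrapper used, but that wrapper is not visible here, so worth confirming no caller observed a different error. The signature of `hci_cmd_sync_dequeue_once` begins on the hunk-header line, outside the hunk; any kernel-doc for it is not visible and may also need this locking note.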
--