Re: [syzbot] WARNING in call_timer_fn

From: Thomas Gleixner
Date: Thu Nov 17 2022 - 06:54:36 EST

Next message: Peter Chen: "Re: [PATCH v3] usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1"
Previous message: Zhen Lei: "[PATCH] pipe: fix potential use-after-free in pipe_read()"
In reply to: Thomas Gleixner: "Re: [syzbot] WARNING in call_timer_fn"
Next in thread: Thomas Gleixner: "Re: [syzbot] WARNING in call_timer_fn"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Nov 17 2022 at 10:45, Hillf Danton wrote:
> On 16 Nov 2022 19:29:27 +0100 Thomas Gleixner <tglx@xxxxxxxxxxxxx>
>>
>
> I doubt your fix helps in the domain of workqueue in general, and in this
> report if it is delayed work that triggered the warning.

Indeed. I misread the backtrace and my brain connected the wrong dots
here. It's a different bluethooth hickup.

> --- x/net/bluetooth/hci_sync.c
> +++ y/net/bluetooth/hci_sync.c
> @@ -4806,6 +4806,7 @@ int hci_dev_close_sync(struct hci_dev *h
> /* Avoid potential lockdep warnings from the *_flush() calls by
> * ensuring the workqueue is empty up front.
> */
> + cancel_delayed_work_sync(&hdev->cmd_timer);
> drain_workqueue(hdev->workqueue);

The work has been canceled already before in the same function and there
are some more delayed works which can trigger this.

So no, this whole close_sync() function is prone to teardown races and
just slapping a single cancel here without deeper analysis does not cut
it.

Thanks,

tglx

Next message: Peter Chen: "Re: [PATCH v3] usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1"
Previous message: Zhen Lei: "[PATCH] pipe: fix potential use-after-free in pipe_read()"
In reply to: Thomas Gleixner: "Re: [syzbot] WARNING in call_timer_fn"
Next in thread: Thomas Gleixner: "Re: [syzbot] WARNING in call_timer_fn"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]