Re: [PATCH v1] Bluetooth: hci_release_dev: disable delayed devcoredump work
From: Luiz Augusto von Dentz
Date: Tue Mar 24 2026 - 16:48:20 EST
Hi Aby,
On Sun, Mar 22, 2026 at 5:09 PM Aby Sam Ross <abysamross@xxxxxxxxx> wrote:
>
> It is not necessary that the pending delayed hci devcoredump timeout
> work, hdev->dump.dump_timeout, submitted to the hdev->workqueue by the
> bluetooth devcoredump state machine,
> hci_devcd_rx()
> hci_devcd_handle_pkt_init()
> will be reset by it or by the timeout func hci_devcd_timeout(), using
> hci_devcd_reset(), before destroying the workqueue or before the hci
> device is freed up in hci_release_dev().
>
> In this bug the active delayed devcoredump timeout work's timer object
> is active when the memory associated with the hci device is freed up in
> hci_release_dev() causing the ODEBUG WARNING.
>
> Make sure that the delayed devcoredump timeout work is disabled before
> the hdev->workqueue is destroyed and before the hdev memory is freed in
> hci_release_dev().
>
> Tested the change with the syzbot reproducer that uses vhci device
> locally on x86_64 and on syzbot portal as well. Ran kselftest with net
> target.
>
> Fixes: 9695ef876fd1 ("Bluetooth: Add support for hci devcoredump")
> Reported-by: syzbot+b170dbf55520ebf5969a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=b170dbf55520ebf5969a
> Tested-by: syzbot+b170dbf55520ebf5969a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Aby Sam Ross <abysamross@xxxxxxxxx>
> ---
> net/bluetooth/hci_core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 01f8ceeb1c0c..1c7ee2a33337 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -2747,6 +2747,9 @@ void hci_release_dev(struct hci_dev *hdev)
> kfree_const(hdev->hw_info);
> kfree_const(hdev->fw_info);
>
> + if (hdev->dump.supported)
> + disable_delayed_work_sync(&hdev->dump.dump_timeout);
> +
> destroy_workqueue(hdev->workqueue);
> destroy_workqueue(hdev->req_workqueue);
>
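Review bot: the `if (hdev->dump.supported)` guard makes the cancellation conditional, so the hunk only works if `hdev->dump.dump_timeout` is never queued when `supported` is false; if the delayed work is initialized for every hdev regardless of support, an unconditional `disable_delayed_work_sync(&hdev->dump.dump_timeout);` is simpler and costs nothing when the work was never queued, and if it is only initialized when devcoredump is supported, a one-line comment above the guard saying so would make that dependency explicit. It would also help to note in a comment why `disable_delayed_work_sync()` is used rather than `cancel_delayed_work_sync()`: it leaves the work marked disabled, so a late requeue from the devcoredump path after this point becomes a no-op instead of re-arming the timer against a workqueue that is about to be destroyed, which is the property the commit message relies on.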
> --
> 2.53.0
>
https://sashiko.dev/#/patchset/20260322210849.68743-1-abysamross%40gmail.com
Both points seem valid, that perhaps the dump shouldn't be attached
to the hdev object since it may be necessary to unregister the hdev as part
of devcoredump handling; anyway, if it is required then upon unregister
it shall actually clean up the dump object as well.
--
Luiz Augusto von Dentz