From 72ef98445aca568a81c2da050532500a8345ad3a Mon Sep 17 00:00:00 2001

From: Steven Rostedt <rostedt@goodmis.org>

Date: Tue, 5 Apr 2022 10:02:00 -0400

Subject: [PATCH] Bluetooth: hci_qca: Use del_timer_sync() before freeing

Git-commit: 72ef98445aca568a81c2da050532500a8345ad3a

References: git-fixes

Patch-mainline: v5.19-rc1

While looking at a crash report on a timer list being corrupted, which

usually happens when a timer is freed while still active. This is

commonly triggered by code calling del_timer() instead of

del_timer_sync() just before freeing.

One possible culprit is the hci_qca driver, which does exactly that.

Eric mentioned that wake_retrans_timer could be rearmed via the work

queue, so also move the destruction of the work queue before

del_timer_sync().

Cc: Eric Dumazet <eric.dumazet@gmail.com>

Cc: stable@vger.kernel.org

Fixes: 0ff252c1976da ("Bluetooth: hciuart: Add support QCA chipset for UART")

Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Signed-off-by: Oliver Neukum <oneukum@suse.com>

---

 drivers/bluetooth/hci_qca.c |    4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_qca.c

+++ b/drivers/bluetooth/hci_qca.c

@@ -524,9 +524,9 @@ static int qca_close(struct hci_uart *hu

 	skb_queue_purge(&qca->tx_wait_q);

 	skb_queue_purge(&qca->txq);

-	del_timer(&qca->tx_idle_timer);

-	del_timer(&qca->wake_retrans_timer);

 	destroy_workqueue(qca->workqueue);

+	del_timer_sync(&qca->tx_idle_timer);

+	del_timer_sync(&qca->wake_retrans_timer);

 	qca->hu = NULL;

 	kfree_skb(qca->rx_skb);