* [PATCH] Bluetooth: bcm203x: Fix use-after-free and memory leak in device lifecycle
@ 2025-07-26  6:23 Salah Triki
  2025-07-26  7:12 ` bluez.test.bot
  2025-07-27  8:29 ` [PATCH] " Paul Menzel
  0 siblings, 2 replies; 3+ messages in thread
From: Salah Triki @ 2025-07-26  6:23 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz, linux-bluetooth,
	linux-kernel
  Cc: salah.triki

The driver stores a reference to the `usb_device` structure (`udev`)
in its private data (`data->udev`), which can persist beyond the
immediate context of the `bcm203x_probe()` function.

Without proper reference count management, this can lead to two issues:

1. A `use-after-free` scenario if `udev` is accessed after its main
   reference count drops to zero (e.g., if the device is disconnected
   and the `data` structure is still active).
2. A `memory leak` if `udev`'s reference count is not properly
   decremented during driver disconnect, preventing the `usb_device`
   object from being freed.

To correctly manage the `udev` lifetime, explicitly increment its
reference count with `usb_get_dev(udev)` when storing it in the
driver's private data. Correspondingly, decrement the reference count
with `usb_put_dev(data->udev)` in the `bcm203x_disconnect()` callback.

This ensures `udev` remains valid while referenced by the driver's
private data and is properly released when no longer needed.

Signed-off-by: Salah Triki <salah.triki@gmail.com>
---
 drivers/bluetooth/bcm203x.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/bcm203x.c b/drivers/bluetooth/bcm203x.c
index c738ad0408cb..c91eaba33905 100644
--- a/drivers/bluetooth/bcm203x.c
+++ b/drivers/bluetooth/bcm203x.c
@@ -165,7 +165,7 @@ static int bcm203x_probe(struct usb_interface *intf, const struct usb_device_id
 	if (!data)
 		return -ENOMEM;
 
-	data->udev  = udev;
+	data->udev  = usb_get_dev(udev);
 	data->state = BCM203X_LOAD_MINIDRV;
 
 	data->urb = usb_alloc_urb(0, GFP_KERNEL);
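Review bot: the reference taken on the `data->udev  = usb_get_dev(udev);` line is leaked on every error return that follows it, starting with the `usb_alloc_urb()` call in the context line right below: if that allocation fails and probe returns early, nothing in this hunk drops the reference, so a failed probe leaves the `usb_device` pinned forever, the opposite of what the commit message sets out to fix. Either take the reference at the end of probe, just before the private data is published with `usb_set_intfdata()`, or add a `usb_put_dev(data->udev)` to each error path between this line and the end of the function.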
@@ -243,6 +243,8 @@ static void bcm203x_disconnect(struct usb_interface *intf)
 
 	usb_set_intfdata(intf, NULL);
 
+	usb_put_dev(data->udev);
+
 	usb_free_urb(data->urb);
 	kfree(data->fw_data);
 	kfree(data->buffer);
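Review bot: drop the reference last, after `kfree(data->buffer);`, so teardown is the reverse of probe (where `data->udev` is stored before the URB and buffers are allocated) and nothing that runs after `usb_put_dev()` can still dereference `data->udev`. Separately, the commit message's use-after-free claim needs a concrete path: the USB core holds the `usb_device` for the whole time the interface is bound, so between `bcm203x_probe()` and `bcm203x_disconnect()` the device cannot be freed underneath the driver; if no post-disconnect use of `data` exists, describe the change as keeping the reference balanced rather than fixing a UAF, and add a Fixes: tag either way.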
-- 
2.43.0
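
Not part of the thread: an added userspace C model of the probe/disconnect reference-count lifecycle the commit message describes. The `usb_get_dev()`/`usb_put_dev()` stubs, the USB-core mock and the simulated `usb_alloc_urb()` failure are all assumptions, not kernel code; the model reports how many device references are still outstanding after unplug for the normal path, a failed probe that keeps the reference, and a failed probe that drops it.

```c
/* Constructed userspace model (not kernel code) of the refcount lifecycle the
 * patch changes; usb_get_dev()/usb_put_dev() are stubs, the USB core is mocked. */
#include <errno.h>
#include <stdlib.h>
struct usb_device { int refcount; int freed; };
struct bcm203x_data { struct usb_device *udev; void *urb; };

static struct usb_device *usb_get_dev(struct usb_device *d) { d->refcount++; return d; }
static void usb_put_dev(struct usb_device *d) { if (--d->refcount == 0) d->freed = 1; }
/* Probe as in the patch: the device reference is taken before the URB is
 * allocated.  urb_alloc_fails simulates usb_alloc_urb() returning NULL;
 * put_on_error decides whether that early return drops the reference. */
static int bcm203x_probe_model(struct usb_device *udev, struct bcm203x_data **out,
                               int urb_alloc_fails, int put_on_error)
{
	struct bcm203x_data *data = calloc(1, sizeof(*data));
	if (!data)
		return -ENOMEM;
	data->udev = usb_get_dev(udev);        /* the line the patch adds in probe */
	data->urb = urb_alloc_fails ? NULL : malloc(1);
	if (!data->urb) {
		if (put_on_error)
			usb_put_dev(data->udev);   /* keeps the count balanced */
		free(data);
		return -ENOMEM;
	}
	*out = data;
	return 0;
}

static void bcm203x_disconnect_model(struct bcm203x_data *data)
{
	free(data->urb);
	usb_put_dev(data->udev);               /* the put the patch adds, dropped last here */
	free(data);
}

/* Mock USB core: holds one reference while the device is plugged in, binds and
 * unbinds the driver, then unplugs.  Returns the references still outstanding
 * after unplug: 0 means the device was freed, anything else is a leak. */
static int refs_leaked_after_unplug(int urb_alloc_fails, int put_on_error)
{
	struct usb_device dev = { .refcount = 1, .freed = 0 };
	struct bcm203x_data *data = NULL;
	if (bcm203x_probe_model(&dev, &data, urb_alloc_fails, put_on_error) == 0)
		bcm203x_disconnect_model(data);
	usb_put_dev(&dev);                     /* core drops its own reference */
	return dev.refcount;
}
```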



* RE: Bluetooth: bcm203x: Fix use-after-free and memory leak in device lifecycle
  2025-07-26  6:23 [PATCH] Bluetooth: bcm203x: Fix use-after-free and memory leak in device lifecycle Salah Triki
@ 2025-07-26  7:12 ` bluez.test.bot
  2025-07-27  8:29 ` [PATCH] " Paul Menzel
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2025-07-26  7:12 UTC (permalink / raw)
  To: linux-bluetooth, salah.triki


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=986087

---Test result---

Test Summary:
CheckPatch                    PENDING   0.26 seconds
GitLint                       PENDING   0.23 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      24.27 seconds
CheckAllWarning               PASS      27.03 seconds
CheckSparse                   PASS      30.43 seconds
BuildKernel32                 PASS      24.47 seconds
TestRunnerSetup               PASS      483.66 seconds
TestRunner_l2cap-tester       PASS      24.91 seconds
TestRunner_iso-tester         PASS      35.99 seconds
TestRunner_bnep-tester        PASS      6.10 seconds
TestRunner_mgmt-tester        FAIL      129.17 seconds
TestRunner_rfcomm-tester      PASS      9.36 seconds
TestRunner_sco-tester         PASS      14.84 seconds
TestRunner_ioctl-tester       PASS      10.30 seconds
TestRunner_mesh-tester        FAIL      11.43 seconds
TestRunner_smp-tester         PASS      8.74 seconds
TestRunner_userchan-tester    PASS      6.23 seconds
IncrementalBuild              PENDING   0.50 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 485 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
LL Privacy - Set Flags 2 (Enable RL)                 Failed       0.164 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.961 seconds
Mesh - Send cancel - 2                               Timed out    1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [PATCH] Bluetooth: bcm203x: Fix use-after-free and memory leak in device lifecycle
  2025-07-26  6:23 [PATCH] Bluetooth: bcm203x: Fix use-after-free and memory leak in device lifecycle Salah Triki
  2025-07-26  7:12 ` bluez.test.bot
@ 2025-07-27  8:29 ` Paul Menzel
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Menzel @ 2025-07-27  8:29 UTC (permalink / raw)
  To: Salah Triki
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, linux-bluetooth,
	linux-kernel

Dear Salah,


Thank you for your patch.


On 26.07.25 at 08:23, Salah Triki wrote:
> The driver stores a reference to the `usb_device` structure (`udev`)
> in its private data (`data->udev`), which can persist beyond the
> immediate context of the `bcm203x_probe()` function.
> 
> Without proper reference count management, this can lead to two issues:
> 
> 1. A `use-after-free` scenario if `udev` is accessed after its main
>     reference count drops to zero (e.g., if the device is disconnected
>     and the `data` structure is still active).
> 2. A `memory leak` if `udev`'s reference count is not properly
>     decremented during driver disconnect, preventing the `usb_device`
>     object from being freed.
> 
> To correctly manage the `udev` lifetime, explicitly increment its
> reference count with `usb_get_dev(udev)` when storing it in the
> driver's private data. Correspondingly, decrement the reference count
> with `usb_put_dev(data->udev)` in the `bcm203x_disconnect()` callback.
> 
> This ensures `udev` remains valid while referenced by the driver's
> private data and is properly released when no longer needed.
> 

Please add a Fixes: tag.

> Signed-off-by: Salah Triki <salah.triki@gmail.com>
> ---
>   drivers/bluetooth/bcm203x.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/bluetooth/bcm203x.c b/drivers/bluetooth/bcm203x.c
> index c738ad0408cb..c91eaba33905 100644
> --- a/drivers/bluetooth/bcm203x.c
> +++ b/drivers/bluetooth/bcm203x.c
> @@ -165,7 +165,7 @@ static int bcm203x_probe(struct usb_interface *intf, const struct usb_device_id
>   	if (!data)
>   		return -ENOMEM;
>   
> -	data->udev  = udev;
> +	data->udev  = usb_get_dev(udev);
>   	data->state = BCM203X_LOAD_MINIDRV;
>   
>   	data->urb = usb_alloc_urb(0, GFP_KERNEL);
> @@ -243,6 +243,8 @@ static void bcm203x_disconnect(struct usb_interface *intf)
>   
>   	usb_set_intfdata(intf, NULL);
>   
> +	usb_put_dev(data->udev);
> +
>   	usb_free_urb(data->urb);
>   	kfree(data->fw_data);
>   	kfree(data->buffer);

The diff looks good to me, though other Bluetooth drivers seem to use 
`interface_to_usbdev(intf)`.


Kind regards,

Paul

