From: Zhao Dongdong <winter91@foxmail.com>
To: amitkumar.karwar@nxp.com, neeraj.sanjaykale@nxp.com, marcel@holtmann.org
Cc: linux-bluetooth@vger.kernel.org, Zhao Dongdong <zhaodongdong@kylinos.cn>
Subject: [PATCH v3] Bluetooth: btnxpuart: Fix use-after-free in probe error path
Date: Fri, 15 May 2026 08:46:07 +0800
Message-ID: <tencent_F2E2AF1B6F510577B10C6897ED768BBBAF07@qq.com>

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
fails, the error path jumps to 'probe_fail' which only calls
hci_free_dev() and asserts the reset GPIO, but does NOT call
hci_unregister_dev() first.

This leaves the HCI device registered in the system with its backing
memory freed, leading to a use-after-free when userspace subsequently
accesses the device (e.g. via hciconfig or bluetoothd).

Fix by adding a 'probe_fail_unregister' label that calls
hci_unregister_dev() before falling through to the existing
'probe_fail' label. The original 'probe_fail' label is preserved
for the case where hci_register_dev() itself fails (device was
never registered, so no unregister is needed).

Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
v3: fix gitlint WARNING
v2: fix SubjectPrefix
---
drivers/bluetooth/btnxpuart.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index e7036a48ce48..a4d7747e5be0 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1907,13 +1907,15 @@ static int nxp_serdev_probe(struct serdev_device *serdev)
}
if (ps_setup(hdev))
- goto probe_fail;
+ goto probe_fail_unregister;
hci_devcd_register(hdev, nxp_coredump, nxp_coredump_hdr,
nxp_coredump_notify);
return 0;
+probe_fail_unregister:
+ hci_unregister_dev(hdev);
probe_fail:
reset_control_assert(nxpdev->pdn);
hci_free_dev(hdev);
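
Review bot: at the `if (ps_setup(hdev))` branch the device has already been registered, so the new `probe_fail_unregister` label fixes the free-while-registered ordering but still leaves a window in which userspace can see a device that is about to be torn down. If ps_setup() does not depend on the device being registered, calling it before hci_register_dev() would let this branch keep using `probe_fail` and avoid the register/unregister cycle entirely. If the order has to stay as it is, a one-line comment above `probe_fail_unregister:` noting that it deliberately falls through and that hci_unregister_dev() must precede hci_free_dev() would help keep later edits from reordering the labels. The commit message also carries no Fixes: tag naming the commit that introduced this error path, which a use-after-free fix needs so it can be picked up for stable backports.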
--
2.25.1