[PATCH BlueZ v1 1/3] tools/tester: Fix crash when hciemu_new fails

[PATCH BlueZ v1 1/3] tools/tester: Fix crash when hciemu_new fails

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

When hciemu_new returns NULL, the mgmt object was not being unreferenced
before returning from the pre-setup failure path. This could lead to a
NULL dereference in read_info_callback when it later calls
hciemu_get_address on the NULL hciemu pointer.

Add mgmt_unref and return to the error path across all testers.
---
 tools/6lowpan-tester.c  | 2 ++
 tools/bnep-tester.c     | 3 +++
 tools/ioctl-tester.c    | 3 +++
 tools/iso-tester.c      | 2 ++
 tools/l2cap-tester.c    | 3 +++
 tools/mesh-tester.c     | 3 +++
 tools/mgmt-tester.c     | 3 +++
 tools/rfcomm-tester.c   | 3 +++
 tools/sco-tester.c      | 2 ++
 tools/smp-tester.c      | 3 +++
 tools/userchan-tester.c | 3 +++
 11 files changed, 30 insertions(+)

diff --git a/tools/6lowpan-tester.c b/tools/6lowpan-tester.c
index 65dba173b18e..2b43719f153e 100644
--- a/tools/6lowpan-tester.c
+++ b/tools/6lowpan-tester.c
@@ -181,6 +181,8 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
 		return;
 	}
 
diff --git a/tools/bnep-tester.c b/tools/bnep-tester.c
index 2a9b843098f4..581f54c20829 100644
--- a/tools/bnep-tester.c
+++ b/tools/bnep-tester.c
@@ -162,6 +162,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/ioctl-tester.c b/tools/ioctl-tester.c
index e0627eef5bdc..969fbd955b76 100644
--- a/tools/ioctl-tester.c
+++ b/tools/ioctl-tester.c
@@ -230,6 +230,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/iso-tester.c b/tools/iso-tester.c
index 4c30e9951bcb..8dfea0b417f0 100644
--- a/tools/iso-tester.c
+++ b/tools/iso-tester.c
@@ -637,6 +637,8 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
 		return;
 	}
 
diff --git a/tools/l2cap-tester.c b/tools/l2cap-tester.c
index c3aa96f84ea0..5c013d4704e5 100644
--- a/tools/l2cap-tester.c
+++ b/tools/l2cap-tester.c
@@ -217,6 +217,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/mesh-tester.c b/tools/mesh-tester.c
index 7c42dff76fb1..27628b627957 100644
--- a/tools/mesh-tester.c
+++ b/tools/mesh-tester.c
@@ -419,6 +419,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		test_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 90dfa35272c0..213fd996b032 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -431,6 +431,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		test_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/rfcomm-tester.c b/tools/rfcomm-tester.c
index 25b3a41e0f4f..06e9fbdd6143 100644
--- a/tools/rfcomm-tester.c
+++ b/tools/rfcomm-tester.c
@@ -167,6 +167,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/sco-tester.c b/tools/sco-tester.c
index 3d6b590924db..f09ba04aeaf7 100644
--- a/tools/sco-tester.c
+++ b/tools/sco-tester.c
@@ -195,6 +195,8 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
 		return;
 	}
 
diff --git a/tools/smp-tester.c b/tools/smp-tester.c
index 04b7ee088705..aaf149c0deb7 100644
--- a/tools/smp-tester.c
+++ b/tools/smp-tester.c
@@ -185,6 +185,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
diff --git a/tools/userchan-tester.c b/tools/userchan-tester.c
index f61d2779ed26..a03f64d84c0b 100644
--- a/tools/userchan-tester.c
+++ b/tools/userchan-tester.c
@@ -156,6 +156,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
+		mgmt_unref(data->mgmt);
+		data->mgmt = NULL;
+		return;
 	}
 
 	if (tester_use_debug())
-- 
2.53.0

[PATCH BlueZ v1 2/3] emulator/hciemu: Add hciemu_new_debug/hciemu_new_num_debug

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Add new constructors that accept debug callback and user_data parameters,
setting them up immediately after allocation so errors during early
initialization (create_vhci, hciemu_client_new) are captured by the debug
output.
---
 emulator/hciemu.c | 20 +++++++++++++++++++-
 emulator/hciemu.h | 11 +++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/emulator/hciemu.c b/emulator/hciemu.c
index 9534d82bac39..15d806a62aa6 100644
--- a/emulator/hciemu.c
+++ b/emulator/hciemu.c
@@ -396,7 +396,9 @@ static struct hciemu_client *hciemu_client_new(struct hciemu *hciemu,
 	return client;
 }
 
-struct hciemu *hciemu_new_num(enum hciemu_type type, uint8_t num)
+struct hciemu *hciemu_new_num_debug(enum hciemu_type type, uint8_t num,
+			hciemu_debug_func_t callback, void *user_data,
+			hciemu_destroy_func_t destroy)
 {
 
 	struct hciemu *hciemu;
@@ -409,6 +411,10 @@ struct hciemu *hciemu_new_num(enum hciemu_type type, uint8_t num)
 	if (!hciemu)
 		return NULL;
 
+	hciemu->debug_callback = callback;
+	hciemu->debug_destroy = destroy;
+	hciemu->debug_data = user_data;
+
 	switch (type) {
 	case HCIEMU_TYPE_BREDRLE:
 		hciemu->btdev_type = BTDEV_TYPE_BREDRLE;
@@ -465,11 +471,23 @@ struct hciemu *hciemu_new_num(enum hciemu_type type, uint8_t num)
 	return hciemu_ref(hciemu);
 }
 
+struct hciemu *hciemu_new_num(enum hciemu_type type, uint8_t num)
+{
+	return hciemu_new_num_debug(type, num, NULL, NULL, NULL);
+}
+
 struct hciemu *hciemu_new(enum hciemu_type type)
 {
 	return hciemu_new_num(type, 1);
 }
 
+struct hciemu *hciemu_new_debug(enum hciemu_type type,
+			hciemu_debug_func_t callback, void *user_data,
+			hciemu_destroy_func_t destroy)
+{
+	return hciemu_new_num_debug(type, 1, callback, user_data, destroy);
+}
+
 struct hciemu *hciemu_ref(struct hciemu *hciemu)
 {
 	if (!hciemu)
diff --git a/emulator/hciemu.h b/emulator/hciemu.h
index 1164be6510a3..e832d6350bb3 100644
--- a/emulator/hciemu.h
+++ b/emulator/hciemu.h
@@ -31,8 +31,17 @@ enum hciemu_hook_type {
 	HCIEMU_HOOK_POST_EVT,
 };
 
+typedef void (*hciemu_debug_func_t)(const char *str, void *user_data);
+typedef void (*hciemu_destroy_func_t)(void *user_data);
+
 struct hciemu *hciemu_new(enum hciemu_type type);
 struct hciemu *hciemu_new_num(enum hciemu_type type, uint8_t num);
+struct hciemu *hciemu_new_debug(enum hciemu_type type,
+			hciemu_debug_func_t callback, void *user_data,
+			hciemu_destroy_func_t destroy);
+struct hciemu *hciemu_new_num_debug(enum hciemu_type type, uint8_t num,
+			hciemu_debug_func_t callback, void *user_data,
+			hciemu_destroy_func_t destroy);
 
 struct hciemu *hciemu_ref(struct hciemu *hciemu);
 void hciemu_unref(struct hciemu *hciemu);
@@ -43,8 +52,6 @@ const uint8_t *hciemu_client_bdaddr(struct hciemu_client *client);
 bool hciemu_set_client_bdaddr(struct hciemu_client *client,
 				const uint8_t *bdaddr);
 
-typedef void (*hciemu_debug_func_t)(const char *str, void *user_data);
-typedef void (*hciemu_destroy_func_t)(void *user_data);
 bool hciemu_set_debug(struct hciemu *hciemu, hciemu_debug_func_t callback,
 			void *user_data, hciemu_destroy_func_t destroy);
 
-- 
2.53.0

[PATCH BlueZ v1 3/3] tools/tester: Retry with debug on hciemu_new failure

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

When hciemu_new fails, retry using hciemu_new_debug to capture early
initialization errors before reporting the failure. This helps diagnose
issues like vhci or client creation failures in CI.
---
 tools/6lowpan-tester.c  | 3 +++
 tools/bnep-tester.c     | 3 +++
 tools/ioctl-tester.c    | 3 +++
 tools/iso-tester.c      | 4 ++++
 tools/l2cap-tester.c    | 3 +++
 tools/mesh-tester.c     | 3 +++
 tools/mgmt-tester.c     | 3 +++
 tools/rfcomm-tester.c   | 3 +++
 tools/sco-tester.c      | 3 +++
 tools/smp-tester.c      | 3 +++
 tools/userchan-tester.c | 3 +++
 11 files changed, 34 insertions(+)

diff --git a/tools/6lowpan-tester.c b/tools/6lowpan-tester.c
index 2b43719f153e..95fdf206fc0c 100644
--- a/tools/6lowpan-tester.c
+++ b/tools/6lowpan-tester.c
@@ -178,6 +178,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(HCIEMU_TYPE_LE);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(HCIEMU_TYPE_LE, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/bnep-tester.c b/tools/bnep-tester.c
index 581f54c20829..1c53d024c0f8 100644
--- a/tools/bnep-tester.c
+++ b/tools/bnep-tester.c
@@ -159,6 +159,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/ioctl-tester.c b/tools/ioctl-tester.c
index 969fbd955b76..e957b0d01bfa 100644
--- a/tools/ioctl-tester.c
+++ b/tools/ioctl-tester.c
@@ -227,6 +227,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/iso-tester.c b/tools/iso-tester.c
index 8dfea0b417f0..767ee0c57c47 100644
--- a/tools/iso-tester.c
+++ b/tools/iso-tester.c
@@ -634,6 +634,10 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new_num(HCIEMU_TYPE_BREDRLE52, data->client_num);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_num_debug(HCIEMU_TYPE_BREDRLE52,
+						data->client_num, hciemu_debug,
+						"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/l2cap-tester.c b/tools/l2cap-tester.c
index 5c013d4704e5..a8cac3902b32 100644
--- a/tools/l2cap-tester.c
+++ b/tools/l2cap-tester.c
@@ -214,6 +214,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/mesh-tester.c b/tools/mesh-tester.c
index 27628b627957..4412bfdb727e 100644
--- a/tools/mesh-tester.c
+++ b/tools/mesh-tester.c
@@ -416,6 +416,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 			index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		test_pre_setup_failed();
diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 213fd996b032..4d28090271e9 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -428,6 +428,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		test_pre_setup_failed();
diff --git a/tools/rfcomm-tester.c b/tools/rfcomm-tester.c
index 06e9fbdd6143..b7f7d9ebd794 100644
--- a/tools/rfcomm-tester.c
+++ b/tools/rfcomm-tester.c
@@ -164,6 +164,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/sco-tester.c b/tools/sco-tester.c
index f09ba04aeaf7..a2185b8ef198 100644
--- a/tools/sco-tester.c
+++ b/tools/sco-tester.c
@@ -192,6 +192,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(HCIEMU_TYPE_BREDRLE);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(HCIEMU_TYPE_BREDRLE, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/smp-tester.c b/tools/smp-tester.c
index aaf149c0deb7..581f3a233704 100644
--- a/tools/smp-tester.c
+++ b/tools/smp-tester.c
@@ -182,6 +182,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_removed_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, print_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
diff --git a/tools/userchan-tester.c b/tools/userchan-tester.c
index a03f64d84c0b..9164fc33f5d9 100644
--- a/tools/userchan-tester.c
+++ b/tools/userchan-tester.c
@@ -153,6 +153,9 @@ static void read_index_list_callback(uint8_t status, uint16_t length,
 					index_added_callback, NULL, NULL);
 
 	data->hciemu = hciemu_new(data->hciemu_type);
+	if (!data->hciemu)
+		data->hciemu = hciemu_new_debug(data->hciemu_type, mgmt_debug,
+							"hciemu: ", NULL);
 	if (!data->hciemu) {
 		tester_warn("Failed to setup HCI emulation");
 		tester_pre_setup_failed();
-- 
2.53.0

RE: [BlueZ,v1,1/3] tools/tester: Fix crash when hciemu_new fails

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2246 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1090665

---Test result---

Test Summary:
CheckPatch                    FAIL      1.10 seconds
GitLint                       PASS      0.74 seconds
BuildEll                      PASS      20.80 seconds
BluezMake                     PASS      652.47 seconds
CheckSmatch                   WARNING   352.56 seconds
bluezmakeextell               PASS      184.99 seconds
IncrementalBuild              PASS      680.38 seconds
ScanBuild                     PASS      1001.16 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v1,3/3] tools/tester: Retry with debug on hciemu_new failure
WARNING:LONG_LINE: line length of 81 exceeds 80 columns
#241: FILE: tools/sco-tester.c:196:
+		data->hciemu = hciemu_new_debug(HCIEMU_TYPE_BREDRLE, print_debug,

/github/workspace/src/patch/14557929.patch total: 0 errors, 1 warnings, 100 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14557929.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
tools/sco-tester.c: note: in included file:./lib/bluetooth/bluetooth.h:232:15: warning: array of flexible structures./lib/bluetooth/bluetooth.h:237:31: warning: array of flexible structurestools/sco-tester.c: note: in included file:./lib/bluetooth/bluetooth.h:232:15: warning: array of flexible structures./lib/bluetooth/bluetooth.h:237:31: warning: array of flexible structures


https://github.com/bluez/bluez/pull/2103

---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ v1 1/3] tools/tester: Fix crash when hciemu_new fails

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed,  6 May 2026 15:41:48 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> When hciemu_new returns NULL, the mgmt object was not being unreferenced
> before returning from the pre-setup failure path. This could lead to a
> NULL dereference in read_info_callback when it later calls
> hciemu_get_address on the NULL hciemu pointer.
> 
> [...]

Here is the summary with links:
  - [BlueZ,v1,1/3] tools/tester: Fix crash when hciemu_new fails
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=acd0a49506a1
  - [BlueZ,v1,2/3] emulator/hciemu: Add hciemu_new_debug/hciemu_new_num_debug
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=a068db99c46f
  - [BlueZ,v1,3/3] tools/tester: Retry with debug on hciemu_new failure
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e3dec62da2a5

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html