Linux bluetooth development
* [PATCH] Bluetooth: hci_uart: serialize close flush with write_work
@ 2026-05-09  8:31 wuyankun
  2026-05-09 10:17 ` bluez.test.bot
  0 siblings, 1 reply; 2+ messages in thread
From: wuyankun @ 2026-05-09  8:31 UTC (permalink / raw)
  To: marcel, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, wuyankun,
	syzbot+da2717d5c64bf7975268, stable

hci_uart_close() calls hci_uart_flush(), and flush may free hu->tx_skb.
At the same time, hci_uart_write_work() can still be running and access
the same skb (for example through skb_pull()), which leads to a
use-after-free.

Fix this by canceling write_work before calling hci_uart_flush(), so the
tx_skb lifetime is fully serialized against the TX worker.

Reported-by: syzbot+da2717d5c64bf7975268@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=da2717d5c64bf7975268
Cc: stable@vger.kernel.org
Signed-off-by: wuyankun <wuyankun@uniontech.com>
---
 drivers/bluetooth/hci_ldisc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 275ea865bc29..51cc9af0f7e8 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -263,8 +263,11 @@ static int hci_uart_open(struct hci_dev *hdev)
 /* Close device */
 static int hci_uart_close(struct hci_dev *hdev)
 {
+	struct hci_uart *hu = hci_get_drvdata(hdev);
 	BT_DBG("hdev %p", hdev);
 
+	/* Ensure write_work is not touching tx_skb while flush frees it. */
+	cancel_work_sync(&hu->write_work);
 	hci_uart_flush(hdev);
 	hdev->flush = NULL;
 	return 0;
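Review bot: the added cancel_work_sync() before hci_uart_flush() serializes against a worker that is already running, but nothing in this hunk stops write_work from being queued again once cancel_work_sync() returns; if the TX wakeup path can still schedule it after this point, the flush would free tx_skb under a freshly queued worker, so either state why no further queueing is possible here or clear the flag that path checks before the cancel. Two smaller points: kernel style wants a blank line after the `struct hci_uart *hu = hci_get_drvdata(hdev);` declaration before the `BT_DBG("hdev %p", hdev);` call, and the stable Cc would be easier to act on with a `Fixes:` tag and a `Closes:` line after `Reported-by:` (as checkpatch flags further down the thread).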
-- 
2.20.1


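A userspace model of the race the commit message describes and of the patched ordering, added here as an illustration; it is not kernel code and not part of this patch. The `_model` functions, the struct fields and the use of a pthread as a stand-in for the write_work work item are constructed assumptions, with pthread_join playing the role of cancel_work_sync() so that flush can only free tx_skb once the worker has stopped touching it.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects named in the patch. */
struct sk_buff { unsigned int len; };
struct hci_uart {
    struct sk_buff *tx_skb;        /* buffer the TX worker drains */
    pthread_t write_work;          /* models the write_work work item */
    unsigned int pulled;           /* bytes the worker has pulled so far */
    unsigned int pulled_at_flush;  /* worker progress when flush freed tx_skb */
};
/* Models hci_uart_write_work(): keeps touching tx_skb until it is drained. */
static void *write_work_fn(void *arg)
{
    struct hci_uart *hu = arg;
    while (hu->tx_skb->len > 0) {  /* use-after-free if flush frees tx_skb meanwhile */
        hu->tx_skb->len--;         /* models skb_pull(hu->tx_skb, 1) */
        hu->pulled++;
    }
    return NULL;
}
/* Models cancel_work_sync(): returns only once the worker is no longer running. */
static void cancel_work_sync_model(struct hci_uart *hu) { pthread_join(hu->write_work, NULL); }
/* Models hci_uart_flush(): frees tx_skb, recording how far the worker had got. */
static void hci_uart_flush_model(struct hci_uart *hu)
{
    hu->pulled_at_flush = hu->pulled;
    free(hu->tx_skb);
}
/* The patched ordering: wait for the worker, then let flush free tx_skb. */
static int hci_uart_close_model(struct hci_uart *hu)
{
    cancel_work_sync_model(hu);
    hci_uart_flush_model(hu);
    return 0;
}
/* Queue queued_len bytes, start the worker, then close. Returns the bytes the
 * worker had pulled when tx_skb was freed; equal to queued_len means no overlap. */
unsigned int run_close_scenario(unsigned int queued_len)
{
    struct hci_uart hu = { 0 };
    hu.tx_skb = malloc(sizeof *hu.tx_skb);
    hu.tx_skb->len = queued_len;
    if (pthread_create(&hu.write_work, NULL, write_work_fn, &hu) != 0)
        return 0;                  /* constructed model: creation failure is not handled */
    hci_uart_close_model(&hu);
    return hu.pulled_at_flush;
}
```

Reordering the two calls in hci_uart_close_model() reproduces the bug the patch fixes: the worker would then read tx_skb after free() has returned it.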

* RE: Bluetooth: hci_uart: serialize close flush with write_work
  2026-05-09  8:31 [PATCH] Bluetooth: hci_uart: serialize close flush with write_work wuyankun
@ 2026-05-09 10:17 ` bluez.test.bot
  0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2026-05-09 10:17 UTC (permalink / raw)
  To: linux-bluetooth, wuyankun


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1091961

---Test result---

Test Summary:
CheckPatch                    FAIL      0.92 seconds
GitLint                       PASS      0.23 seconds
SubjectPrefix                 PASS      0.07 seconds
BuildKernel                   PASS      26.57 seconds
CheckAllWarning               PASS      29.35 seconds
CheckSparse                   PASS      27.96 seconds
BuildKernel32                 PASS      25.93 seconds
TestRunnerSetup               PASS      570.70 seconds
IncrementalBuild              PASS      25.68 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: hci_uart: serialize close flush with write_work
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#97: 
Reported-by: syzbot+da2717d5c64bf7975268@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=da2717d5c64bf7975268

WARNING: The commit message has 'stable@', perhaps it also needs a 'Fixes:' tag?

total: 0 errors, 2 warnings, 11 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14562736.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

https://github.com/bluez/bluetooth-next/pull/158

---
Regards,
Linux Bluetooth

