From: Johan Hovold <johan@kernel.org>
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
Marcel Holtmann <marcel@holtmann.org>
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Johan Hovold <johan@kernel.org>, Rajat Jain <rajatja@google.com>
Subject: [PATCH v4 4/5] Bluetooth: btusb: fix wakeup irq devres lifetime
Date: Thu, 4 Jun 2026 08:37:39 +0200 [thread overview]
Message-ID: <20260604063740.2595260-5-johan@kernel.org> (raw)
In-Reply-To: <20260604063740.2595260-1-johan@kernel.org>
The OOB wakeup interrupt is device managed but its lifetime is
incorrectly tied to the child HCI device rather than the USB interface
to which the driver is bound.
This should not cause any trouble currently as the interrupt will be
disabled when the HCI device is deregistered on disconnect (but this was
not always the case, see [1]), and there should be no further references
if probe fails before registering it. But it is still technically wrong
as the reference counted HCI device could in theory remain after a probe
failure.
Explicitly free the interrupt on disconnect so that it is guaranteed to
be disabled before freeing the (non-managed) driver data (including if
disconnected while suspended).
[1] 699fb50d9903 ("drivers: base: Free devm resources when unregistering
a device")
Fixes: fd913ef7ce61 ("Bluetooth: btusb: Add out-of-band wakeup support")
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/bluetooth/btusb.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 3e8c90486e4c..9d2e5a8dcf85 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3824,8 +3824,7 @@ static int btusb_config_oob_wake(struct hci_dev *hdev)
}
irq_set_status_flags(irq, IRQ_NOAUTOEN);
- ret = devm_request_irq(&hdev->dev, irq, btusb_oob_wake_handler,
- 0, "OOB Wake-on-BT", data);
+ ret = request_irq(irq, btusb_oob_wake_handler, 0, "OOB Wake-on-BT", data);
if (ret) {
bt_dev_err(hdev, "%s: IRQ request failed", __func__);
return ret;
@@ -3834,12 +3833,18 @@ static int btusb_config_oob_wake(struct hci_dev *hdev)
ret = device_init_wakeup(dev, true);
if (ret) {
bt_dev_err(hdev, "%s: failed to init_wakeup", __func__);
- return ret;
+ goto err_free_irq;
}
data->oob_wake_irq = irq;
bt_dev_info(hdev, "OOB Wake-on-BT configured at IRQ %u", irq);
+
return 0;
+
+err_free_irq:
+ free_irq(irq, data);
+
+ return ret;
}
#else
static inline int btusb_config_oob_wake(struct hci_dev *hdev)
@@ -4437,8 +4442,10 @@ static int btusb_probe(struct usb_interface *intf,
err_kill_tx_urbs:
usb_kill_anchored_urbs(&data->tx_anchor);
err_disable_wakeup:
- if (data->oob_wake_irq)
+ if (data->oob_wake_irq) {
device_init_wakeup(&data->udev->dev, false);
+ free_irq(data->oob_wake_irq, data);
+ }
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
@@ -4471,8 +4478,11 @@ static void btusb_disconnect(struct usb_interface *intf)
hci_unregister_dev(hdev);
- if (data->oob_wake_irq)
+ if (data->oob_wake_irq) {
device_init_wakeup(&data->udev->dev, false);
+ free_irq(data->oob_wake_irq, data);
+ }
+
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
--
2.53.0
next prev parent reply other threads:[~2026-06-04 6:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 6:37 [PATCH v4 0/5] Bluetooth: btusb: fix wakeup irq devres lifetime Johan Hovold
2026-06-04 6:37 ` [PATCH v4 1/5] Bluetooth: btusb: fix use-after-free on registration failure Johan Hovold
2026-06-04 9:28 ` Bluetooth: btusb: fix wakeup irq devres lifetime bluez.test.bot
2026-06-04 6:37 ` [PATCH v4 2/5] Bluetooth: btusb: fix use-after-free on marvell probe failure Johan Hovold
2026-06-04 6:37 ` [PATCH v4 3/5] Bluetooth: btusb: fix wakeup source leak on " Johan Hovold
2026-06-04 6:37 ` Johan Hovold [this message]
2026-06-04 6:37 ` [PATCH v4 5/5] Bluetooth: btusb: clean up probe error handling Johan Hovold
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604063740.2595260-5-johan@kernel.org \
--to=johan@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=rajatja@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox