* [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
From: Luiz Augusto von Dentz @ 2025-11-17 21:51 UTC
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Fixes: 486a25d25a4b3 ("Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP")
Reported-by: syzbot+25e9c406cbd26c66c417@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=25e9c406cbd26c66c417
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_core.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 9f686e5903a1..1920e3d62bda 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4121,7 +4121,7 @@ static void hci_rx_work(struct work_struct *work)
}
}
-static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
{
int err;
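Review bot: the change of hci_send_cmd_sync() from void to int at the top of this hunk comes with no comment describing the return contract, and the local `int err;` kept as context is uninitialised, so every path that reaches `return err` has to assign it first. The later hunks return -EINVAL, the hci_send_frame() error and -ENODATA with different meanings; a short comment above the function listing those values, and saying which of them leave the skb queued, would let callers rely on them.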
@@ -4133,16 +4133,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
if (!hdev->sent_cmd) {
skb_queue_head(&hdev->cmd_q, skb);
queue_work(hdev->workqueue, &hdev->cmd_work);
- return;
+ return -EINVAL;
}
if (hci_skb_opcode(skb) != HCI_OP_NOP) {
err = hci_send_frame(hdev, skb);
if (err < 0) {
hci_cmd_sync_cancel_sync(hdev, -err);
- return;
+ return err;
}
atomic_dec(&hdev->cmd_cnt);
+ } else {
+ err = -ENODATA;
+ kfree_skb(skb);
}
if (hdev->req_status == HCI_REQ_PEND &&
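Review bot: in the new `else` branch the skb is released with `kfree_skb(skb)` and execution then falls through to the `hdev->req_status == HCI_REQ_PEND` block, so from that point `skb` is a dangling pointer for the rest of the function and for the caller. The lines visible here only touch hdev->sent_cmd and hdev->req_skb afterwards, so nothing dereferences it, but the three non-zero exits now leave the skb in three different states: put back on cmd_q with -EINVAL, passed to hci_send_frame() with its error, and freed with -ENODATA. Consider a comment stating that the skb must not be used after a non-zero return, and consider whether -EINVAL is the right code for a path that requeues the command for a retry.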
@@ -4150,12 +4153,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
kfree_skb(hdev->req_skb);
hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
}
+
+ return err;
}
static void hci_cmd_work(struct work_struct *work)
{
struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
struct sk_buff *skb;
+ int err;
BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
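Review bot: the added `return err;` at the end of hci_send_cmd_sync() reports success only because `err` still holds the result of hci_send_frame() from the earlier branch, while the caller added in the next hunk tests `if (err)` rather than `err < 0` as the send path does. If success is meant to be exactly 0, returning 0 explicitly on the sent path and keeping -ENODATA for the HCI_OP_NOP path would make that independent of what hci_send_frame() returns on success. The `skb_clone(hdev->sent_cmd, GFP_KERNEL)` result shown as context just above is also stored in hdev->req_skb without a NULL check in these lines.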
@@ -4166,12 +4172,8 @@ static void hci_cmd_work(struct work_struct *work)
if (!skb)
return;
- hci_send_cmd_sync(hdev, skb);
-
- /* Don't trigger cmd_timer in case of HCI_OP_NOP since there is
- * no command pending.
- */
- if (hci_skb_opcode(skb) == HCI_OP_NOP)
+ err = hci_send_cmd_sync(hdev, skb);
+ if (err)
return;
rcu_read_lock();
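Review bot: `if (err) return;` widens the early return in hci_cmd_work() from the HCI_OP_NOP case alone to every non-zero result, so the requeue path (-EINVAL) and a failed hci_send_frame() now also skip the code after `rcu_read_lock()`, which the removed comment ties to cmd_timer. The commit message has no body saying this is intended, and the rationale in the removed comment is lost; a replacement comment such as "no command pending on error or HCI_OP_NOP, do not arm cmd_timer" would keep it. The removed `hci_skb_opcode(skb)` check read the skb after it had been handed to hci_send_cmd_sync(), so deciding on the return value instead is the right direction.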
--
2.51.1
* RE: [v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
From: bluez.test.bot @ 2025-11-17 22:36 UTC
To: linux-bluetooth, luiz.dentz
This is an automated email; please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1024529
---Test result---
Test Summary:
CheckPatch                    PENDING   0.41 seconds
GitLint                       PENDING   0.24 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      25.18 seconds
CheckAllWarning               PASS      28.16 seconds
CheckSparse                   WARNING   33.86 seconds
BuildKernel32                 PASS      25.17 seconds
TestRunnerSetup               PASS      546.30 seconds
TestRunner_l2cap-tester       PASS      23.68 seconds
TestRunner_iso-tester         PASS      76.63 seconds
TestRunner_bnep-tester        PASS      6.05 seconds
TestRunner_mgmt-tester        FAIL      111.67 seconds
TestRunner_rfcomm-tester      PASS      9.09 seconds
TestRunner_sco-tester         PASS      14.16 seconds
TestRunner_ioctl-tester       PASS      9.73 seconds
TestRunner_mesh-tester        FAIL      11.43 seconds
TestRunner_smp-tester         PASS      8.32 seconds
TestRunner_userchan-tester    PASS      6.54 seconds
IncrementalBuild              PENDING   0.80 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_core.c:85:9: warning: context imbalance in '__hci_dev_get' - different lock contexts for basic block
net/bluetooth/hci_core.c: note: in included file (through include/linux/notifier.h, include/linux/memory_hotplug.h, include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, include/linux/radix-tree.h, ...):
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 487 (98.6%), Failed: 3, Not Run: 4
Failed Test Cases
Read Exp Feature - Success                    Failed    0.092 seconds
LL Privacy - Add Device 3 (AL is full)        Failed    0.194 seconds
LL Privacy - Set Flags 3 (2 Devices to RL)    Failed    0.172 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1    Timed out    2.102 seconds
Mesh - Send cancel - 2    Timed out    1.999 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
From: Luiz Augusto von Dentz @ 2025-11-18 14:16 UTC
To: linux-bluetooth; +Cc: Pauli Virtanen
Hi Pauli,
On Mon, Nov 17, 2025 at 4:51 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Fixes: 486a25d25a4b3 ("Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP")
> Reported-by: syzbot+25e9c406cbd26c66c417@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=25e9c406cbd26c66c417
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_core.c | 20 +++++++++++---------
> 1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 9f686e5903a1..1920e3d62bda 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -4121,7 +4121,7 @@ static void hci_rx_work(struct work_struct *work)
> }
> }
>
> -static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
> +static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
> {
> int err;
>
> @@ -4133,16 +4133,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
> if (!hdev->sent_cmd) {
> skb_queue_head(&hdev->cmd_q, skb);
> queue_work(hdev->workqueue, &hdev->cmd_work);
> - return;
> + return -EINVAL;
> }
>
> if (hci_skb_opcode(skb) != HCI_OP_NOP) {
> err = hci_send_frame(hdev, skb);
> if (err < 0) {
> hci_cmd_sync_cancel_sync(hdev, -err);
> - return;
> + return err;
> }
> atomic_dec(&hdev->cmd_cnt);
> + } else {
> + err = -ENODATA;
> + kfree_skb(skb);
Does this address your concern about the skb not being consumed/leaking?
> }
>
> if (hdev->req_status == HCI_REQ_PEND &&
> @@ -4150,12 +4153,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
> kfree_skb(hdev->req_skb);
> hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
> }
> +
> + return err;
> }
>
> static void hci_cmd_work(struct work_struct *work)
> {
> struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
> struct sk_buff *skb;
> + int err;
>
> BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
> atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
> @@ -4166,12 +4172,8 @@ static void hci_cmd_work(struct work_struct *work)
> if (!skb)
> return;
>
> - hci_send_cmd_sync(hdev, skb);
> -
> - /* Don't trigger cmd_timer in case of HCI_OP_NOP since there is
> - * no command pending.
> - */
> - if (hci_skb_opcode(skb) == HCI_OP_NOP)
> + err = hci_send_cmd_sync(hdev, skb);
> + if (err)
> return;
>
> rcu_read_lock();
> --
> 2.51.1
>
--
Luiz Augusto von Dentz
* Re: [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
From: Pauli Virtanen @ 2025-11-18 14:42 UTC
To: Luiz Augusto von Dentz, linux-bluetooth
Hi,
On 18 November 2025 14:16:42 UTC, Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>Hi Pauli,
>
>On Mon, Nov 17, 2025 at 4:51 PM Luiz Augusto von Dentz
><luiz.dentz@gmail.com> wrote:
>>
>> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>
>> Fixes: 486a25d25a4b3 ("Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP")
>> Reported-by: syzbot+25e9c406cbd26c66c417@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=25e9c406cbd26c66c417
>> Signed-off-by: Pauli Virtanen <pav@iki.fi>
>> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>> ---
>> net/bluetooth/hci_core.c | 20 +++++++++++---------
>> 1 file changed, 11 insertions(+), 9 deletions(-)
>>
>> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
>> index 9f686e5903a1..1920e3d62bda 100644
>> --- a/net/bluetooth/hci_core.c
>> +++ b/net/bluetooth/hci_core.c
>> @@ -4121,7 +4121,7 @@ static void hci_rx_work(struct work_struct *work)
>> }
>> }
>>
>> -static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>> +static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>> {
>> int err;
>>
>> @@ -4133,16 +4133,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>> if (!hdev->sent_cmd) {
>> skb_queue_head(&hdev->cmd_q, skb);
>> queue_work(hdev->workqueue, &hdev->cmd_work);
>> - return;
>> + return -EINVAL;
>> }
>>
>> if (hci_skb_opcode(skb) != HCI_OP_NOP) {
>> err = hci_send_frame(hdev, skb);
>> if (err < 0) {
>> hci_cmd_sync_cancel_sync(hdev, -err);
>> - return;
>> + return err;
>> }
>> atomic_dec(&hdev->cmd_cnt);
>> + } else {
>> + err = -ENODATA;
>> + kfree_skb(skb);
>
>Does this address your concern about the skb not being consumed/leaking?
Yes, I think now the original skb gets freed in all paths.
>
>> }
>>
>> if (hdev->req_status == HCI_REQ_PEND &&
>> @@ -4150,12 +4153,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>> kfree_skb(hdev->req_skb);
>> hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
>> }
>> +
>> + return err;
>> }
>>
>> static void hci_cmd_work(struct work_struct *work)
>> {
>> struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
>> struct sk_buff *skb;
>> + int err;
>>
>> BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
>> atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
>> @@ -4166,12 +4172,8 @@ static void hci_cmd_work(struct work_struct *work)
>> if (!skb)
>> return;
>>
>> - hci_send_cmd_sync(hdev, skb);
>> -
>> - /* Don't trigger cmd_timer in case of HCI_OP_NOP since there is
>> - * no command pending.
>> - */
>> - if (hci_skb_opcode(skb) == HCI_OP_NOP)
>> + err = hci_send_cmd_sync(hdev, skb);
>> + if (err)
>> return;
>>
>> rcu_read_lock();
>> --
>> 2.51.1
>>
>
>