[PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP

linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
@ 2025-11-17 21:51 Luiz Augusto von Dentz
  2025-11-17 22:36 ` [v2] " bluez.test.bot
  2025-11-18 14:16 ` [PATCH v2] " Luiz Augusto von Dentz
  0 siblings, 2 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2025-11-17 21:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Fixes: 486a25d25a4b3 ("Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP")
Reported-by: syzbot+25e9c406cbd26c66c417@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=25e9c406cbd26c66c417
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/hci_core.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 9f686e5903a1..1920e3d62bda 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4121,7 +4121,7 @@ static void hci_rx_work(struct work_struct *work)
 	}
 }
 
-static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	int err;
 
@@ -4133,16 +4133,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 	if (!hdev->sent_cmd) {
 		skb_queue_head(&hdev->cmd_q, skb);
 		queue_work(hdev->workqueue, &hdev->cmd_work);
-		return;
+		return -EINVAL;
 	}
 
 	if (hci_skb_opcode(skb) != HCI_OP_NOP) {
 		err = hci_send_frame(hdev, skb);
 		if (err < 0) {
 			hci_cmd_sync_cancel_sync(hdev, -err);
-			return;
+			return err;
 		}
 		atomic_dec(&hdev->cmd_cnt);
+	} else {
+		err = -ENODATA;
+		kfree_skb(skb);
 	}
 
 	if (hdev->req_status == HCI_REQ_PEND &&
@@ -4150,12 +4153,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 		kfree_skb(hdev->req_skb);
 		hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
 	}
+
+	return err;
 }
 
 static void hci_cmd_work(struct work_struct *work)
 {
 	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
 	struct sk_buff *skb;
+	int err;
 
 	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
 	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
@@ -4166,12 +4172,8 @@ static void hci_cmd_work(struct work_struct *work)
 		if (!skb)
 			return;
 
-		hci_send_cmd_sync(hdev, skb);
-
-		/* Don't trigger cmd_timer in case of HCI_OP_NOP since there is
-		 * no command pending.
-		 */
-		if (hci_skb_opcode(skb) == HCI_OP_NOP)
+		err = hci_send_cmd_sync(hdev, skb);
+		if (err)
 			return;
 
 		rcu_read_lock();
-- 
2.51.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
  2025-11-17 21:51 [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Luiz Augusto von Dentz
@ 2025-11-17 22:36 ` bluez.test.bot
  2025-11-18 14:16 ` [PATCH v2] " Luiz Augusto von Dentz
  1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2025-11-17 22:36 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz

[-- Attachment #1: Type: text/plain, Size: 2900 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1024529

---Test result---

Test Summary:
CheckPatch                    PENDING   0.41 seconds
GitLint                       PENDING   0.24 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      25.18 seconds
CheckAllWarning               PASS      28.16 seconds
CheckSparse                   WARNING   33.86 seconds
BuildKernel32                 PASS      25.17 seconds
TestRunnerSetup               PASS      546.30 seconds
TestRunner_l2cap-tester       PASS      23.68 seconds
TestRunner_iso-tester         PASS      76.63 seconds
TestRunner_bnep-tester        PASS      6.05 seconds
TestRunner_mgmt-tester        FAIL      111.67 seconds
TestRunner_rfcomm-tester      PASS      9.09 seconds
TestRunner_sco-tester         PASS      14.16 seconds
TestRunner_ioctl-tester       PASS      9.73 seconds
TestRunner_mesh-tester        FAIL      11.43 seconds
TestRunner_smp-tester         PASS      8.32 seconds
TestRunner_userchan-tester    PASS      6.54 seconds
IncrementalBuild              PENDING   0.80 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/hci_core.c:85:9: warning: context imbalance in '__hci_dev_get' - different lock contexts for basic blocknet/bluetooth/hci_core.c: note: in included file (through include/linux/notifier.h, include/linux/memory_hotplug.h, include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, include/linux/radix-tree.h, ...):
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 487 (98.6%), Failed: 3, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.092 seconds
LL Privacy - Add Device 3 (AL is full)               Failed       0.194 seconds
LL Privacy - Set Flags 3 (2 Devices to RL)           Failed       0.172 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.102 seconds
Mesh - Send cancel - 2                               Timed out    1.999 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
  2025-11-17 21:51 [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Luiz Augusto von Dentz
  2025-11-17 22:36 ` [v2] " bluez.test.bot
@ 2025-11-18 14:16 ` Luiz Augusto von Dentz
  2025-11-18 14:42   ` Pauli Virtanen
  1 sibling, 1 reply; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2025-11-18 14:16 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Pauli Virtanen

Hi Pauli,

On Mon, Nov 17, 2025 at 4:51 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> Fixes: 486a25d25a4b3 ("Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP")
> Reported-by: syzbot+25e9c406cbd26c66c417@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=25e9c406cbd26c66c417
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
>  net/bluetooth/hci_core.c | 20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 9f686e5903a1..1920e3d62bda 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -4121,7 +4121,7 @@ static void hci_rx_work(struct work_struct *work)
>         }
>  }
>
> -static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
> +static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>  {
>         int err;
>
> @@ -4133,16 +4133,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>         if (!hdev->sent_cmd) {
>                 skb_queue_head(&hdev->cmd_q, skb);
>                 queue_work(hdev->workqueue, &hdev->cmd_work);
> -               return;
> +               return -EINVAL;
>         }
>
>         if (hci_skb_opcode(skb) != HCI_OP_NOP) {
>                 err = hci_send_frame(hdev, skb);
>                 if (err < 0) {
>                         hci_cmd_sync_cancel_sync(hdev, -err);
> -                       return;
> +                       return err;
>                 }
>                 atomic_dec(&hdev->cmd_cnt);
> +       } else {
> +               err = -ENODATA;
> +               kfree_skb(skb);

Does this address your concern about the skb not being consumed/leaking?

>         }
>
>         if (hdev->req_status == HCI_REQ_PEND &&
> @@ -4150,12 +4153,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>                 kfree_skb(hdev->req_skb);
>                 hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
>         }
> +
> +       return err;
>  }
>
>  static void hci_cmd_work(struct work_struct *work)
>  {
>         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
>         struct sk_buff *skb;
> +       int err;
>
>         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
>                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
> @@ -4166,12 +4172,8 @@ static void hci_cmd_work(struct work_struct *work)
>                 if (!skb)
>                         return;
>
> -               hci_send_cmd_sync(hdev, skb);
> -
> -               /* Don't trigger cmd_timer in case of HCI_OP_NOP since there is
> -                * no command pending.
> -                */
> -               if (hci_skb_opcode(skb) == HCI_OP_NOP)
> +               err = hci_send_cmd_sync(hdev, skb);
> +               if (err)
>                         return;
>
>                 rcu_read_lock();
> --
> 2.51.1
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP
  2025-11-18 14:16 ` [PATCH v2] " Luiz Augusto von Dentz
@ 2025-11-18 14:42   ` Pauli Virtanen
  0 siblings, 0 replies; 4+ messages in thread
From: Pauli Virtanen @ 2025-11-18 14:42 UTC (permalink / raw)
  To: Luiz Augusto von Dentz, linux-bluetooth

Hi,

18. marraskuuta 2025 14.16.42 UTC Luiz Augusto von Dentz <luiz.dentz@gmail.com> kirjoitti:
>Hi Pauli,
>
>On Mon, Nov 17, 2025 at 4:51 PM Luiz Augusto von Dentz
><luiz.dentz@gmail.com> wrote:
>>
>> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>
>> Fixes: 486a25d25a4b3 ("Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP")
>> Reported-by: syzbot+25e9c406cbd26c66c417@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=25e9c406cbd26c66c417
>> Signed-off-by: Pauli Virtanen <pav@iki.fi>
>> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>> ---
>>  net/bluetooth/hci_core.c | 20 +++++++++++---------
>>  1 file changed, 11 insertions(+), 9 deletions(-)
>>
>> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
>> index 9f686e5903a1..1920e3d62bda 100644
>> --- a/net/bluetooth/hci_core.c
>> +++ b/net/bluetooth/hci_core.c
>> @@ -4121,7 +4121,7 @@ static void hci_rx_work(struct work_struct *work)
>>         }
>>  }
>>
>> -static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>> +static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>>  {
>>         int err;
>>
>> @@ -4133,16 +4133,19 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>>         if (!hdev->sent_cmd) {
>>                 skb_queue_head(&hdev->cmd_q, skb);
>>                 queue_work(hdev->workqueue, &hdev->cmd_work);
>> -               return;
>> +               return -EINVAL;
>>         }
>>
>>         if (hci_skb_opcode(skb) != HCI_OP_NOP) {
>>                 err = hci_send_frame(hdev, skb);
>>                 if (err < 0) {
>>                         hci_cmd_sync_cancel_sync(hdev, -err);
>> -                       return;
>> +                       return err;
>>                 }
>>                 atomic_dec(&hdev->cmd_cnt);
>> +       } else {
>> +               err = -ENODATA;
>> +               kfree_skb(skb);
>
>Does this address your concern about the skb not being consumed/leaking?

Yes, I think now the original skb gets freed in all paths.

>
>>         }
>>
>>         if (hdev->req_status == HCI_REQ_PEND &&
>> @@ -4150,12 +4153,15 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
>>                 kfree_skb(hdev->req_skb);
>>                 hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
>>         }
>> +
>> +       return err;
>>  }
>>
>>  static void hci_cmd_work(struct work_struct *work)
>>  {
>>         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
>>         struct sk_buff *skb;
>> +       int err;
>>
>>         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
>>                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
>> @@ -4166,12 +4172,8 @@ static void hci_cmd_work(struct work_struct *work)
>>                 if (!skb)
>>                         return;
>>
>> -               hci_send_cmd_sync(hdev, skb);
>> -
>> -               /* Don't trigger cmd_timer in case of HCI_OP_NOP since there is
>> -                * no command pending.
>> -                */
>> -               if (hci_skb_opcode(skb) == HCI_OP_NOP)
>> +               err = hci_send_cmd_sync(hdev, skb);
>> +               if (err)
>>                         return;
>>
>>                 rcu_read_lock();
>> --
>> 2.51.1
>>
>
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-11-18 14:42 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-17 21:51 [PATCH v2] fixup! Bluetooth: hci_core: Fix triggering cmd_timer for HCI_OP_NOP Luiz Augusto von Dentz
2025-11-17 22:36 ` [v2] " bluez.test.bot
2025-11-18 14:16 ` [PATCH v2] " Luiz Augusto von Dentz
2025-11-18 14:42   ` Pauli Virtanen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).