* [PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
@ 2026-03-18 12:54 Cen Zhang
2026-03-18 14:43 ` [v2] " bluez.test.bot
2026-03-23 19:40 ` [PATCH v2] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Cen Zhang @ 2026-03-18 12:54 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, linux-kernel, baijiaju1990, Cen Zhang
btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
and Intel exception-info retrieval) without holding
hci_req_sync_lock(). This lets it race against
hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
__hci_cmd_sync() under the same lock. When both paths manipulate
hdev->req_status/req_rsp concurrently, the close path may free the
response skb first, and the still-running hw_error path hits a
slab-use-after-free in kfree_skb().
Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
is serialized with every other synchronous HCI command issuer.
Below is the data race report and the kasan report:
BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
write/free by task ioctl/22580:
btintel_shutdown_combined+0xd0/0x360
drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
BUG: KASAN: slab-use-after-free in
sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
Fixes: 973bb97e5aee ("Bluetooth: btintel: Add generic function for handling hardware errors")
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
drivers/bluetooth/btintel.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index 246b6205c5e0..ab146894ba4e 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -251,11 +251,13 @@ void btintel_hw_error(struct hci_dev *hdev, u8 code)
bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
+ hci_req_sync_lock(hdev);
+
skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
PTR_ERR(skb));
- return;
+ goto unlock;
}
kfree_skb(skb);
@@ -263,18 +265,21 @@ void btintel_hw_error(struct hci_dev *hdev, u8 code)
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
PTR_ERR(skb));
- return;
+ goto unlock;
}
if (skb->len != 13) {
bt_dev_err(hdev, "Exception info size mismatch");
kfree_skb(skb);
- return;
+ goto unlock;
}
bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
kfree_skb(skb);
+
+unlock:
+ hci_req_sync_unlock(hdev);
}
EXPORT_SYMBOL_GPL(btintel_hw_error);
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* RE: [v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
2026-03-18 12:54 [PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Cen Zhang
@ 2026-03-18 14:43 ` bluez.test.bot
2026-03-23 19:40 ` [PATCH v2] " patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-03-18 14:43 UTC (permalink / raw)
To: linux-bluetooth, zzzccc427
[-- Attachment #1: Type: text/plain, Size: 2833 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1068649
---Test result---
Test Summary:
CheckPatch PENDING 0.58 seconds
GitLint PENDING 0.35 seconds
SubjectPrefix PASS 0.08 seconds
BuildKernel PASS 27.17 seconds
CheckAllWarning PASS 29.65 seconds
CheckSparse PASS 28.44 seconds
BuildKernel32 PASS 26.84 seconds
TestRunnerSetup PASS 584.05 seconds
TestRunner_l2cap-tester PASS 28.26 seconds
TestRunner_iso-tester FAIL 32.95 seconds
TestRunner_bnep-tester PASS 6.39 seconds
TestRunner_mgmt-tester FAIL 117.46 seconds
TestRunner_rfcomm-tester PASS 9.95 seconds
TestRunner_sco-tester FAIL 14.94 seconds
TestRunner_ioctl-tester PASS 10.54 seconds
TestRunner_mesh-tester FAIL 12.49 seconds
TestRunner_smp-tester PASS 8.79 seconds
TestRunner_userchan-tester PASS 6.97 seconds
IncrementalBuild PENDING 0.88 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.109 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.600 seconds
Mesh - Send cancel - 2 Timed out 1.993 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
2026-03-18 12:54 [PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Cen Zhang
2026-03-18 14:43 ` [v2] " bluez.test.bot
@ 2026-03-23 19:40 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-23 19:40 UTC (permalink / raw)
To: Cen Zhang; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel, baijiaju1990
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 18 Mar 2026 20:54:03 +0800 you wrote:
> btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
> and Intel exception-info retrieval) without holding
> hci_req_sync_lock(). This lets it race against
> hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
> __hci_cmd_sync() under the same lock. When both paths manipulate
> hdev->req_status/req_rsp concurrently, the close path may free the
> response skb first, and the still-running hw_error path hits a
> slab-use-after-free in kfree_skb().
>
> [...]
Here is the summary with links:
- [v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
https://git.kernel.org/bluetooth/bluetooth-next/c/b8982b6b9815
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-03-23 19:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-18 12:54 [PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock Cen Zhang
2026-03-18 14:43 ` [v2] " bluez.test.bot
2026-03-23 19:40 ` [PATCH v2] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox