* [PATCH v2] Bluetooth: hci_sync: fix refcounting in le_read_features_complete
@ 2026-03-29 15:40 Pauli Virtanen
2026-03-29 16:50 ` [v2] " bluez.test.bot
0 siblings, 1 reply; 2+ messages in thread
From: Pauli Virtanen @ 2026-03-29 15:40 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
hci_conn_get() refcount acquired in hci_le_read_remote_features() must
be unconditionally released in the destructor, or it leaks. The
destructor is always called if hci_cmd_sync_queue_once() returned with
success.
It also looks like removing the hold/drop logical refcounting here by
commit 60562bebb651 ("Bluetooth: hci_sync: Fix UAF in le_read_features_complete")
caused a behavior change (mgmt-tester Adv. / Ext. Adv. test failures).
Fix the destructor le_read_features_complete() to always release the
refcount.
Also restore the logical hold/drop refcount, preventing the hci_conn
from timing out during this command.
Fixes: 60562bebb651 ("Bluetooth: hci_sync: Fix UAF in le_read_features_complete")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
v2:
- restore also the hold/drop refcounting
This probably should be fixup in bluetooth-next/master if it wasn't
pulled yet.
Restoring the hold/drop makes the following mgmt-tester tests pass
again:
Adv. connectable & connected (central) - Success
Adv. non-connectable & connected (central) - Success
Ext Adv. connectable & connected (central)
Ext Adv. non-connectable & connected (central)
It's not clear to me whether there is something wrong with these tests,
but probably the behavior change was unintended so it's better to
restore it.
net/bluetooth/hci_sync.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 91d0252ae661..0c6baba4e69c 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -7390,9 +7390,7 @@ static void le_read_features_complete(struct hci_dev *hdev, void *data, int err)
bt_dev_dbg(hdev, "err %d", err);
- if (err == -ECANCELED)
- return;
-
+ hci_conn_drop(conn);
hci_conn_put(conn);
}
@@ -7463,10 +7461,12 @@ int hci_le_read_remote_features(struct hci_conn *conn)
if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
err = hci_cmd_sync_queue_once(hdev,
hci_le_read_remote_features_sync,
- hci_conn_get(conn),
+ hci_conn_hold(hci_conn_get(conn)),
le_read_features_complete);
- if (err)
+ if (err) {
+ hci_conn_drop(conn);
hci_conn_put(conn);
+ }
} else {
err = -EOPNOTSUPP;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* RE: [v2] Bluetooth: hci_sync: fix refcounting in le_read_features_complete
2026-03-29 15:40 [PATCH v2] Bluetooth: hci_sync: fix refcounting in le_read_features_complete Pauli Virtanen
@ 2026-03-29 16:50 ` bluez.test.bot
0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2026-03-29 16:50 UTC (permalink / raw)
To: linux-bluetooth, pav
[-- Attachment #1: Type: text/plain, Size: 2593 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1074221
---Test result---
Test Summary:
CheckPatch PENDING 0.30 seconds
GitLint PENDING 0.25 seconds
SubjectPrefix PASS 0.10 seconds
BuildKernel PASS 25.91 seconds
CheckAllWarning PASS 28.29 seconds
CheckSparse PASS 27.22 seconds
BuildKernel32 PASS 25.10 seconds
TestRunnerSetup PASS 560.73 seconds
TestRunner_l2cap-tester PASS 27.63 seconds
TestRunner_iso-tester PASS 39.73 seconds
TestRunner_bnep-tester PASS 6.25 seconds
TestRunner_mgmt-tester FAIL 115.26 seconds
TestRunner_rfcomm-tester PASS 9.94 seconds
TestRunner_sco-tester FAIL 14.84 seconds
TestRunner_ioctl-tester PASS 10.58 seconds
TestRunner_mesh-tester FAIL 12.46 seconds
TestRunner_smp-tester PASS 8.78 seconds
TestRunner_userchan-tester PASS 7.00 seconds
IncrementalBuild PENDING 1.00 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.115 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.512 seconds
Mesh - Send cancel - 2 Timed out 1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-03-29 16:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-29 15:40 [PATCH v2] Bluetooth: hci_sync: fix refcounting in le_read_features_complete Pauli Virtanen
2026-03-29 16:50 ` [v2] " bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox