Linux bluetooth development
* [PATCH v3] Bluetooth: btnxpuart: Fix use-after-free in probe error path
From: Zhao Dongdong @ 2026-05-15  0:46 UTC (permalink / raw)
  To: amitkumar.karwar, neeraj.sanjaykale, marcel
  Cc: linux-bluetooth, Zhao Dongdong

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
fails, the error path jumps to 'probe_fail' which only calls
hci_free_dev() and asserts the reset GPIO, but does NOT call
hci_unregister_dev() first.

This leaves the HCI device registered in the system with its backing
memory freed, leading to a use-after-free when userspace subsequently
accesses the device (e.g. via hciconfig or bluetoothd).

Fix by adding a 'probe_fail_unregister' label that calls
hci_unregister_dev() before falling through to the existing
'probe_fail' label. The original 'probe_fail' label is preserved
for the case where hci_register_dev() itself fails (device was
never registered, so no unregister is needed).

Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
v3: fix gitlint WARNING
v2: fix SubjectPrefix
---
 drivers/bluetooth/btnxpuart.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index e7036a48ce48..a4d7747e5be0 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1907,13 +1907,15 @@ static int nxp_serdev_probe(struct serdev_device *serdev)
 	}
 
 	if (ps_setup(hdev))
-		goto probe_fail;
+		goto probe_fail_unregister;
 
 	hci_devcd_register(hdev, nxp_coredump, nxp_coredump_hdr,
 			   nxp_coredump_notify);
 
 	return 0;
 
+probe_fail_unregister:
+	hci_unregister_dev(hdev);
 probe_fail:
 	reset_control_assert(nxpdev->pdn);
 	hci_free_dev(hdev);
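Review bot: the hunk context starts at the closing brace after the hci_register_dev() block, so the failure branch of hci_register_dev() that the commit message says still uses the bare 'probe_fail' label is not visible here; widening the context by a few lines (or quoting the register call in the changelog) would let a reviewer confirm from the diff alone that only the ps_setup() branch can reach the new 'probe_fail_unregister' label. Worth considering, too, whether ps_setup() can be moved ahead of hci_register_dev(): if power-save setup does not depend on a registered hdev, registering last removes the need for the unregister label altogether and closes the window in which userspace can see a device whose probe is still in progress.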
-- 
2.25.1


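The failure mode described in the commit message, as an added example that is not code from btnxpuart.c, the HCI core or the kernel: a small user-space C model of a device registry and a probe routine with the same two error labels. register_dev(), unregister_dev(), free_dev(), setup_stage() and probe_model() are hypothetical stand-ins for hci_register_dev(), hci_unregister_dev(), hci_free_dev(), ps_setup() and nxp_serdev_probe(). The device lives in static storage and is "freed" by setting a flag, so the stale registration the buggy path leaves behind can be inspected without actually reading released memory.

```c
/*
 * Added example, not kernel code: models the probe error-path ordering
 * bug fixed by the patch above. A global table stands in for the HCI
 * core's list of registered devices; the buggy probe frees a device that
 * is still published there, which is exactly the state a later lookup
 * (userspace opening the controller) would dereference.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEVS 4

struct hci_dev_model {
	char name[16];
	bool freed;	/* poison flag: set instead of calling free() */
};

/* Hypothetical stand-in for the core's registered-device table. */
static struct hci_dev_model *registry[MAX_DEVS];

static void reset_registry(void)
{
	memset(registry, 0, sizeof(registry));
}

/* Stand-in for hci_register_dev(): publish the pointer, -1 if table full. */
static int register_dev(struct hci_dev_model *dev)
{
	for (int i = 0; i < MAX_DEVS; i++) {
		if (!registry[i]) {
			registry[i] = dev;
			return 0;
		}
	}
	return -1;
}

/* Stand-in for hci_unregister_dev(): withdraw the pointer. */
static void unregister_dev(struct hci_dev_model *dev)
{
	for (int i = 0; i < MAX_DEVS; i++)
		if (registry[i] == dev)
			registry[i] = NULL;
}

/* Stand-in for hci_free_dev(): mark rather than free so it stays readable. */
static void free_dev(struct hci_dev_model *dev)
{
	dev->freed = true;
}

/* Stand-in for ps_setup(): a post-registration stage that may fail. */
static int setup_stage(bool should_fail)
{
	return should_fail ? -1 : 0;
}

/*
 * Probe with the same label layout as nxp_serdev_probe(). With fixed ==
 * false the setup failure jumps straight to probe_fail, reproducing the
 * bug; with fixed == true it first passes through probe_fail_unregister.
 * Returns 0 on success, -1 on failure.
 */
static int probe_model(struct hci_dev_model *dev, bool fail_setup, bool fixed)
{
	if (register_dev(dev))
		goto probe_fail;		/* never registered: no unregister needed */

	if (setup_stage(fail_setup)) {
		if (fixed)
			goto probe_fail_unregister;
		goto probe_fail;		/* bug: device stays registered */
	}
	return 0;

probe_fail_unregister:
	unregister_dev(dev);		/* unwind in reverse order of setup */
probe_fail:
	free_dev(dev);
	return -1;
}

/* Count table entries that still point at a device whose memory is gone. */
static int dangling_registrations(void)
{
	int n = 0;

	for (int i = 0; i < MAX_DEVS; i++)
		if (registry[i] && registry[i]->freed)
			n++;
	return n;
}

/* Run one scenario on a fresh registry; returns the dangling-entry count. */
static int run_scenario(bool fail_setup, bool fixed)
{
	static struct hci_dev_model dev;	/* static: stale pointer stays readable */

	reset_registry();
	memset(&dev, 0, sizeof(dev));
	strcpy(dev.name, "hci0");
	probe_model(&dev, fail_setup, fixed);
	return dangling_registrations();
}

int main(void)
{
	printf("buggy path, setup fails: %d dangling registration(s)\n",
	       run_scenario(true, false));
	printf("fixed path, setup fails: %d dangling registration(s)\n",
	       run_scenario(true, true));
	printf("success path:            %d dangling registration(s)\n",
	       run_scenario(false, true));
	return 0;
}
```

The buggy scenario leaves one table entry pointing at a device whose memory is flagged as released; the fixed scenario leaves none, because the unwind runs in the reverse order of the setup steps (unregister, then free). In the real driver the dereference through that stale entry is what turns into the use-after-free, and in a sanitizer-enabled kernel (KASAN) it is reported on the first userspace access after the failed probe.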

* RE: [v3] Bluetooth: btnxpuart: Fix use-after-free in probe error path
From: bluez.test.bot @ 2026-05-15  1:53 UTC (permalink / raw)
  To: linux-bluetooth, winter91


This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1095065

---Test result---

Test Summary:
CheckPatch                    PASS      0.63 seconds
GitLint                       PASS      0.21 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      27.86 seconds
CheckAllWarning               PASS      30.47 seconds
CheckSparse                   PASS      28.77 seconds
BuildKernel32                 PASS      26.72 seconds
TestRunnerSetup               PASS      586.50 seconds
IncrementalBuild              PASS      25.96 seconds



https://github.com/bluez/bluetooth-next/pull/193

---
Regards,
Linux Bluetooth



* Re: [PATCH v3] Bluetooth: btnxpuart: Fix use-after-free in probe error path
From: Luiz Augusto von Dentz @ 2026-05-15 12:57 UTC (permalink / raw)
  To: Zhao Dongdong
  Cc: amitkumar.karwar, neeraj.sanjaykale, marcel, linux-bluetooth,
	Zhao Dongdong

Hi,

On Thu, May 14, 2026 at 8:54 PM Zhao Dongdong <winter91@foxmail.com> wrote:
>
> From: Zhao Dongdong <zhaodongdong@kylinos.cn>
>
> In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
> fails, the error path jumps to 'probe_fail' which only calls
> hci_free_dev() and asserts the reset GPIO, but does NOT call
> hci_unregister_dev() first.
>
> This leaves the HCI device registered in the system with its backing
> memory freed, leading to a use-after-free when userspace subsequently
> accesses the device (e.g. via hciconfig or bluetoothd).
>
> Fix by adding a 'probe_fail_unregister' label that calls
> hci_unregister_dev() before falling through to the existing
> 'probe_fail' label. The original 'probe_fail' label is preserved
> for the case where hci_register_dev() itself fails (device was
> never registered, so no unregister is needed).
>
> Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
> ---
> v3: fix gitlint WARNING
> v2: fix SubjectPrefix
> ---
>  drivers/bluetooth/btnxpuart.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
> index e7036a48ce48..a4d7747e5be0 100644
> --- a/drivers/bluetooth/btnxpuart.c
> +++ b/drivers/bluetooth/btnxpuart.c
> @@ -1907,13 +1907,15 @@ static int nxp_serdev_probe(struct serdev_device *serdev)
>         }
>
>         if (ps_setup(hdev))
> -               goto probe_fail;
> +               goto probe_fail_unregister;
>
>         hci_devcd_register(hdev, nxp_coredump, nxp_coredump_hdr,
>                            nxp_coredump_notify);
>
>         return 0;
>
> +probe_fail_unregister:
> +       hci_unregister_dev(hdev);
>  probe_fail:
>         reset_control_assert(nxpdev->pdn);
>         hci_free_dev(hdev);
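Review bot: hci_unregister_dev() is placed ahead of reset_control_assert() in the new fall-through, which is the right order: unregistering can still run the driver's close and flush callbacks that talk to the controller, so the reset must not be asserted first. Keep that ordering if the error path is later simplified. As the diff stands, hci_devcd_register() runs only on the success path after ps_setup(), so the new label does not need to undo it; if the coredump registration is ever moved earlier, the unwind sequence would have to grow accordingly.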
> --
> 2.25.1

https://sashiko.dev/#/patchset/tencent_4A1D33225C74DB33EFAE8A0B6E884567DD09%40qq.com

Not sure if it is valid, but it is probably worth checking since we can
perhaps simplify the error path.


-- 
Luiz Augusto von Dentz

