Linux bluetooth development
From: bluez.test.bot@gmail.com
To: linux-bluetooth@vger.kernel.org, w15303746062@163.com
Subject: RE: [v9] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Date: Sun, 17 May 2026 23:16:36 -0700 (PDT)
Message-ID: <6a0aaec4.1fd2fdbd.247711.f630@mx.google.com>
In-Reply-To: <20260518024949.439299-1-w15303746062@163.com>

This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1096260

---Test result---

Test Summary:
CheckPatch                    PASS      0.75 seconds
GitLint                       FAIL      0.33 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      25.77 seconds
CheckAllWarning               PASS      28.71 seconds
CheckSparse                   PASS      27.21 seconds
BuildKernel32                 PASS      25.26 seconds
TestRunnerSetup               PASS      532.29 seconds
IncrementalBuild              PASS      25.10 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v9] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
54: B1 Line exceeds max length (398>80): "- Addressed a critical flaw identified in v8 where premature cancellation of write_work allowed active protocol timers to immediately reschedule it. The teardown sequence in hci_uart_tty_close() now strictly clears HCI_UART_PROTO_READY *before* calling cancel_work_sync(&hu->write_work). This permanently locks out hci_uart_tx_wakeup(), completely resolving the lingering UAF and double-free races."
55: B1 Line exceeds max length (170>80): "- Documented that skipping hu->proto->flush() via early flag clearance is intrinsically safe, as hu->proto->close() executes subsequently to purge all unacked/rel queues."
58: B1 Line exceeds max length (122>80): "- Corrected the teardown sequence in hci_uart_tty_close() by unconditionally canceling write_work BEFORE hci_uart_close()."
59: B1 Line exceeds max length (182>80): "- Moved hu->hdev->stat.byte_rx increment inside the proto_lock read-side critical section in hci_uart_tty_receive() to prevent read-side UAF against concurrent registration failures."
60: B1 Line exceeds max length (190>80): "- Added cancel_work_sync(&hu->write_work) inside hci_uart_close() to eliminate the race condition between write_work and hci_uart_flush() when the interface is brought down via the HCI core."
63: B1 Line exceeds max length (133>80): "- Reverted disable_work_sync() back to cancel_work_sync() across all error and close paths to preserve user-space retry capabilities."
64: B1 Line exceeds max length (142>80): "- Synchronized workqueue teardown safely by atomically clearing PROTO_READY / PROTO_INIT under proto_lock prior to calling cancel_work_sync()."
65: B1 Line exceeds max length (142>80): "- Fixed a Use-After-Free (UAF) vulnerability in the teardown sequence by relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)."
66: B1 Line exceeds max length (151>80): "- Added cancel_work_sync(&hu->init_ready) at the very beginning of hci_uart_tty_close() to serialize teardown against active asynchronous registration."
69: B1 Line exceeds max length (130>80): "- Fixed missing `hu->proto_lock` write lock in hci_uart_init_work() error path to prevent race with readers (reported by Sashiko)."
70: B1 Line exceeds max length (143>80): "- Added disable_work_sync() instead of cancel_work_sync() for `hu->write_work` in hci_uart_init_work() and hci_uart_register_dev() error paths."
73: B2 Line has trailing whitespace: "- Relocated disable_work_sync() to the very top of hci_uart_tty_close(), "
74: B1 Line exceeds max length (85>80): "  before hci_uart_close(), to ensure no new work is submitted during device teardown."
77: B2 Line has trailing whitespace: "- Adopted Luiz's suggestion to use disable_work_sync() instead of "


https://github.com/bluez/bluetooth-next/pull/209

---
Regards,
Linux Bluetooth


Thread overview: 25+ messages
2026-05-13  6:45 [PATCH] Bluetooth: hci_uart: fix UAF in hci_uart_tty_close() w15303746062
2026-05-13  7:54 ` bluez.test.bot
2026-05-13  9:04 ` [PATCH] " Paul Menzel
2026-05-14 15:17   ` [PATCH v2] " w15303746062
2026-05-14 17:00     ` [v2] " bluez.test.bot
2026-05-15  6:10     ` [PATCH v2] " Greg KH
2026-05-15  6:50   ` [PATCH v3] " w15303746062
2026-05-15  8:43     ` [v3] " bluez.test.bot
2026-05-15 12:37 ` [PATCH] " Luiz Augusto von Dentz
2026-05-15 13:39   ` w15303746062
2026-05-15 14:05   ` [PATCH v4] " w15303746062
2026-05-15 15:12     ` [v4] " bluez.test.bot
2026-05-15 16:08     ` [PATCH v4] " Luiz Augusto von Dentz
2026-05-16  1:41       ` w15303746062
2026-05-16  2:22       ` [PATCH v5] " w15303746062
2026-05-16  5:11         ` [v5] " bluez.test.bot
2026-05-16  5:30       ` [PATCH v6] Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths w15303746062
2026-05-16  7:33         ` [v6] " bluez.test.bot
2026-05-16  8:47       ` [PATCH v7] " w15303746062
2026-05-16  9:24         ` [v7] " bluez.test.bot
2026-05-18  1:36       ` [PATCH v8] " w15303746062
2026-05-18  2:49       ` [PATCH v9] " w15303746062
2026-05-18  6:16         ` bluez.test.bot [this message]
2026-05-19 15:00         ` patchwork-bot+bluetooth
2026-06-13 12:58           ` [REGRESSION] " Pauli Virtanen
