[PATCH v2 0/3] Bluetooth: hci_core: Refactor HCI reset functions

[PATCH v2 0/3] Bluetooth: hci_core: Refactor HCI reset functions

[Heitor Alves de Siqueira]

Dear maintainers,

While investigating some warnings reported by syzbot on the hdev
workqueue, Luiz kindly mentioned the possibility of reworking the reset
functions in hci_core. A lot of the work done "manually" in
hci_dev_do_reset() is already handled by the close/open functions in
hci_sync, and those also handle missing functionality related to LE,
discovery and advertising.

This series removes most of the code in hci_dev_do_reset() in favor of
calling hci_dev_close_sync() and hci_dev_open_sync(). The two follow-up
patches are minor fixes porting over a device flag for indicating when
the workqueue is being drained, and another for zeroing device counters.
Although I've left them as individual commits, they could probably be
squashed together if that's preferrable.

I've tested this using the Bluez HCI emulator and corresponding tester
tools, as well as on a generic USB Bluetooth dongle. No regressions were
reported by l2cap-tester, mgmt-tester and hci-tester.

Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
Changes in v2:
- Removed most reset code from hci_dev_do_reset(), in favor of
  hci_dev_close_sync() and hci_dev_open_sync()
- Added HCI_CMD_DRAIN_WORKQUEUE to hci_dev_close_sync(), as it's now
  used in the reset path
- Included a minor fix for zeroing protocol counters
- Link to v1: https://patch.msgid.link/20260513-hci_send-v1-1-ae3eef758280@igalia.com

To: Marcel Holtmann <marcel@holtmann.org>
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: Schspa Shi <schspa@gmail.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

---
Heitor Alves de Siqueira (3):
      Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
      Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
      Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()

 net/bluetooth/hci_core.c | 43 +++----------------------------------------
 net/bluetooth/hci_sync.c | 12 ++++++++++++
 2 files changed, 15 insertions(+), 40 deletions(-)
---
base-commit: 8bc67e4db64aa72732c474b44ea8622062c903f0
change-id: 20260513-hci_send-640290de7acc

Best regards,
--  
Heitor Alves de Siqueira <halves@igalia.com>

[PATCH v2 1/3] Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions

[Heitor Alves de Siqueira]

The current HCI reset function in hci_core.c duplicates most of the work
done by hci_dev_close_sync(), and doesn't handle LE, advertising or
discovery.

Instead of porting these to hci_dev_do_reset(), directly call the
close/open functions from hci_sync to reset the hdev. MGMT now notifies
when a user performs a reset.

Suggested-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
 net/bluetooth/hci_core.c | 43 +++----------------------------------------
 1 file changed, 3 insertions(+), 40 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index c46c1236ebfa..28d7929dc593 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -539,46 +539,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev)
 
 	hci_req_sync_lock(hdev);
 
-	/* Drop queues */
-	skb_queue_purge(&hdev->rx_q);
-	skb_queue_purge(&hdev->cmd_q);
-
-	/* Cancel these to avoid queueing non-chained pending work */
-	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
-	/* Wait for
-	 *
-	 *    if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
-	 *        queue_delayed_work(&hdev->{cmd,ncmd}_timer)
-	 *
-	 * inside RCU section to see the flag or complete scheduling.
-	 */
-	synchronize_rcu();
-	/* Explicitly cancel works in case scheduled after setting the flag. */
-	cancel_delayed_work(&hdev->cmd_timer);
-	cancel_delayed_work(&hdev->ncmd_timer);
-
-	/* Avoid potential lockdep warnings from the *_flush() calls by
-	 * ensuring the workqueue is empty up front.
-	 */
-	drain_workqueue(hdev->workqueue);
-
-	hci_dev_lock(hdev);
-	hci_inquiry_cache_flush(hdev);
-	hci_conn_hash_flush(hdev);
-	hci_dev_unlock(hdev);
-
-	if (hdev->flush)
-		hdev->flush(hdev);
-
-	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
-
-	atomic_set(&hdev->cmd_cnt, 1);
-	hdev->acl_cnt = 0;
-	hdev->sco_cnt = 0;
-	hdev->le_cnt = 0;
-	hdev->iso_cnt = 0;
-
-	ret = hci_reset_sync(hdev);
+	ret = hci_dev_close_sync(hdev);
+	if (!ret)
+		ret = hci_dev_open_sync(hdev);
 
 	hci_req_sync_unlock(hdev);
 	return ret;

-- 
2.54.0

[PATCH v2 2/3] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close

[Heitor Alves de Siqueira]

Since hci_dev_close_sync() can now be called during the reset path, we
should also set HCI_CMD_DRAIN_WORKQUEUE. This avoids queuing timeouts
while the hdev workqueue is being drained.

Fixes: 877afadad2dc ("Bluetooth: When HCI work queue is drained, only queue chained work")
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
 net/bluetooth/hci_sync.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index fd3aacdea512..84d8f457c799 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5298,6 +5298,12 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	bt_dev_dbg(hdev, "");
 
+	/* Set HCI_DRAIN_WORKQUEUE flag to prevent queuing work during
+	 * reset/close. See hci_cmd_work() and handle_cmd_cnt_and_timer().
+	 */
+	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
+	synchronize_rcu();
+
 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		disable_delayed_work(&hdev->power_off);
 		disable_delayed_work(&hdev->ncmd_timer);
@@ -5321,6 +5327,7 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
 		cancel_delayed_work_sync(&hdev->cmd_timer);
+		hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 		return err;
 	}
 
@@ -5420,6 +5427,7 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 	/* Clear flags */
 	hdev->flags &= BIT(HCI_RAW);
 	hci_dev_clear_volatile_flags(hdev);
+	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 
 	memset(hdev->eir, 0, sizeof(hdev->eir));
 	memset(hdev->dev_class, 0, sizeof(hdev->dev_class));

-- 
2.54.0

[PATCH v2 3/3] Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()

[Heitor Alves de Siqueira]

Before resetting or closing the device, protocol counters should also be
zeroed.

Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
 net/bluetooth/hci_sync.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 84d8f457c799..c11d5a1f2dba 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5390,6 +5390,10 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 	/* Reset device */
 	skb_queue_purge(&hdev->cmd_q);
 	atomic_set(&hdev->cmd_cnt, 1);
+	hdev->acl_cnt = 0;
+	hdev->sco_cnt = 0;
+	hdev->le_cnt = 0;
+	hdev->iso_cnt = 0;
 	if (hci_test_quirk(hdev, HCI_QUIRK_RESET_ON_CLOSE) &&
 	    !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
 		set_bit(HCI_INIT, &hdev->flags);

-- 
2.54.0

RE: Bluetooth: hci_core: Refactor HCI reset functions

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2489 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100995

---Test result---

Test Summary:
CheckPatch                    PASS      1.61 seconds
VerifyFixes                   PASS      0.07 seconds
VerifySignedoff               PASS      0.08 seconds
GitLint                       FAIL      0.65 seconds
SubjectPrefix                 PASS      0.20 seconds
BuildKernel                   PASS      27.79 seconds
CheckAllWarning               PASS      30.33 seconds
CheckSparse                   PASS      29.14 seconds
BuildKernel32                 PASS      26.84 seconds
TestRunnerSetup               PASS      583.48 seconds
TestRunner_l2cap-tester       PASS      59.20 seconds
TestRunner_iso-tester         PASS      81.41 seconds
TestRunner_bnep-tester        PASS      24.55 seconds
TestRunner_mgmt-tester        FAIL      215.80 seconds
TestRunner_rfcomm-tester      PASS      26.17 seconds
TestRunner_sco-tester         PASS      33.02 seconds
TestRunner_ioctl-tester       PASS      26.08 seconds
TestRunner_mesh-tester        FAIL      25.85 seconds
TestRunner_smp-tester         PASS      23.24 seconds
TestRunner_userchan-tester    PASS      20.11 seconds
TestRunner_6lowpan-tester     PASS      22.78 seconds
IncrementalBuild              PASS      30.90 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2,1/3] Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions

1: T1 Title exceeds max length (81>80): "[v2,1/3] Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions"
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.256 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.635 seconds
Mesh - Send cancel - 2                               Timed out    1.989 seconds


https://github.com/bluez/bluetooth-next/pull/244

---
Regards,
Linux Bluetooth

Re: [PATCH v2 0/3] Bluetooth: hci_core: Refactor HCI reset functions

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 26 May 2026 10:50:56 -0300 you wrote:
> Dear maintainers,
> 
> While investigating some warnings reported by syzbot on the hdev
> workqueue, Luiz kindly mentioned the possibility of reworking the reset
> functions in hci_core. A lot of the work done "manually" in
> hci_dev_do_reset() is already handled by the close/open functions in
> hci_sync, and those also handle missing functionality related to LE,
> discovery and advertising.
> 
> [...]

Here is the summary with links:
  - [v2,1/3] Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
    https://git.kernel.org/bluetooth/bluetooth-next/c/54f93846b7a8
  - [v2,2/3] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
    https://git.kernel.org/bluetooth/bluetooth-next/c/db6e813f5789
  - [v2,3/3] Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
    https://git.kernel.org/bluetooth/bluetooth-next/c/a92f90568cc9

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html