* [PATCH] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled
@ 2026-06-13 15:29 Pauli Virtanen
2026-06-13 16:25 ` bluez.test.bot
2026-06-13 18:43 ` [PATCH v2] " Pauli Virtanen
0 siblings, 2 replies; 4+ messages in thread
From: Pauli Virtanen @ 2026-06-13 15:29 UTC (permalink / raw)
To: linux-bluetooth
Cc: Pauli Virtanen, marcel, luiz.dentz, 25181214217, linux-kernel,
stable
HCI_UART_SENDING bit in tx_state means write_work is pending and blocks
queueing it again. Currently this bit is not cleared when canceling the
work in hci_uart_close(), which blocks future writes when device is
reopened later if write_work was pending.
Fix by clearing HCI_UART_SENDING when canceling the work.
Also make clearing of tx_skb safe by using disable_work_sync +
enable_work instead of just cancel_work_sync. hci_uart_flush() purges
the proto tx queue so we can cancel the pending write_work there,
instead of doing it just in hci_uart_close().
Fixes: c1bb9336ae6b ("Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths")
Link: https://lore.kernel.org/linux-bluetooth/07e0a28650773abec711ee492fdb1bf5d21a6c98.camel@iki.fi/
Cc: stable@vger.kernel.org
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
drivers/bluetooth/hci_ldisc.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 47f4902b40b4..b0708ec9751c 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -239,10 +239,17 @@ static int hci_uart_flush(struct hci_dev *hdev)
BT_DBG("hdev %p tty %p", hdev, tty);
+ disable_work_sync(&hu->write_work);
+
if (hu->tx_skb) {
kfree_skb(hu->tx_skb); hu->tx_skb = NULL;
}
+ if (test_and_clear_bit(HCI_UART_SENDING, &hu->tx_state))
+ wake_up_bit(&hu->tx_state, HCI_UART_SENDING);
+
+ enable_work(&hu->write_work);
+
/* Flush any pending characters in the driver and discipline. */
tty_ldisc_flush(tty);
tty_driver_flush_buffer(tty);
@@ -271,12 +278,8 @@ static int hci_uart_open(struct hci_dev *hdev)
/* Close device */
static int hci_uart_close(struct hci_dev *hdev)
{
- struct hci_uart *hu = hci_get_drvdata(hdev);
-
BT_DBG("hdev %p", hdev);
- cancel_work_sync(&hu->write_work);
-
hci_uart_flush(hdev);
hdev->flush = NULL;
return 0;
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* RE: Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled
2026-06-13 15:29 [PATCH] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled Pauli Virtanen
@ 2026-06-13 16:25 ` bluez.test.bot
2026-06-13 18:43 ` [PATCH v2] " Pauli Virtanen
1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-06-13 16:25 UTC (permalink / raw)
To: linux-bluetooth, pav
[-- Attachment #1: Type: text/plain, Size: 988 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1111067
---Test result---
Test Summary:
CheckPatch PASS 0.72 seconds
VerifyFixes PASS 0.13 seconds
VerifySignedoff PASS 0.13 seconds
GitLint PASS 0.32 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 25.26 seconds
CheckAllWarning PASS 27.81 seconds
CheckSparse PASS 26.40 seconds
BuildKernel32 PASS 24.70 seconds
TestRunnerSetup PASS 524.23 seconds
IncrementalBuild PASS 25.70 seconds
https://github.com/bluez/bluetooth-next/pull/312
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled
2026-06-13 15:29 [PATCH] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled Pauli Virtanen
2026-06-13 16:25 ` bluez.test.bot
@ 2026-06-13 18:43 ` Pauli Virtanen
2026-06-13 19:19 ` [v2] " bluez.test.bot
1 sibling, 1 reply; 4+ messages in thread
From: Pauli Virtanen @ 2026-06-13 18:43 UTC (permalink / raw)
To: linux-bluetooth
Cc: Pauli Virtanen, marcel, luiz.dentz, 25181214217, linux-kernel,
stable
HCI_UART_SENDING bit in tx_state means write_work is pending and blocks
queueing it again. Currently this bit is not cleared when canceling the
work in hci_uart_close(), which blocks future writes when device is
reopened later if write_work was pending.
Fix by clearing HCI_UART_SENDING when canceling the work.
Also make clearing of tx_skb safe by using disable_work_sync +
enable_work instead of just cancel_work_sync. hci_uart_flush() purges
the proto tx queue so we can cancel the pending write_work there,
instead of doing it just in hci_uart_close(). Re-enable and possibly
requeue the work after queue flush.
Fixes: c1bb9336ae6b ("Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths")
Link: https://lore.kernel.org/linux-bluetooth/07e0a28650773abec711ee492fdb1bf5d21a6c98.camel@iki.fi/
Cc: stable@vger.kernel.org
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
v2:
- extend disable_work section to after proto->flush where the queue is
supposed to be empty
- clear HCI_UART_SENDING after enable_work() to avoid concurrent
bt_tx_wakeup() having set it
- requeue write_work in case something concurrently added more tx
drivers/bluetooth/hci_ldisc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 47f4902b40b4..2ad42c3bbaac 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -239,6 +239,8 @@ static int hci_uart_flush(struct hci_dev *hdev)
BT_DBG("hdev %p tty %p", hdev, tty);
+ disable_work_sync(&hu->write_work);
+
if (hu->tx_skb) {
kfree_skb(hu->tx_skb); hu->tx_skb = NULL;
}
@@ -254,6 +256,14 @@ static int hci_uart_flush(struct hci_dev *hdev)
percpu_up_read(&hu->proto_lock);
+ /* Resume TX. Also reschedule in case work was queued concurrently;
+ * this may schedule write_work although there's nothing to do.
+ */
+ enable_work(&hu->write_work);
+ clear_bit(HCI_UART_SENDING, &hu->tx_state);
+ if (test_bit(HCI_UART_TX_WAKEUP, &hu->tx_state))
+ hci_uart_tx_wakeup(hu);
+
return 0;
}
@@ -271,12 +281,8 @@ static int hci_uart_open(struct hci_dev *hdev)
/* Close device */
static int hci_uart_close(struct hci_dev *hdev)
{
- struct hci_uart *hu = hci_get_drvdata(hdev);
-
BT_DBG("hdev %p", hdev);
- cancel_work_sync(&hu->write_work);
-
hci_uart_flush(hdev);
hdev->flush = NULL;
return 0;
--
2.54.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-13 19:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-13 15:29 [PATCH] Bluetooth: hci_uart: clear HCI_UART_SENDING when write_work is canceled Pauli Virtanen
2026-06-13 16:25 ` bluez.test.bot
2026-06-13 18:43 ` [PATCH v2] " Pauli Virtanen
2026-06-13 19:19 ` [v2] " bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox