Linux bluetooth development
* [PATCH v2] Bluetooth: hci_debugfs: serialize force_bredr_smp writes
@ 2026-07-03  8:14 Cen Zhang
From: Cen Zhang @ 2026-07-03  8:14 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: linux-bluetooth, baijiaju1990, zzzccc427

force_bredr_smp_write() calls smp_force_bredr() without hci_dev_lock().
That helper checks HCI_FORCE_BREDR_SMP, updates hdev->smp_bredr_data,
and then toggles the force flag.

Two same-value writers can both pass the state check and run the same
enable or disable transition on one hdev. On the disable side, one writer
can clear hdev->smp_bredr_data while the other still observes the old
force flag and later passes NULL into smp_del_chan(). The double
transition can also leave the force flag out of sync with the requested
state.

Take hci_dev_lock() around smp_force_bredr() in the debugfs write path so
each request observes and applies one stable BR/EDR SMP transition.

Validation reproduced this kernel report:

  KASAN null-ptr-deref in smp_del_chan+0x31/0x90
  RIP: 0033:0x7faae680d340
  RIP: 0010:smp_del_chan+0x31/0x90 [bluetooth]
  Read of size 8
  Call Trace:
   dump_stack_lvl+0x66/0xa0
   kasan_report+0xe0/0x110
   smp_del_chan+0x31/0x90
   smp_force_bredr+0x69/0xc0
   trace_clock_x86_tsc+0x20/0x20
   srso_alias_return_thunk+0x5/0xfbef5
   lock_acquire+0xd0/0x300
   ksys_write+0xd2/0x170
   full_proxy_write+0x9e/0xd0
   vfs_write+0x1b0/0x810
   find_held_lock+0x2b/0x80
   do_user_addr_fault+0x65a/0x890
   rcu_is_watching+0x20/0x50
   do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 300acfdec916 ("Bluetooth: Introduce force_bredr_smp debugfs option for testing")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
v2:
- Reword commit message to avoid checkpatch's 75-character line warning.

 net/bluetooth/hci_debugfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/hci_debugfs.c b/net/bluetooth/hci_debugfs.c
index b7f682922a16..ff344564c923 100644
--- a/net/bluetooth/hci_debugfs.c
+++ b/net/bluetooth/hci_debugfs.c
@@ -520,7 +520,9 @@ static ssize_t force_bredr_smp_write(struct file *file,
 	if (err)
 		return err;
 
+	hci_dev_lock(hdev);
 	err = smp_force_bredr(hdev, enable);
+	hci_dev_unlock(hdev);
 	if (err)
 		return err;
 
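Review bot: the hunk serializes only this debugfs caller, while the commit message places the racy check/update/toggle sequence inside smp_force_bredr() itself; nothing in the helper records that it now expects hdev->lock to be held, so another caller could reintroduce the same double transition. Consider adding `lockdep_assert_held(&hdev->lock);` at the top of smp_force_bredr() (or at least a comment on it stating the locking requirement) alongside the two lines added here, and mention that requirement in the commit message.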
-- 
2.43.0

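To make the race in the commit message concrete, the following is an added userland model written for this page; it is not kernel code and not the author's patch. The names dev, writer_step, force_flag, data and null_dels are hypothetical stand-ins for hdev, smp_force_bredr(), HCI_FORCE_BREDR_SMP, hdev->smp_bredr_data and the smp_del_chan(NULL) site, and the channel object is a constructed sample. It replays the three steps the message attributes to the helper (state check, data update, flag toggle) for two concurrent "disable" writers, once with their steps interleaved (no lock) and once with each writer run to completion (what hci_dev_lock() enforces), so the reader can see why the unguarded check plus a toggle yields both the NULL channel and an inverted flag.

```c
/* Added model of the force_bredr_smp write race; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct chan { int cid; };

struct dev {
    bool force_flag;     /* stands in for the HCI_FORCE_BREDR_SMP flag */
    struct chan *data;   /* stands in for hdev->smp_bredr_data */
    int null_dels;       /* times the "smp_del_chan(NULL)" site was reached */
    int ealready;        /* writers rejected by the state check */
};

static struct chan bredr_chan = { .cid = 7 }; /* constructed sample channel */

enum step { S_CHECK, S_UPDATE, S_TOGGLE, S_DONE };

struct writer {
    bool enable;         /* the value written to the debugfs file */
    enum step step;
};

/* One step of a writer; the three steps mirror the helper's sequence:
 * state check, data update, force-flag toggle. */
static void writer_step(struct dev *d, struct writer *w)
{
    switch (w->step) {
    case S_CHECK:
        if (w->enable == d->force_flag) {
            d->ealready++;              /* already in requested state */
            w->step = S_DONE;
        } else {
            w->step = S_UPDATE;
        }
        break;
    case S_UPDATE:
        if (w->enable) {
            d->data = &bredr_chan;
        } else {
            struct chan *c = d->data;
            d->data = NULL;
            if (!c)
                d->null_dels++;         /* the NULL deref in the report */
        }
        w->step = S_TOGGLE;
        break;
    case S_TOGGLE:
        d->force_flag = !d->force_flag; /* a toggle, not an assignment */
        w->step = S_DONE;
        break;
    case S_DONE:
        break;
    }
}

static bool done(const struct writer *w) { return w->step == S_DONE; }

/* No lock: two disable writers alternate steps on one device. */
static struct dev race_disable_unserialized(void)
{
    struct dev d = { .force_flag = true, .data = &bredr_chan };
    struct writer a = { .enable = false }, b = { .enable = false };
    while (!done(&a) || !done(&b)) {
        writer_step(&d, &a);
        writer_step(&d, &b);
    }
    return d;
}

/* With the lock: each writer runs to completion before the next starts. */
static struct dev race_disable_serialized(void)
{
    struct dev d = { .force_flag = true, .data = &bredr_chan };
    struct writer a = { .enable = false }, b = { .enable = false };
    while (!done(&a)) writer_step(&d, &a);
    while (!done(&b)) writer_step(&d, &b);
    return d;
}

int main(void)
{
    struct dev u = race_disable_unserialized(), s = race_disable_serialized();
    printf("unserialized: force_flag=%d data=%p null_dels=%d ealready=%d\n",
           u.force_flag, (void *)u.data, u.null_dels, u.ealready);
    printf("serialized:   force_flag=%d data=%p null_dels=%d ealready=%d\n",
           s.force_flag, (void *)s.data, s.null_dels, s.ealready);
    return 0;
}
```

In the interleaved run both writers pass the check while the flag is still set, the second one finds data already cleared (the NULL passed on in the real report), and the two toggles leave the flag set again although both requests asked for disable. Serialized, the second writer is rejected with -EALREADY and the device ends in the requested state.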

* RE: [v2] Bluetooth: hci_debugfs: serialize force_bredr_smp writes
@ 2026-07-03 10:10 ` bluez.test.bot
From: bluez.test.bot @ 2026-07-03 10:10 UTC (permalink / raw)
  To: linux-bluetooth, zzzccc427


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1120995

---Test result---

Test Summary:
CheckPatch                    PASS      0.77 seconds
VerifyFixes                   PASS      0.13 seconds
VerifySignedoff               PASS      0.13 seconds
GitLint                       PASS      0.32 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      26.35 seconds
CheckAllWarning               PASS      29.85 seconds
CheckSparse                   PASS      28.57 seconds
BuildKernel32                 PASS      25.65 seconds
CheckKernelLLVM               SKIP      0.00 seconds
TestRunnerSetup               PASS      494.82 seconds
TestRunner_l2cap-tester       FAIL      58.69 seconds
TestRunner_iso-tester         PASS      82.99 seconds
TestRunner_bnep-tester        PASS      18.60 seconds
TestRunner_mgmt-tester        FAIL      210.72 seconds
TestRunner_rfcomm-tester      PASS      24.85 seconds
TestRunner_sco-tester         PASS      31.78 seconds
TestRunner_ioctl-tester       PASS      26.08 seconds
TestRunner_mesh-tester        FAIL      30.43 seconds
TestRunner_smp-tester         PASS      23.14 seconds
TestRunner_userchan-tester    PASS      19.72 seconds
TestRunner_6lowpan-tester     PASS      22.52 seconds
IncrementalBuild              PASS      24.93 seconds

Details
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 94 (97.9%), Failed: 2, Not Run: 0

Failed Test Cases
L2CAP BR/EDR Server - Set PHY 1M                     Failed       0.258 seconds
L2CAP BR/EDR Server - Set PHY 3M                     Failed       0.253 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.242 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.748 seconds
Mesh - Send cancel - 2                               Timed out    1.990 seconds


https://github.com/bluez/bluetooth-next/pull/391

---
Regards,
Linux Bluetooth


