* [PATCH] bluetooth: btnxpuart: Fix use-after-free in probe error path
@ 2026-05-14 6:03 Zhao Dongdong
2026-05-14 8:18 ` bluez.test.bot
0 siblings, 1 reply; 2+ messages in thread
From: Zhao Dongdong @ 2026-05-14 6:03 UTC (permalink / raw)
To: amitkumar.karwar, neeraj.sanjaykale, marcel
Cc: linux-bluetooth, Zhao Dongdong
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
fails, the error path jumps to 'probe_fail' which only calls
hci_free_dev() and asserts the reset GPIO, but does NOT call
hci_unregister_dev() first.
This leaves the HCI device registered in the system with its backing
memory freed, leading to a use-after-free when userspace subsequently
accesses the device (e.g. via hciconfig or bluetoothd).
Fix by adding a 'probe_fail_unregister' label that calls
hci_unregister_dev() before falling through to the existing
'probe_fail' label. The original 'probe_fail' label is preserved
for the case where hci_register_dev() itself fails (device was
never registered, so no unregister is needed).
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
drivers/bluetooth/btnxpuart.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index e7036a48ce48..a4d7747e5be0 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1907,13 +1907,15 @@ static int nxp_serdev_probe(struct serdev_device *serdev)
}
if (ps_setup(hdev))
- goto probe_fail;
+ goto probe_fail_unregister;
hci_devcd_register(hdev, nxp_coredump, nxp_coredump_hdr,
nxp_coredump_notify);
return 0;
+probe_fail_unregister:
+ hci_unregister_dev(hdev);
probe_fail:
reset_control_assert(nxpdev->pdn);
hci_free_dev(hdev);
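Review bot: in the error path after `ps_setup(hdev)`, the new `probe_fail_unregister:` label adds only `hci_unregister_dev(hdev)` before falling through to `probe_fail`, and the hunk does not show whether ps_setup() can fail after it has already initialized state of its own; please confirm that nothing it set up needs separate teardown on this path, or add that teardown under the new label. The context line `hci_devcd_register(hdev, nxp_coredump, nxp_coredump_hdr,` also has its return value ignored, so this is the only post-registration failure the probe handles; if that is intentional, a short comment would help. Two documentation points: the commit message carries no Fixes: tag naming the commit that introduced the missing unregister, which a use-after-free fix would normally have so it can be backported, and the subject uses "bluetooth:" where the CI SubjectPrefix check on this thread expects "Bluetooth: ".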
--
2.25.1
* RE: bluetooth: btnxpuart: Fix use-after-free in probe error path
From: bluez.test.bot @ 2026-05-14 8:18 UTC (permalink / raw)
To: linux-bluetooth, winter91
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1094596
---Test result---
Test Summary:
CheckPatch PASS 0.73 seconds
GitLint PASS 0.34 seconds
SubjectPrefix FAIL 0.13 seconds
BuildKernel PASS 25.79 seconds
CheckAllWarning PASS 28.12 seconds
CheckSparse PASS 26.37 seconds
BuildKernel32 PASS 25.28 seconds
TestRunnerSetup PASS 535.46 seconds
IncrementalBuild PASS 24.70 seconds
Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
https://github.com/bluez/bluetooth-next/pull/187
---
Regards,
Linux Bluetooth