[PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

[PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

[Chandrashekar Devegowda]

Add a u8 reset_type parameter to the hdev->reset() callback to allow
userspace to select the reset method via sysfs. Writing 1 to
/sys/class/bluetooth/hci0/reset triggers a Product Level Device
Reset (PLDR), while any other value triggers a Function Level Reset
(FLR).

The reset_type values are:
  0 - Function Level Reset (FLR)
  1 - Product Level Device Reset (PLDR)

Internal callers (command timeout, suspend/resume, coredump)
default to FLR (0).

All drivers implementing the reset callback are updated to accept
the new parameter:
  - btusb: btusb_intel_reset, btusb_qca_reset, btusb_rtl_reset
  - hci_qca: qca_reset
  - btmtksdio: btmtksdio_reset
  - btmtk: btmtk_reset_sync
  - btnxpuart: nxp_reset
  - btintel_pcie: btintel_pcie_reset (maps to Intel PRR types)

Signed-off-by: Chandrashekar Devegowda <chandrashekar.devegowda@intel.com>
---
 Documentation/ABI/stable/sysfs-class-bluetooth |  6 +++++-
 drivers/bluetooth/btintel_pcie.c               | 17 +++++++++++------
 drivers/bluetooth/btmtk.c                      |  6 +++---
 drivers/bluetooth/btmtk.h                      |  4 ++--
 drivers/bluetooth/btmtksdio.c                  |  2 +-
 drivers/bluetooth/btnxpuart.c                  |  2 +-
 drivers/bluetooth/btusb.c                      |  6 +++---
 drivers/bluetooth/hci_qca.c                    |  2 +-
 include/net/bluetooth/hci_core.h               |  2 +-
 net/bluetooth/hci_core.c                       |  2 +-
 net/bluetooth/hci_sysfs.c                      | 10 ++++++++--
 11 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/Documentation/ABI/stable/sysfs-class-bluetooth b/Documentation/ABI/stable/sysfs-class-bluetooth
index 36be02471174..8f485fa02a47 100644
--- a/Documentation/ABI/stable/sysfs-class-bluetooth
+++ b/Documentation/ABI/stable/sysfs-class-bluetooth
@@ -3,7 +3,11 @@ Date:		14-Jan-2025
 KernelVersion:	6.13
 Contact:	linux-bluetooth@vger.kernel.org
 Description: 	This write-only attribute allows users to trigger the vendor reset
-		method on the Bluetooth device when arbitrary data is written.
+		method on the Bluetooth device. The value written selects the
+		reset type:
+		  0 - Function Level Reset (FLR)
+		  1 - Product Level Device Reset (PLDR)
+		Writing any value other than 1 defaults to FLR.
 		The reset may or may not be done through the device transport
 		(e.g., UART/USB), and can also be done through an out-of-band
 		approach such as GPIO.
diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 9e39327dc1fe..d3a03cf96421 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -2486,7 +2486,7 @@ static void btintel_pcie_inc_recovery_count(struct pci_dev *pdev,
 }
 
 static int btintel_pcie_setup_hdev(struct btintel_pcie_data *data);
-static void btintel_pcie_reset(struct hci_dev *hdev);
+static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type);
 
 static int btintel_pcie_acpi_reset_method(struct btintel_pcie_data *data)
 {
@@ -2680,7 +2680,7 @@ static void btintel_pcie_reset_work(struct work_struct *wk)
 	pci_unlock_rescan_remove();
 }
 
-static void btintel_pcie_reset(struct hci_dev *hdev)
+static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btintel_pcie_data *data;
 
@@ -2692,6 +2692,12 @@ static void btintel_pcie_reset(struct hci_dev *hdev)
 	if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags))
 		return;
 
+	data->reset_type = (reset_type == 1) ?
+			    BTINTEL_PCIE_IOSF_PRR_PLDR : BTINTEL_PCIE_IOSF_PRR_FLR;
+
+	bt_dev_info(hdev, "Reset triggered: %s",
+		    data->reset_type == BTINTEL_PCIE_IOSF_PRR_PLDR ? "PLDR" : "FLR");
+
 	pci_dev_get(data->pdev);
 	schedule_work(&data->reset_work);
 }
@@ -2729,7 +2735,7 @@ static void btintel_pcie_hw_error(struct hci_dev *hdev, u8 code)
 		return;
 	}
 	btintel_pcie_inc_recovery_count(pdev, &hdev->dev);
-	btintel_pcie_reset(hdev);
+	btintel_pcie_reset(hdev, (code == 0x13) ? 1 : 0);
 }
 
 static bool btintel_pcie_wakeup(struct hci_dev *hdev)
@@ -3111,8 +3117,7 @@ static int btintel_pcie_resume(struct device *dev)
 	if (data->pm_sx_event == PM_EVENT_FREEZE ||
 	    data->pm_sx_event == PM_EVENT_HIBERNATE) {
 		set_bit(BTINTEL_PCIE_CORE_HALTED, &data->flags);
-		data->reset_type = BTINTEL_PCIE_IOSF_PRR_FLR;
-		btintel_pcie_reset(data->hdev);
+		btintel_pcie_reset(data->hdev, 0);
 		return 0;
 	}
 
@@ -3143,7 +3148,7 @@ static int btintel_pcie_resume(struct device *dev)
 			queue_work(data->coredump_workqueue, &data->coredump_work);
 		}
 		set_bit(BTINTEL_PCIE_CORE_HALTED, &data->flags);
-		btintel_pcie_reset(data->hdev);
+		btintel_pcie_reset(data->hdev, 0);
 	}
 	return err;
 }
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 02a96342e964..641f62912f63 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -104,7 +104,7 @@ static void btmtk_coredump_notify(struct hci_dev *hdev, int state)
 	case HCI_DEVCOREDUMP_ABORT:
 	case HCI_DEVCOREDUMP_DONE:
 		data->cd_info.state = HCI_DEVCOREDUMP_IDLE;
-		btmtk_reset_sync(hdev);
+		btmtk_reset_sync(hdev, 0);
 		break;
 	}
 }
@@ -384,7 +384,7 @@ int btmtk_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
 }
 EXPORT_SYMBOL_GPL(btmtk_set_bdaddr);
 
-void btmtk_reset_sync(struct hci_dev *hdev)
+void btmtk_reset_sync(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btmtk_data *reset_work = hci_get_priv(hdev);
 	int err;
@@ -1403,7 +1403,7 @@ int btmtk_usb_setup(struct hci_dev *hdev)
 		if (err < 0) {
 			/* retry once if setup firmware error */
 			if (!test_and_set_bit(BTMTK_FIRMWARE_DL_RETRY, &btmtk_data->flags))
-				btmtk_reset_sync(hdev);
+				btmtk_reset_sync(hdev, 0);
 			bt_dev_err(hdev, "Failed to set up firmware (%d)", err);
 			return err;
 		}
diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
index c83c24897c95..5cda42444e94 100644
--- a/drivers/bluetooth/btmtk.h
+++ b/drivers/bluetooth/btmtk.h
@@ -196,7 +196,7 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
 int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
 			 wmt_cmd_sync_func_t wmt_cmd_sync);
 
-void btmtk_reset_sync(struct hci_dev *hdev);
+void btmtk_reset_sync(struct hci_dev *hdev, u8 reset_type);
 
 int btmtk_register_coredump(struct hci_dev *hdev, const char *name,
 			    u32 fw_version);
@@ -244,7 +244,7 @@ static inline int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
 	return -EOPNOTSUPP;
 }
 
-static inline void btmtk_reset_sync(struct hci_dev *hdev)
+static inline void btmtk_reset_sync(struct hci_dev *hdev, u8 reset_type)
 {
 }
 
diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
index c6f80c419e90..3c4401ce1e00 100644
--- a/drivers/bluetooth/btmtksdio.c
+++ b/drivers/bluetooth/btmtksdio.c
@@ -1269,7 +1269,7 @@ static int btmtksdio_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 	return 0;
 }
 
-static void btmtksdio_reset(struct hci_dev *hdev)
+static void btmtksdio_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
 	u32 status;
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index e7036a48ce48..e2416b48116c 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -1539,7 +1539,7 @@ static bool nxp_wakeup(struct hci_dev *hdev)
 	return false;
 }
 
-static void nxp_reset(struct hci_dev *hdev)
+static void nxp_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev);
 
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 08c0a99a62c5..d701c7d82cad 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -1043,7 +1043,7 @@ static void btusb_reset(struct hci_dev *hdev)
 	usb_queue_reset_device(data->intf);
 }
 
-static void btusb_intel_reset(struct hci_dev *hdev)
+static void btusb_intel_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btusb_data *data = hci_get_drvdata(hdev);
 	struct gpio_desc *reset_gpio = data->reset_gpio;
@@ -1121,7 +1121,7 @@ static inline void btusb_rtl_alloc_devcoredump(struct hci_dev *hdev,
 	}
 }
 
-static void btusb_rtl_reset(struct hci_dev *hdev)
+static void btusb_rtl_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btusb_data *data = hci_get_drvdata(hdev);
 	struct gpio_desc *reset_gpio = data->reset_gpio;
@@ -1165,7 +1165,7 @@ static void btusb_rtl_hw_error(struct hci_dev *hdev, u8 code)
 	btusb_rtl_alloc_devcoredump(hdev, &hdr, NULL, 0);
 }
 
-static void btusb_qca_reset(struct hci_dev *hdev)
+static void btusb_qca_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct btusb_data *data = hci_get_drvdata(hdev);
 	struct gpio_desc *reset_gpio = data->reset_gpio;
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 244447195619..02b4afe77669 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1693,7 +1693,7 @@ static void qca_hw_error(struct hci_dev *hdev, u8 code)
 	clear_bit(QCA_HW_ERROR_EVENT, &qca->flags);
 }
 
-static void qca_reset(struct hci_dev *hdev)
+static void qca_reset(struct hci_dev *hdev, u8 reset_type)
 {
 	struct hci_uart *hu = hci_get_drvdata(hdev);
 	struct qca_data *qca = hu->priv;
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 7e15da47fe3a..00421352fcb5 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -650,7 +650,7 @@ struct hci_dev {
 	int (*post_init)(struct hci_dev *hdev);
 	int (*set_diag)(struct hci_dev *hdev, bool enable);
 	int (*set_bdaddr)(struct hci_dev *hdev, const bdaddr_t *bdaddr);
-	void (*reset)(struct hci_dev *hdev);
+	void (*reset)(struct hci_dev *hdev, u8 reset_type);
 	bool (*wakeup)(struct hci_dev *hdev);
 	int (*set_quality_report)(struct hci_dev *hdev, bool enable);
 	int (*get_data_path_id)(struct hci_dev *hdev, __u8 *data_path);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 5ba9fe8261ec..360b329ae6da 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1435,7 +1435,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	}
 
 	if (hdev->reset)
-		hdev->reset(hdev);
+		hdev->reset(hdev, 0);
 
 	atomic_set(&hdev->cmd_cnt, 1);
 	queue_work(hdev->workqueue, &hdev->cmd_work);
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 8957ce7c21b7..a4fe329158cf 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -97,8 +97,14 @@ static ssize_t reset_store(struct device *dev, struct device_attribute *attr,
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
 
-	if (hdev->reset)
-		hdev->reset(hdev);
+	if (hdev->reset) {
+		int val;
+
+		if (kstrtoint(buf, 10, &val) || val != 1)
+			hdev->reset(hdev, 0);
+		else
+			hdev->reset(hdev, 1);
+	}
 
 	return count;
 }
-- 
2.43.0

[PATCH v1 2/2] Bluetooth: btintel_pcie: Fix TOCTOU race in reset path

[Chandrashekar Devegowda]

Move the test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS) check
before the SETUP_DONE check to fix a Time-Of-Check to Time-Of-Use
race. Previously, multiple callers could pass the SETUP_DONE check
concurrently and then race on the RECOVERY_IN_PROGRESS flag,
potentially scheduling conflicting removal work.

By reordering the existing atomic guard to execute first, concurrent
reset requests are atomically rejected before any state is inspected.
The RECOVERY_IN_PROGRESS flag is cleared on the early-exit path
(setup not done) to allow future reset attempts.

Signed-off-by: Chandrashekar Devegowda <chandrashekar.devegowda@intel.com>
---
 drivers/bluetooth/btintel_pcie.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index d3a03cf96421..f4f400421833 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -2686,11 +2686,15 @@ static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type)
 
 	data = hci_get_drvdata(hdev);
 
-	if (!test_bit(BTINTEL_PCIE_SETUP_DONE, &data->flags))
+	if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags)) {
+		bt_dev_warn(hdev, "Reset rejected: recovery already in progress");
 		return;
+	}
 
-	if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags))
+	if (!test_bit(BTINTEL_PCIE_SETUP_DONE, &data->flags)) {
+		clear_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags);
 		return;
+	}
 
 	data->reset_type = (reset_type == 1) ?
 			    BTINTEL_PCIE_IOSF_PRR_PLDR : BTINTEL_PCIE_IOSF_PRR_FLR;
-- 
2.43.0

Re: [PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] BTINTEL_PCIE_RECOVERY_IN_PROGRESS flag is never cleared on reset failure, causing a permanent deadlock of the recovery mechanism.
--

commit 01c1befdb681c2e10f544ce7e32e0eba288f218c
Author: Chandrashekar Devegowda <chandrashekar.devegowda@intel.com>

Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

This patch adds a reset_type parameter to the Bluetooth hci_dev reset
callback, allowing userspace to specify whether to perform a Function Level
Reset (FLR) or a Product Level Device Reset (PLDR) via sysfs. Internal
callers are updated to default to FLR.

> diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
> index 9e39327dc1fe2..d3a03cf964216 100644
> --- a/drivers/bluetooth/btintel_pcie.c
> +++ b/drivers/bluetooth/btintel_pcie.c
[ ... ]
> @@ -2680,7 +2680,7 @@ static void btintel_pcie_reset_work(struct work_struct *wk)
>  	pci_unlock_rescan_remove();
>  }
>  
> -static void btintel_pcie_reset(struct hci_dev *hdev)
> +static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>  	struct btintel_pcie_data *data;
>  
> @@ -2692,6 +2692,12 @@ static void btintel_pcie_reset(struct hci_dev *hdev)
>  	if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags))
>  		return;

[Severity: High]
This is a pre-existing issue, but if btintel_pcie_reset_work() fails, does
the BTINTEL_PCIE_RECOVERY_IN_PROGRESS flag remain set permanently?

Looking at btintel_pcie_reset_work() in the same file, if
pci_try_reset_function() or btintel_pcie_setup_hdev() fail, the code jumps
to the out_enable label:

btintel_pcie_reset_work() {
        err = pci_try_reset_function(pdev);
        if (err) {
                BT_ERR("Failed resetting the pcie device (%d)", err);
                goto out_enable;
        }
        ...
        data->flags = 0;
        ...
out_enable:
        enable_work(&data->coredump_work);
out:
        ...
}

Because the error paths bypass the data->flags = 0 assignment, the
BTINTEL_PCIE_RECOVERY_IN_PROGRESS flag is never cleared. Would this cause
all future reset attempts (including the sysfs triggers introduced in this
patch) to be rejected indefinitely by the test_and_set_bit() check until
the module is reloaded?

> +	data->reset_type = (reset_type == 1) ?
> +			    BTINTEL_PCIE_IOSF_PRR_PLDR : BTINTEL_PCIE_IOSF_PRR_FLR;
> +
> +	bt_dev_info(hdev, "Reset triggered: %s",
> +		    data->reset_type == BTINTEL_PCIE_IOSF_PRR_PLDR ? "PLDR" : "FLR");
> +
>  	pci_dev_get(data->pdev);
>  	schedule_work(&data->reset_work);
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612012832.2395034-1-chandrashekar.devegowda@intel.com?part=1

Re: [PATCH v1 2/2] Bluetooth: btintel_pcie: Fix TOCTOU race in reset path

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [High] Non-atomic assignment `data->flags = 0;` in `btintel_pcie_reset_work` wipes out flags set concurrently via atomic bitops.
- [High] PCI device reference leak when `schedule_work()` fails due to reset work being disabled during device removal.
- [High] Null pointer dereference of `data->hdev` in suspend/resume handlers if device recovery fails.
- [High] Missing `dma_rmb()` after reading hardware-updated completion ring indices in MSI-X receive/transmit handlers.
--

commit 9ad44c0c51fefc58aa3ecc2842ab5a316618a24a
Author: Chandrashekar Devegowda <chandrashekar.devegowda@intel.com>

Bluetooth: btintel_pcie: Fix TOCTOU race in reset path

Move the test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS) check
before the SETUP_DONE check to fix a Time-Of-Check to Time-Of-Use
race. Previously, multiple callers could pass the SETUP_DONE check
concurrently and then race on the RECOVERY_IN_PROGRESS flag,
potentially scheduling conflicting removal work.

> diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
> index d3a03cf964216..f4f400421833b 100644
> --- a/drivers/bluetooth/btintel_pcie.c
> +++ b/drivers/bluetooth/btintel_pcie.c
> @@ -2686,11 +2686,15 @@ static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type)
>  
>  	data = hci_get_drvdata(hdev);

[Severity: High]
This isn't a bug introduced by this patch, but is it possible for
btintel_pcie_reset() to dereference a null hdev pointer here if device
recovery failed previously?

During an FLR reset triggered via btintel_pcie_reset_work(), the code calls
btintel_pcie_release_hdev(data), explicitly unregistering and setting
data->hdev = NULL. If the subsequent hardware reset operations fail (e.g.,
pci_try_reset_function() errors out), the worker exits early and abandons
recovery:

drivers/bluetooth/btintel_pcie.c:btintel_pcie_reset_work() {
        ...
        btintel_pcie_release_hdev(data);
        ...
        err = pci_try_reset_function(pdev);
        if (err) {
                BT_ERR("Failed resetting the pcie device (%d)", err);
                goto out_enable;
        }
        ...
}

This leaves data->hdev permanently as NULL. Later, if the system undergoes a
sleep/wake cycle, the PCI PM callback unconditionally checks for a halted
controller state and invokes btintel_pcie_reset():

drivers/bluetooth/btintel_pcie.c:btintel_pcie_resume() {
        ...
        btintel_pcie_reset(data->hdev, 0);
        ...
}

Because data->hdev is null, won't btintel_pcie_reset() immediately
dereference the null pointer via hci_get_drvdata(hdev)?

> -	if (!test_bit(BTINTEL_PCIE_SETUP_DONE, &data->flags))
> +	if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags)) {
> +		bt_dev_warn(hdev, "Reset rejected: recovery already in progress");
>  		return;
> +	}
>  
> -	if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags))
> +	if (!test_bit(BTINTEL_PCIE_SETUP_DONE, &data->flags)) {
> +		clear_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags);
>  		return;
> +	}
>  
>  	data->reset_type = (reset_type == 1) ?
>  			    BTINTEL_PCIE_IOSF_PRR_PLDR : BTINTEL_PCIE_IOSF_PRR_FLR;

[Severity: High]
This isn't a bug introduced by this patch, but does this function leak a
PCI device reference if schedule_work() fails during driver teardown?

In btintel_pcie_reset(), the driver unconditionally increments the PCI
device reference before calling schedule_work():

drivers/bluetooth/btintel_pcie.c:btintel_pcie_reset() {
        ...
        pci_dev_get(data->pdev);
        schedule_work(&data->reset_work);
}

Normally, this reference is balanced by a pci_dev_put() inside the worker
thread. However, during driver teardown, disable_work_sync() is
intentionally called to block further reset executions:

drivers/bluetooth/btintel_pcie.c:btintel_pcie_remove() {
        ...
        disable_work_sync(&data->reset_work);

        btintel_pcie_disable_interrupts(data);
        ...
}

Because disable_work_sync() is called before disabling interrupts, if a
hardware exception interrupt fires within this deterministic window, it will
invoke btintel_pcie_reset(). The schedule_work() call will return false
(since the work is disabled), but the driver fails to check this return
value. Could this permanently leak the pci_dev reference and prevent the
PCI subsystem from fully releasing the device?


[Severity: High]
This isn't a bug introduced by this patch, but can the non-atomic assignment
in btintel_pcie_reset_work() wipe out flags set concurrently via atomic
bitops?

In btintel_pcie_reset_work(), the driver attempts to clear all flags by
executing a direct assignment:

drivers/bluetooth/btintel_pcie.c:btintel_pcie_reset_work() {
        ...
        data->flags = 0;
        ...
}

However, this occurs shortly after interrupts are unmasked via
btintel_pcie_enable_interrupts(data). If an MSI-X interrupt fires between
the unmasking and the assignment, the IRQ handler might use atomic bitops
(e.g., test_and_set_bit(BTINTEL_PCIE_CORE_HALTED, &data->flags) in
btintel_pcie_msix_hw_exp_handler) to record a critical hardware event.

Will the non-atomic store silently overwrite and lose these concurrently set
flags, potentially dropping hardware exceptions or blocking core dumps from
executing?


[Severity: High]
This isn't a bug introduced by this patch, but are memory barriers required
after reading the hardware-updated completion ring indices in the MSI-X
interrupt handlers?

In the MSI-X interrupt handlers, the driver reads the hardware-updated
completion ring head indices to determine how many descriptors are ready:

drivers/bluetooth/btintel_pcie.c:btintel_pcie_msix_rx_handle() {
        ...
        cr_hia = data->ia.cr_hia[BTINTEL_PCIE_RXQ_NUM];
        ...
}

And similarly in the TX handler:

drivers/bluetooth/btintel_pcie.c:btintel_pcie_msix_tx_handle() {
        ...
        cr_hia = data->ia.cr_hia[BTINTEL_PCIE_TXQ_NUM];
        ...
}

It then immediately iterates into the ring to process the descriptors from
coherent DMA memory. There is no read memory barrier (dma_rmb()) between
fetching the index and reading the descriptor contents.

On weakly ordered CPU architectures, can these reads be reordered by the CPU
or compiler, leading to the host fetching and processing stale descriptor
data before the hardware's updates to the memory have become visible?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612012832.2395034-1-chandrashekar.devegowda@intel.com?part=2

Re: [PATCH v1 2/2] Bluetooth: btintel_pcie: Fix TOCTOU race in reset path

[kernel test robot]

Hi Chandrashekar,

kernel test robot noticed the following build warnings:

[auto build test WARNING on bluetooth-next/master]
[also build test WARNING on next-20260611]
[cannot apply to bluetooth/master linus/master v7.1-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Chandrashekar-Devegowda/Bluetooth-btintel_pcie-Fix-TOCTOU-race-in-reset-path/20260612-093045
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
patch link:    https://lore.kernel.org/r/20260612012832.2395034-2-chandrashekar.devegowda%40intel.com
patch subject: [PATCH v1 2/2] Bluetooth: btintel_pcie: Fix TOCTOU race in reset path
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project f43d6834093b19baf79beda8c0337ab020ac5f17)
docutils: docutils (Docutils 0.21.2, Python 3.13.5, on linux)
reproduce: (https://download.01.org/0day-ci/archive/20260612/202606121343.Ix11WMZO-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202606121343.Ix11WMZO-lkp@intel.com/

All warnings (new ones prefixed by >>):

   WARNING: /sys/bus/usb/devices/<busnum>-<devnum>:<config num>.<interface num>/<hid-bus>:<vendor-id>:<product-id>.<num>/os_mode is defined 2 times: Documentation/ABI/testing/sysfs-driver-hid-lenovo-go:364; Documentation/ABI/testing/sysfs-driver-hid-lenovo-go-s:234
   WARNING: /sys/bus/usb/devices/<busnum>-<devnum>:<config num>.<interface num>/<hid-bus>:<vendor-id>:<product-id>.<num>/os_mode_index is defined 2 times: Documentation/ABI/testing/sysfs-driver-hid-lenovo-go:373; Documentation/ABI/testing/sysfs-driver-hid-lenovo-go-s:243
   WARNING: /sys/bus/usb/devices/<busnum>-<devnum>:<config num>.<interface num>/<hid-bus>:<vendor-id>:<product-id>.<num>/touchpad/enabled is defined 2 times: Documentation/ABI/testing/sysfs-driver-hid-lenovo-go:636; Documentation/ABI/testing/sysfs-driver-hid-lenovo-go-s:252
   WARNING: /sys/bus/usb/devices/<busnum>-<devnum>:<config num>.<interface num>/<hid-bus>:<vendor-id>:<product-id>.<num>/touchpad/enabled_index is defined 2 times: Documentation/ABI/testing/sysfs-driver-hid-lenovo-go:645; Documentation/ABI/testing/sysfs-driver-hid-lenovo-go-s:261
   Documentation/ABI/stable/sysfs-class-bluetooth:1: ERROR: Unexpected indentation. [docutils]
>> Documentation/ABI/stable/sysfs-class-bluetooth:1: WARNING: Block quote ends without a blank line; unexpected unindent. [docutils]
   Documentation/core-api/kref:328: ./include/linux/kref.h:72: WARNING: Invalid C declaration: Expected end of definition. [error at 96]
   int kref_put_mutex (struct kref *kref, void (*release)(struct kref *kref), struct mutex *mutex) __cond_acquires(true# mutex)
   ------------------------------------------------------------------------------------------------^
   Documentation/core-api/kref:328: ./include/linux/kref.h:94: WARNING: Invalid C declaration: Expected end of definition. [error at 92]
   int kref_put_lock (struct kref *kref, void (*release)(struct kref *kref), spinlock_t *lock) __cond_acquires(true# lock)


vim +1 Documentation/ABI/stable/sysfs-class-bluetooth

514a8e6d6152a41 Hsin-chen Chuang 2025-01-20 @1  What: 		/sys/class/bluetooth/hci<index>/reset

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

[Luiz Augusto von Dentz]

Hi Chandru,

On Thu, Jun 11, 2026 at 10:29 PM Chandrashekar Devegowda
<chandrashekar.devegowda@intel.com> wrote:
>
> Add a u8 reset_type parameter to the hdev->reset() callback to allow
> userspace to select the reset method via sysfs. Writing 1 to
> /sys/class/bluetooth/hci0/reset triggers a Product Level Device
> Reset (PLDR), while any other value triggers a Function Level Reset
> (FLR).
>
> The reset_type values are:
>   0 - Function Level Reset (FLR)
>   1 - Product Level Device Reset (PLDR)

This should probably be treated as a generic level at the sysfs level,
then each vendor can interpret according to its own needs, for
btintel_pcie that would result in the above levels.

> Internal callers (command timeout, suspend/resume, coredump)
> default to FLR (0).
>
> All drivers implementing the reset callback are updated to accept
> the new parameter:
>   - btusb: btusb_intel_reset, btusb_qca_reset, btusb_rtl_reset
>   - hci_qca: qca_reset
>   - btmtksdio: btmtksdio_reset
>   - btmtk: btmtk_reset_sync
>   - btnxpuart: nxp_reset
>   - btintel_pcie: btintel_pcie_reset (maps to Intel PRR types)
>
> Signed-off-by: Chandrashekar Devegowda <chandrashekar.devegowda@intel.com>
> ---
>  Documentation/ABI/stable/sysfs-class-bluetooth |  6 +++++-
>  drivers/bluetooth/btintel_pcie.c               | 17 +++++++++++------
>  drivers/bluetooth/btmtk.c                      |  6 +++---
>  drivers/bluetooth/btmtk.h                      |  4 ++--
>  drivers/bluetooth/btmtksdio.c                  |  2 +-
>  drivers/bluetooth/btnxpuart.c                  |  2 +-
>  drivers/bluetooth/btusb.c                      |  6 +++---
>  drivers/bluetooth/hci_qca.c                    |  2 +-
>  include/net/bluetooth/hci_core.h               |  2 +-
>  net/bluetooth/hci_core.c                       |  2 +-
>  net/bluetooth/hci_sysfs.c                      | 10 ++++++++--
>  11 files changed, 37 insertions(+), 22 deletions(-)
>
> diff --git a/Documentation/ABI/stable/sysfs-class-bluetooth b/Documentation/ABI/stable/sysfs-class-bluetooth
> index 36be02471174..8f485fa02a47 100644
> --- a/Documentation/ABI/stable/sysfs-class-bluetooth
> +++ b/Documentation/ABI/stable/sysfs-class-bluetooth
> @@ -3,7 +3,11 @@ Date:          14-Jan-2025
>  KernelVersion: 6.13
>  Contact:       linux-bluetooth@vger.kernel.org
>  Description:   This write-only attribute allows users to trigger the vendor reset
> -               method on the Bluetooth device when arbitrary data is written.
> +               method on the Bluetooth device. The value written selects the
> +               reset type:
> +                 0 - Function Level Reset (FLR)
> +                 1 - Product Level Device Reset (PLDR)
> +               Writing any value other than 1 defaults to FLR.
>                 The reset may or may not be done through the device transport
>                 (e.g., UART/USB), and can also be done through an out-of-band
>                 approach such as GPIO.
> diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
> index 9e39327dc1fe..d3a03cf96421 100644
> --- a/drivers/bluetooth/btintel_pcie.c
> +++ b/drivers/bluetooth/btintel_pcie.c
> @@ -2486,7 +2486,7 @@ static void btintel_pcie_inc_recovery_count(struct pci_dev *pdev,
>  }
>
>  static int btintel_pcie_setup_hdev(struct btintel_pcie_data *data);
> -static void btintel_pcie_reset(struct hci_dev *hdev);
> +static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type);
>
>  static int btintel_pcie_acpi_reset_method(struct btintel_pcie_data *data)
>  {
> @@ -2680,7 +2680,7 @@ static void btintel_pcie_reset_work(struct work_struct *wk)
>         pci_unlock_rescan_remove();
>  }
>
> -static void btintel_pcie_reset(struct hci_dev *hdev)
> +static void btintel_pcie_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btintel_pcie_data *data;
>
> @@ -2692,6 +2692,12 @@ static void btintel_pcie_reset(struct hci_dev *hdev)
>         if (test_and_set_bit(BTINTEL_PCIE_RECOVERY_IN_PROGRESS, &data->flags))
>                 return;
>
> +       data->reset_type = (reset_type == 1) ?
> +                           BTINTEL_PCIE_IOSF_PRR_PLDR : BTINTEL_PCIE_IOSF_PRR_FLR;
> +
> +       bt_dev_info(hdev, "Reset triggered: %s",
> +                   data->reset_type == BTINTEL_PCIE_IOSF_PRR_PLDR ? "PLDR" : "FLR");
> +
>         pci_dev_get(data->pdev);
>         schedule_work(&data->reset_work);
>  }
> @@ -2729,7 +2735,7 @@ static void btintel_pcie_hw_error(struct hci_dev *hdev, u8 code)
>                 return;
>         }
>         btintel_pcie_inc_recovery_count(pdev, &hdev->dev);
> -       btintel_pcie_reset(hdev);
> +       btintel_pcie_reset(hdev, (code == 0x13) ? 1 : 0);
>  }
>
>  static bool btintel_pcie_wakeup(struct hci_dev *hdev)
> @@ -3111,8 +3117,7 @@ static int btintel_pcie_resume(struct device *dev)
>         if (data->pm_sx_event == PM_EVENT_FREEZE ||
>             data->pm_sx_event == PM_EVENT_HIBERNATE) {
>                 set_bit(BTINTEL_PCIE_CORE_HALTED, &data->flags);
> -               data->reset_type = BTINTEL_PCIE_IOSF_PRR_FLR;
> -               btintel_pcie_reset(data->hdev);
> +               btintel_pcie_reset(data->hdev, 0);
>                 return 0;
>         }
>
> @@ -3143,7 +3148,7 @@ static int btintel_pcie_resume(struct device *dev)
>                         queue_work(data->coredump_workqueue, &data->coredump_work);
>                 }
>                 set_bit(BTINTEL_PCIE_CORE_HALTED, &data->flags);
> -               btintel_pcie_reset(data->hdev);
> +               btintel_pcie_reset(data->hdev, 0);
>         }
>         return err;
>  }
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index 02a96342e964..641f62912f63 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -104,7 +104,7 @@ static void btmtk_coredump_notify(struct hci_dev *hdev, int state)
>         case HCI_DEVCOREDUMP_ABORT:
>         case HCI_DEVCOREDUMP_DONE:
>                 data->cd_info.state = HCI_DEVCOREDUMP_IDLE;
> -               btmtk_reset_sync(hdev);
> +               btmtk_reset_sync(hdev, 0);
>                 break;
>         }
>  }
> @@ -384,7 +384,7 @@ int btmtk_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
>  }
>  EXPORT_SYMBOL_GPL(btmtk_set_bdaddr);
>
> -void btmtk_reset_sync(struct hci_dev *hdev)
> +void btmtk_reset_sync(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btmtk_data *reset_work = hci_get_priv(hdev);
>         int err;
> @@ -1403,7 +1403,7 @@ int btmtk_usb_setup(struct hci_dev *hdev)
>                 if (err < 0) {
>                         /* retry once if setup firmware error */
>                         if (!test_and_set_bit(BTMTK_FIRMWARE_DL_RETRY, &btmtk_data->flags))
> -                               btmtk_reset_sync(hdev);
> +                               btmtk_reset_sync(hdev, 0);
>                         bt_dev_err(hdev, "Failed to set up firmware (%d)", err);
>                         return err;
>                 }
> diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
> index c83c24897c95..5cda42444e94 100644
> --- a/drivers/bluetooth/btmtk.h
> +++ b/drivers/bluetooth/btmtk.h
> @@ -196,7 +196,7 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
>  int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
>                          wmt_cmd_sync_func_t wmt_cmd_sync);
>
> -void btmtk_reset_sync(struct hci_dev *hdev);
> +void btmtk_reset_sync(struct hci_dev *hdev, u8 reset_type);
>
>  int btmtk_register_coredump(struct hci_dev *hdev, const char *name,
>                             u32 fw_version);
> @@ -244,7 +244,7 @@ static inline int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
>         return -EOPNOTSUPP;
>  }
>
> -static inline void btmtk_reset_sync(struct hci_dev *hdev)
> +static inline void btmtk_reset_sync(struct hci_dev *hdev, u8 reset_type)
>  {
>  }
>
> diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
> index c6f80c419e90..3c4401ce1e00 100644
> --- a/drivers/bluetooth/btmtksdio.c
> +++ b/drivers/bluetooth/btmtksdio.c
> @@ -1269,7 +1269,7 @@ static int btmtksdio_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
>         return 0;
>  }
>
> -static void btmtksdio_reset(struct hci_dev *hdev)
> +static void btmtksdio_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
>         u32 status;
> diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
> index e7036a48ce48..e2416b48116c 100644
> --- a/drivers/bluetooth/btnxpuart.c
> +++ b/drivers/bluetooth/btnxpuart.c
> @@ -1539,7 +1539,7 @@ static bool nxp_wakeup(struct hci_dev *hdev)
>         return false;
>  }
>
> -static void nxp_reset(struct hci_dev *hdev)
> +static void nxp_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev);
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index 08c0a99a62c5..d701c7d82cad 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -1043,7 +1043,7 @@ static void btusb_reset(struct hci_dev *hdev)
>         usb_queue_reset_device(data->intf);
>  }
>
> -static void btusb_intel_reset(struct hci_dev *hdev)
> +static void btusb_intel_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btusb_data *data = hci_get_drvdata(hdev);
>         struct gpio_desc *reset_gpio = data->reset_gpio;
> @@ -1121,7 +1121,7 @@ static inline void btusb_rtl_alloc_devcoredump(struct hci_dev *hdev,
>         }
>  }
>
> -static void btusb_rtl_reset(struct hci_dev *hdev)
> +static void btusb_rtl_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btusb_data *data = hci_get_drvdata(hdev);
>         struct gpio_desc *reset_gpio = data->reset_gpio;
> @@ -1165,7 +1165,7 @@ static void btusb_rtl_hw_error(struct hci_dev *hdev, u8 code)
>         btusb_rtl_alloc_devcoredump(hdev, &hdr, NULL, 0);
>  }
>
> -static void btusb_qca_reset(struct hci_dev *hdev)
> +static void btusb_qca_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct btusb_data *data = hci_get_drvdata(hdev);
>         struct gpio_desc *reset_gpio = data->reset_gpio;
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
> index 244447195619..02b4afe77669 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -1693,7 +1693,7 @@ static void qca_hw_error(struct hci_dev *hdev, u8 code)
>         clear_bit(QCA_HW_ERROR_EVENT, &qca->flags);
>  }
>
> -static void qca_reset(struct hci_dev *hdev)
> +static void qca_reset(struct hci_dev *hdev, u8 reset_type)
>  {
>         struct hci_uart *hu = hci_get_drvdata(hdev);
>         struct qca_data *qca = hu->priv;
> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> index 7e15da47fe3a..00421352fcb5 100644
> --- a/include/net/bluetooth/hci_core.h
> +++ b/include/net/bluetooth/hci_core.h
> @@ -650,7 +650,7 @@ struct hci_dev {
>         int (*post_init)(struct hci_dev *hdev);
>         int (*set_diag)(struct hci_dev *hdev, bool enable);
>         int (*set_bdaddr)(struct hci_dev *hdev, const bdaddr_t *bdaddr);
> -       void (*reset)(struct hci_dev *hdev);
> +       void (*reset)(struct hci_dev *hdev, u8 reset_type);
>         bool (*wakeup)(struct hci_dev *hdev);
>         int (*set_quality_report)(struct hci_dev *hdev, bool enable);
>         int (*get_data_path_id)(struct hci_dev *hdev, __u8 *data_path);
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 5ba9fe8261ec..360b329ae6da 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -1435,7 +1435,7 @@ static void hci_cmd_timeout(struct work_struct *work)
>         }
>
>         if (hdev->reset)
> -               hdev->reset(hdev);
> +               hdev->reset(hdev, 0);
>
>         atomic_set(&hdev->cmd_cnt, 1);
>         queue_work(hdev->workqueue, &hdev->cmd_work);
> diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
> index 8957ce7c21b7..a4fe329158cf 100644
> --- a/net/bluetooth/hci_sysfs.c
> +++ b/net/bluetooth/hci_sysfs.c
> @@ -97,8 +97,14 @@ static ssize_t reset_store(struct device *dev, struct device_attribute *attr,
>  {
>         struct hci_dev *hdev = to_hci_dev(dev);
>
> -       if (hdev->reset)
> -               hdev->reset(hdev);
> +       if (hdev->reset) {
> +               int val;
> +
> +               if (kstrtoint(buf, 10, &val) || val != 1)
> +                       hdev->reset(hdev, 0);
> +               else
> +                       hdev->reset(hdev, 1);
> +       }
>
>         return count;
>  }
> --
> 2.43.0
>
>


-- 
Luiz Augusto von Dentz

Re: [PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

[Bjorn Helgaas]

On Fri, Jun 12, 2026 at 11:08:06AM -0300, Luiz Augusto von Dentz wrote:
> On Thu, Jun 11, 2026 at 10:29 PM Chandrashekar Devegowda
> <chandrashekar.devegowda@intel.com> wrote:
> >
> > Add a u8 reset_type parameter to the hdev->reset() callback to allow
> > userspace to select the reset method via sysfs. Writing 1 to
> > /sys/class/bluetooth/hci0/reset triggers a Product Level Device
> > Reset (PLDR), while any other value triggers a Function Level Reset
> > (FLR).
> >
> > The reset_type values are:
> >   0 - Function Level Reset (FLR)
> >   1 - Product Level Device Reset (PLDR)
> 
> This should probably be treated as a generic level at the sysfs level,
> then each vendor can interpret according to its own needs, for
> btintel_pcie that would result in the above levels.

Are you suggesting that this should be implemented in the
pci_dev_reset_methods[] framework in drivers/pci/quirks.c, so the
PCI-generic /sys/bus/pci/devices/.../reset interface could do the
PLDR?

That sounds worth exploring, although I really don't know anything
about the unusual multi-function model of some of these devices.
And the /sys/class/bluetooth/hci<index>/reset attribute already exists
and probably couldn't be removed.

Re: [PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback

[Luiz Augusto von Dentz]

Hi Bjorn,

On Fri, Jun 12, 2026 at 11:28 AM Bjorn Helgaas <helgaas@kernel.org> wrote:
>
> On Fri, Jun 12, 2026 at 11:08:06AM -0300, Luiz Augusto von Dentz wrote:
> > On Thu, Jun 11, 2026 at 10:29 PM Chandrashekar Devegowda
> > <chandrashekar.devegowda@intel.com> wrote:
> > >
> > > Add a u8 reset_type parameter to the hdev->reset() callback to allow
> > > userspace to select the reset method via sysfs. Writing 1 to
> > > /sys/class/bluetooth/hci0/reset triggers a Product Level Device
> > > Reset (PLDR), while any other value triggers a Function Level Reset
> > > (FLR).
> > >
> > > The reset_type values are:
> > >   0 - Function Level Reset (FLR)
> > >   1 - Product Level Device Reset (PLDR)
> >
> > This should probably be treated as a generic level at the sysfs level,
> > then each vendor can interpret according to its own needs, for
> > btintel_pcie that would result in the above levels.
>
> Are you suggesting that this should be implemented in the
> pci_dev_reset_methods[] framework in drivers/pci/quirks.c, so the
> PCI-generic /sys/bus/pci/devices/.../reset interface could do the
> PLDR?

This is the Bluetooth sysfs reset entry, not the PCI one, which was
created for Bluetooth-specific reset methods like the one above. If
you think the generic level could be applied to the PCI sysfs level
that is perhaps a different suggestion.

> That sounds worth exploring, although I really don't know anything
> about the unusual multi-function model of some of these devices.
> And the /sys/class/bluetooth/hci<index>/reset attribute already exists
> and probably couldn't be removed.

Yeah, I suggested just treating the parameter as generic levels, so we
don't define its domain and leave it for each driver to decide how to
interpret it. The sysfs entry is not transport-specific (pci, usb,
uart), so using pci terminology in the documentation may lead to the
assumption that it is PCI-specific when it is not.

-- 
Luiz Augusto von Dentz