* [PATCH v3 1/5] Bluetooth: btusb: fix use-after-free on registration failure
From: Johan Hovold @ 2026-04-02 15:48 UTC
To: Luiz Augusto von Dentz, Marcel Holtmann
Cc: linux-bluetooth, linux-kernel, Johan Hovold, stable
Make sure to release the sibling interfaces in case controller
registration fails to avoid use-after-free and double-free when they are
eventually disconnected.
This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe error paths.
Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
Cc: stable@vger.kernel.org # 2.6.27
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/bluetooth/btusb.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 21e85c212506..97de6e6e7dbc 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4372,7 +4372,7 @@ static int btusb_probe(struct usb_interface *intf,
err = hci_register_dev(hdev);
if (err < 0)
- goto out_free_dev;
+ goto err_release_siblings;
usb_set_intfdata(intf, data);
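Review bot: the new jump is only correct for failures that occur after both sibling interfaces have been claimed, which holds for hci_register_dev() here because it is the last step before usb_set_intfdata(); any failure point later inserted between the sibling claims and registration would have to use err_release_siblings rather than out_free_dev too, so a short comment on the label, or a sentence in the commit message spelling out that ordering, would keep the next change from reintroducing the leak of a claimed interface.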
@@ -4381,6 +4381,15 @@ static int btusb_probe(struct usb_interface *intf,
return 0;
+err_release_siblings:
+ if (data->diag) {
+ usb_set_intfdata(data->diag, NULL);
+ usb_driver_release_interface(&btusb_driver, data->diag);
+ }
+ if (data->isoc) {
+ usb_set_intfdata(data->isoc, NULL);
+ usb_driver_release_interface(&btusb_driver, data->isoc);
+ }
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
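Review bot: clearing the interface data before usb_driver_release_interface() matters because release triggers the driver's disconnect callback for that interface, and the callback must then find a NULL pointer for the sibling rather than a btusb_data that out_free_dev is about to tear down; that dependency on btusb_disconnect() returning early when it sees no interface data deserves a one-line comment above err_release_siblings, e.g. `/* disconnect callback for the siblings must not see our data */`. Releasing diag before isoc (the reverse of the claim order) is fine.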
--
2.52.0
* [PATCH v3 2/5] Bluetooth: btusb: fix use-after-free on marvell probe failure
From: Johan Hovold @ 2026-04-02 15:48 UTC
To: Luiz Augusto von Dentz, Marcel Holtmann
Cc: linux-bluetooth, linux-kernel, Johan Hovold, stable, Rajat Jain
Make sure to stop any TX URBs submitted during Marvell OOB wakeup
configuration on later probe failures to avoid use-after-free in the
completion callback.
This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe error paths.
Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: a4ccc9e33d2f ("Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup")
Cc: stable@vger.kernel.org # 4.11
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/bluetooth/btusb.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 97de6e6e7dbc..b6f2bed7d1b8 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4183,7 +4183,7 @@ static int btusb_probe(struct usb_interface *intf,
if (id->driver_info & BTUSB_INTEL_COMBINED) {
err = btintel_configure_setup(hdev, btusb_driver.name);
if (err)
- goto out_free_dev;
+ goto err_kill_tx_urbs;
/* Transport specific configuration */
hdev->send = btusb_send_frame_intel;
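Review bot: this is the first of three error exits the patch redirects, and it is only safe because err_kill_tx_urbs falls through to out_free_dev without passing err_release_siblings (no sibling interface has been claimed at this point in probe); the commit message should state that every failure point after marvell_config_oob_wake(), up to and including the isoc claim, now unwinds through err_kill_tx_urbs, so a reader does not have to reconstruct the label order from the last hunk to see why this goto does not release anything.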
@@ -4346,7 +4346,7 @@ static int btusb_probe(struct usb_interface *intf,
err = usb_set_interface(data->udev, 0, 0);
if (err < 0) {
BT_ERR("failed to set interface 0, alt 0 %d", err);
- goto out_free_dev;
+ goto err_kill_tx_urbs;
}
}
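Review bot: same redirect as the intel-combined exit above, and correct for the same reason. The pre-existing BT_ERR() on the context line does not identify the controller; bt_dev_err(hdev, ...) would be the idiomatic replacement if this line is touched again, but that is a separate cleanup and rightly left out of a stable-tagged fix.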
@@ -4354,7 +4354,7 @@ static int btusb_probe(struct usb_interface *intf,
err = usb_driver_claim_interface(&btusb_driver,
data->isoc, data);
if (err < 0)
- goto out_free_dev;
+ goto err_kill_tx_urbs;
}
if (IS_ENABLED(CONFIG_BT_HCIBTUSB_BCM) && data->diag) {
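Review bot: when usb_driver_claim_interface() fails for data->isoc the pointer stays set but the interface is not claimed, so skipping err_release_siblings here is necessary rather than merely convenient: releasing an interface this driver never claimed would be wrong. A comment at this goto would spare the next reader from asking why a claim failure does not release the sibling the way the registration failure further down does.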
@@ -4390,6 +4390,8 @@ static int btusb_probe(struct usb_interface *intf,
usb_set_intfdata(data->isoc, NULL);
usb_driver_release_interface(&btusb_driver, data->isoc);
}
+err_kill_tx_urbs:
+ usb_kill_anchored_urbs(&data->tx_anchor);
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
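Review bot: usb_kill_anchored_urbs() waits for every in-flight completion callback on tx_anchor to finish, which is exactly what keeps the callback from touching hdev after out_free_dev releases it, so this label must stay above out_free_dev; calling it unconditionally when the anchor is empty is harmless. Please pin the ordering with a comment, e.g. `/* must complete before hdev is freed below */`, so a later reshuffle of the unwind chain does not silently reopen the use-after-free.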
--
2.52.0
* [PATCH v3 3/5] Bluetooth: btusb: fix wakeup source leak on probe failure
From: Johan Hovold @ 2026-04-02 15:48 UTC
To: Luiz Augusto von Dentz, Marcel Holtmann
Cc: linux-bluetooth, linux-kernel, Johan Hovold, stable, Rajat Jain
Make sure to disable wakeup on probe failure to avoid leaking the wakeup
source.
Fixes: fd913ef7ce61 ("Bluetooth: btusb: Add out-of-band wakeup support")
Cc: stable@vger.kernel.org # 4.11
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/bluetooth/btusb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index b6f2bed7d1b8..cb0d40a7af8f 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4146,7 +4146,7 @@ static int btusb_probe(struct usb_interface *intf,
if (id->driver_info & BTUSB_MARVELL && data->oob_wake_irq) {
err = marvell_config_oob_wake(hdev);
if (err)
- goto out_free_dev;
+ goto err_disable_wakeup;
}
#endif
if (id->driver_info & BTUSB_CW6622)
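Review bot: this jump bypasses err_kill_tx_urbs, because err_disable_wakeup sits below it in the unwind chain; if marvell_config_oob_wake() can fail after it has already handed a command to the transport (for example when it issues more than one vendor command and a later one fails), that URB is left outstanding while hdev is freed, which is the very use-after-free that patch 2/5 closes for the later exits. Either state in the commit message that the function leaves no URB in flight on failure, or jump to err_kill_tx_urbs and move err_disable_wakeup below it so the fall-through covers both.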
@@ -4392,6 +4392,9 @@ static int btusb_probe(struct usb_interface *intf,
}
err_kill_tx_urbs:
usb_kill_anchored_urbs(&data->tx_anchor);
+err_disable_wakeup:
+ if (data->oob_wake_irq)
+ device_init_wakeup(&data->udev->dev, false);
out_free_dev:
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
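Review bot: the data->oob_wake_irq guard mirrors the condition under which wakeup was enabled, so this disables it only where it was turned on, which is right. Naming in the commit message which function called device_init_wakeup(..., true) would let reviewers verify the pairing without opening the file, and it is worth confirming that btusb_disconnect() performs the same disable so the probe-failure and disconnect paths stay symmetric.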
--
2.52.0
* Re: [PATCH v3 1/5] Bluetooth: btusb: fix use-after-free on registration failure
From: Paul Menzel @ 2026-04-02 20:56 UTC
To: Johan Hovold
Cc: Luiz Augusto von Dentz, Marcel Holtmann, linux-bluetooth,
linux-kernel, stable
Dear Johan,
Thank you for looking into and fixing the additional comments.
On 02.04.26 at 17:48, Johan Hovold wrote:
> Make sure to release the sibling interfaces in case controller
> registration fails to avoid use-after-free and double-free when they are
> eventually disconnected.
>
> This issue was reported by Sashiko while reviewing a fix for a wakeup
> source leak in the btusb probe error paths.
>
> Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
> Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
> Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
> Cc: stable@vger.kernel.org # 2.6.27
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> drivers/bluetooth/btusb.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index 21e85c212506..97de6e6e7dbc 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -4372,7 +4372,7 @@ static int btusb_probe(struct usb_interface *intf,
>
> err = hci_register_dev(hdev);
> if (err < 0)
> - goto out_free_dev;
> + goto err_release_siblings;
>
> usb_set_intfdata(intf, data);
>
> @@ -4381,6 +4381,15 @@ static int btusb_probe(struct usb_interface *intf,
>
> return 0;
>
> +err_release_siblings:
> + if (data->diag) {
> + usb_set_intfdata(data->diag, NULL);
> + usb_driver_release_interface(&btusb_driver, data->diag);
> + }
> + if (data->isoc) {
> + usb_set_intfdata(data->isoc, NULL);
> + usb_driver_release_interface(&btusb_driver, data->isoc);
> + }
> out_free_dev:
> if (data->reset_gpio)
> gpiod_put(data->reset_gpio);
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul