[PW_SID:1031579] Bluetooth: btintel: serialize hw error recovery with req_lock #3208

BluezTestBot · 2025-12-09T07:20:43Z

btintel_hw_error() issues two __hci_cmd_sync() calls to reset the
controller and fetch the Intel exception report. Unlike the shutdown
path, this helper ran without hci_req_sync_lock(), so it could race
against hci_dev_do_close() and both sides would manipulate
hdev->req_status/req_rsp concurrently.When the close path freed the
shared response buffer first, the still running hw_error path hit a
slab-use-after-free inside kfree_skb() (skb_unref → atomic_read) and
KASAN reported the crash in the trace.

Acquire hci_req_sync_lock() around the hw_error recovery sequence and
make sure all error/cleanup paths release it. This serializes the Intel
handler with every other synchronous command issuer and prevents the
req_* bookkeeping from being double-touched.

Below is the data race report and the kasan report:

BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined

read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83
write/free of same SKB at drivers/bluetooth/btintel.c:3660 by task ioctl/22580

Call Trace (reader):
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
...

Call Trace (writer):
btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
...

BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83

Call Trace:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
...

Allocated by task 84:
skb_clone+0x212/0x3a0 net/core/skbuff.c:2049
hci_event_packet+0x66c/0x2da0 net/bluetooth/hci_event.c:7614
...

Freed by task 22580:
btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
...

Signed-off-by: Cen Zhang zzzccc427@gmail.com

drivers/bluetooth/btintel.c | 6 ++++++
1 file changed, 6 insertions(+)

This patch adds workflow files for ci: [sync.yml] - The workflow file for scheduled work - Sync the repo with upstream repo and rebase the workflow branch - Review the patches in the patchwork and creates the PR if needed [ci.yml] - The workflow file for CI tasks - Run CI tests when PR is created Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>

btintel_hw_error() issues two __hci_cmd_sync() calls to reset the controller and fetch the Intel exception report. Unlike the shutdown path, this helper ran without hci_req_sync_lock(), so it could race against hci_dev_do_close() and both sides would manipulate hdev->req_status/req_rsp concurrently.When the close path freed the shared response buffer first, the still running hw_error path hit a slab-use-after-free inside kfree_skb() (skb_unref → atomic_read) and KASAN reported the crash in the trace. Acquire hci_req_sync_lock() around the hw_error recovery sequence and make sure all error/cleanup paths release it. This serializes the Intel handler with every other synchronous command issuer and prevents the req_* bookkeeping from being double-touched. Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83 write/free of same SKB at drivers/bluetooth/btintel.c:3660 by task ioctl/22580 Call Trace (reader): __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 ... Call Trace (writer): btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 ... BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83 Call Trace: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260 ... Allocated by task 84: skb_clone+0x212/0x3a0 net/core/skbuff.c:2049 hci_event_packet+0x66c/0x2da0 net/bluetooth/hci_event.c:7614 ... Freed by task 22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 ... Signed-off-by: Cen Zhang <zzzccc427@gmail.com>

github-actions · 2025-12-09T07:24:02Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.32 seconds
Result: PENDING

github-actions · 2025-12-09T07:24:03Z

GitLint
Desc: Run gitlint
Duration: 0.34 seconds
Result: PENDING

github-actions · 2025-12-09T07:24:04Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.09 seconds
Result: PASS

github-actions · 2025-12-09T07:24:34Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.47 seconds
Result: PASS

github-actions · 2025-12-09T07:25:06Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.48 seconds
Result: PASS

github-actions · 2025-12-09T07:25:40Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 30.42 seconds
Result: PASS

github-actions · 2025-12-09T07:26:09Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.77 seconds
Result: PASS

github-actions · 2025-12-09T07:35:28Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 558.28 seconds
Result: PASS

github-actions · 2025-12-09T07:35:54Z

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 24.90 seconds
Result: PASS

github-actions · 2025-12-09T07:36:52Z

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 57.49 seconds
Result: FAIL
Output:

BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0

github-actions · 2025-12-09T07:36:59Z

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.39 seconds
Result: PASS

github-actions · 2025-12-09T07:39:07Z

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 127.02 seconds
Result: FAIL
Output:

Total: 494, Passed: 487 (98.6%), Failed: 3, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds
LL Privacy - Add Device 2 (2 Devices to AL)          Failed       0.179 seconds
LL Privacy - Set Flags 2 (Enable RL)                 Failed       0.160 seconds

github-actions · 2025-12-09T07:39:17Z

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.67 seconds
Result: PASS

github-actions · 2025-12-09T07:39:32Z

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.68 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

github-actions · 2025-12-09T07:39:44Z

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.38 seconds
Result: PASS

github-actions · 2025-12-09T07:39:56Z

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 11.52 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.793 seconds
Mesh - Send cancel - 2                               Timed out    1.997 seconds

github-actions · 2025-12-09T07:40:06Z

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.78 seconds
Result: PASS

github-actions · 2025-12-09T07:40:13Z

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.69 seconds
Result: PASS

github-actions · 2025-12-09T07:40:14Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.44 seconds
Result: PENDING

tedd-an and others added 2 commits December 3, 2025 20:30

github-actions bot force-pushed the workflow branch 4 times, most recently from dbdc24e to 7b93eea Compare December 15, 2025 18:36

github-actions bot force-pushed the workflow branch 5 times, most recently from 8eabaf6 to b7ba526 Compare December 22, 2025 19:50

[PW_SID:1031579] Bluetooth: btintel: serialize hw error recovery with req_lock #3208

Are you sure you want to change the base?

[PW_SID:1031579] Bluetooth: btintel: serialize hw error recovery with req_lock #3208

Uh oh!

Conversation

BluezTestBot commented Dec 9, 2025

Signed-off-by: Cen Zhang zzzccc427@gmail.com

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

github-actions bot commented Dec 9, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants