Skip to content

[PW_SID:1094596] bluetooth: btnxpuart: Fix use-after-free in probe error path#187

Open
BluezTestBot wants to merge 6 commits into
workflowfrom
1094596
Open

[PW_SID:1094596] bluetooth: btnxpuart: Fix use-after-free in probe error path#187
BluezTestBot wants to merge 6 commits into
workflowfrom
1094596

Conversation

@BluezTestBot
Copy link
Copy Markdown

@BluezTestBot BluezTestBot commented May 14, 2026

From: Zhao Dongdong zhaodongdong@kylinos.cn

In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
fails, the error path jumps to 'probe_fail' which only calls
hci_free_dev() and asserts the reset GPIO, but does NOT call
hci_unregister_dev() first.

This leaves the HCI device registered in the system with its backing
memory freed, leading to a use-after-free when userspace subsequently
accesses the device (e.g. via hciconfig or bluetoothd).

Fix by adding a 'probe_fail_unregister' label that calls
hci_unregister_dev() before falling through to the existing
'probe_fail' label. The original 'probe_fail' label is preserved
for the case where hci_register_dev() itself fails (device was
never registered, so no unregister is needed).

Signed-off-by: Zhao Dongdong zhaodongdong@kylinos.cn

drivers/bluetooth/btnxpuart.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

tedd-an and others added 6 commits May 13, 2026 17:39
@tedd-an @Vudentz
workflow: Add workflow files for ci
233c3f2 
This patch adds workflow files for ci:

[sync.yml]
 - The workflow file for scheduled work
 - Sync the repo with upstream repo and rebase the workflow branch
 - Review the patches in the patchwork and creates the PR if needed

[ci.yml]
 - The workflow file for CI tasks
 - Run CI tests when PR is created

Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
@Vudentz
workflows: Make use bluez/action-ci action
e8329bd 
This replaces the bzcafe action with bluez/action-ci so we can maintain
everything in the github bluez organization

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/sync: Attempt to sync every 5 minutes
21607fe 
This attempts to sync every 5 minutes instead of 30.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/sync: Set workflow to use worflow branch
cc49aee 
bluez/action-ci uses master as default branch for workflow which is
incorrect for kernel

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/ci: Add checks:write permission and explicit reopened trigger
b227437 
The CI action now creates individual GitHub Check Runs per test, which
requires 'checks: write' permission on the GITHUB_TOKEN. Also make the
pull_request trigger types explicit to include 'reopened', allowing CI
to be retriggered by closing and reopening a PR.
@Vudentz
bluetooth: btnxpuart: Fix use-after-free in probe error path
40e1df7 
In nxp_serdev_probe(), if hci_register_dev() succeeds but ps_setup()
fails, the error path jumps to 'probe_fail' which only calls
hci_free_dev() and asserts the reset GPIO, but does NOT call
hci_unregister_dev() first.

This leaves the HCI device registered in the system with its backing
memory freed, leading to a use-after-free when userspace subsequently
accesses the device (e.g. via hciconfig or bluetoothd).

Fix by adding a 'probe_fail_unregister' label that calls
hci_unregister_dev() before falling through to the existing
'probe_fail' label. The original 'probe_fail' label is preserved
for the case where hci_register_dev() itself fails (device was
never registered, so no unregister is needed).

Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.73 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

GitLint
Desc: Run gitlint
Duration: 0.34 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.13 seconds
Result: FAIL
Output:

"Bluetooth: " prefix is not specified in the subject

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.79 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 28.12 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 26.37 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.28 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 535.46 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 24.70 seconds
Result: PASS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area:drivers

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BluezTestBot @tedd-an @Vudentz