Re: [PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

Next message: Rito Rhymes: "Re: [PATCH] docs: set canonical base URL for HTML output"
Previous message: Rob Herring: "Re: [PATCH v2 1/5] dt-bindings: interrupt-controller: aspeed: Add AST2700-A2 support"
In reply to: Cen Zhang: "[PATCH v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+bluetooth

Date: Mon Mar 23 2026 - 15:40:27 EST

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Wed, 18 Mar 2026 20:54:03 +0800 you wrote:
> btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
> and Intel exception-info retrieval) without holding
> hci_req_sync_lock(). This lets it race against
> hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
> __hci_cmd_sync() under the same lock. When both paths manipulate
> hdev->req_status/req_rsp concurrently, the close path may free the
> response skb first, and the still-running hw_error path hits a
> slab-use-after-free in kfree_skb().
>
> [...]

Here is the summary with links:
- [v2] Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
https://git.kernel.org/bluetooth/bluetooth-next/c/b8982b6b9815

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html