[PATCH v3 1/2] Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

Next message: Jonathan Rissanen: "[PATCH v3 2/2] Bluetooth: hci_h4: Fix race during initialization"
Previous message: gerben: "[PATCH] iio: imu: bmi323: Fix potential out-of-bounds access of bmi323_hw[]"
In reply to: Jonathan Rissanen: "[PATCH v3 0/2] Bluetooth: fix race during h4 bluetooth initialization"
Next in thread: Jonathan Rissanen: "[PATCH v3 2/2] Bluetooth: hci_h4: Fix race during initialization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jonathan Rissanen

Date: Fri Mar 27 2026 - 06:48:51 EST

When hci_register_dev() fails in hci_uart_register_dev()
HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu)
and setting hu->hdev to NULL. This means incoming UART data will reach
the protocol-specific recv handler in hci_uart_tty_receive() after
resources are freed.

Clear HCI_UART_PROTO_INIT with a write lock before calling
hu->proto->close() and setting hu->hdev to NULL. The write lock ensures
all active readers have completed and no new reader can enter the
protocol recv path before resources are freed.

This allows the protocol-specific recv functions to remove the
"HCI_UART_REGISTERED" guard without risking a null pointer dereference
if hci_register_dev() fails.

Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
Signed-off-by: Jonathan Rissanen <jonathan.rissanen@xxxxxxxx>
---
drivers/bluetooth/hci_ldisc.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 2b28515de92c..5455990ab211 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -692,6 +692,9 @@ static int hci_uart_register_dev(struct hci_uart *hu)

if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+ percpu_down_write(&hu->proto_lock);
+ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);

--
2.39.5