[PW_SID:1076527] Bluetooth: btusb: fix wakeup irq devres lifetime #43

Open
BluezTestBot wants to merge 6 commits into workflow from 1076527

@BluezTestBot

Make sure to release the sibling interfaces in case controller
registration fails to avoid use-after-free and double-free when they are
eventually disconnected.

This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe error paths.

Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: 9bfa35f ("[Bluetooth] Add SCO support to btusb driver")
Fixes: 9d08f50 ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
Cc: stable@vger.kernel.org # 2.6.27
Signed-off-by: Johan Hovold <johan@kernel.org>

drivers/bluetooth/btusb.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

Vudentz and others added 6 commits April 9, 2026 15:21
bluez/action-ci uses master as default branch for workflow which is
incorrect for kernel.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Make sure to release the sibling interfaces in case controller
registration fails to avoid use-after-free and double-free when they are
eventually disconnected.

This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe error paths.

Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: 9bfa35f ("[Bluetooth] Add SCO support to btusb driver")
Fixes: 9d08f50 ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
Cc: stable@vger.kernel.org	# 2.6.27
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>

Make sure to stop any TX URBs submitted during Marvell OOB wakeup
configuration on later probe failures to avoid use-after-free in the
completion callback.

This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe error paths.

Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: a4ccc9e ("Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup")
Cc: stable@vger.kernel.org	# 4.11
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>

Make sure to disable wakeup on probe failure to avoid leaking the wakeup
source.

Fixes: fd913ef ("Bluetooth: btusb: Add out-of-band wakeup support")
Cc: stable@vger.kernel.org	# 4.11
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>

The OOB wakeup interrupt is device managed but its lifetime is
incorrectly tied to the child HCI device rather than the USB interface
to which the driver is bound.

This should not cause any trouble currently as the interrupt will be
disabled when the HCI device is deregistered on disconnect (but this was
not always the case, see [1]), and there should be no further references
if probe fails before registering it. But it is still technically wrong
as the reference counted HCI device could in theory remain after a probe
failure.

Explicitly free the interrupt on disconnect so that it is guaranteed to
be disabled before freeing the (non-managed) driver data (including if
disconnected while suspended).

[1] 699fb50 ("drivers: base: Free devm resources when unregistering
                   a device")

Fixes: fd913ef ("Bluetooth: btusb: Add out-of-band wakeup support")
Cc: Rajat Jain <rajatja@google.com>
Signed-off-by: Johan Hovold <johan@kernel.org>

Clean up probe error handling by using dedicated error labels with an
"err" prefix.

Note that the endpoint lookup helper returns -ENXIO when endpoints are
missing which is functionally equivalent to returning -ENODEV.

Signed-off-by: Johan Hovold <johan@kernel.org>

@github-actions

github-actions bot commented Apr 9, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.53 seconds
Result: PENDING

@github-actions

github-actions bot commented Apr 9, 2026

GitLint
Desc: Run gitlint
Duration: 0.47 seconds
Result: PENDING

@github-actions

github-actions bot commented Apr 9, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.31 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 26.79 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 29.28 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 28.13 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.66 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 583.75 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 29.76 seconds
Result: FAIL
Output:

Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0

Failed Test Cases
L2CAP BR/EDR Server - Set PHY 3M                     Failed       0.120 seconds

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 37.40 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.60 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 121.13 seconds
Result: FAIL
Output:

Total: 494, Passed: 488 (98.8%), Failed: 2, Not Run: 4

Failed Test Cases
Pairing Acceptor - SMP over BR/EDR 2                 Timed out    2.576 seconds
Read Exp Feature - Success                           Failed       0.116 seconds

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.65 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.73 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
7.0.0-rc2-g974015308a27 #1 Not tainted
------------------------------------------------------
kworker/u5:2/117 is trying to acquire lock:
ffff888002043240 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x358/0x8d0

but task is already holding lock:
ffff888002094c20 (&conn->lock){+.+.}-{3:3}, at: sco_connect_cfm+0x22d/0x8d0

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock){+.+.}-{3:3}:
       lock_acquire+0xf7/0x2c0
       _raw_spin_lock+0x2a/0x40
       sco_sock_connect+0x4d7/0x1280
       __sys_connect+0x1a3/0x260
       __x64_sys_connect+0x6e/0xb0
       do_syscall_64+0xa0/0x570
       entry_SYSCALL_64_after_hwframe+0x74/0x7c

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       check_prev_add+0xe9/0xc70
       __lock_acquire+0x1457/0x1df0
       lock_acquire+0xf7/0x2c0
       lock_sock_nested+0x36/0xd0
       sco_connect_cfm+0x358/0x8d0
       hci_sync_conn_complete_evt+0x3d3/0x8e0
       hci_event_packet+0x74f/0xb10
       hci_rx_work+0x398/0xd00
       process_scheduled_works+0xb16/0x1ac0
       worker_thread+0x4ff/0xba0
       kthread+0x368/0x490
       ret_from_fork+0x498/0x7e0
       ret_from_fork_asm+0x19/0x30

other info that might help us debug this:

...
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 117, name: kworker/u5:2
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 117 Comm: kworker/u5:2 Not tainted 7.0.0-rc2-g974015308a27 #1 PREEMPT(lazy) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x49/0x60
 __might_resched+0x2ea/0x500
 lock_sock_nested+0x47/0xd0
 ? sco_connect_cfm+0x358/0x8d0
 sco_connect_cfm+0x358/0x8d0
 ? hci_debugfs_create_conn+0x190/0x210
 ? __pfx_sco_connect_cfm+0x10/0x10
 hci_sync_conn_complete_evt+0x3d3/0x8e0
 hci_event_packet+0x74f/0xb10
 ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
 ? __pfx_hci_event_packet+0x10/0x10
 ? mark_held_locks+0x49/0x80
 ? lockdep_hardirqs_on_prepare+0xd4/0x180
 ? _raw_spin_unlock_irqrestore+0x2c/0x50
 hci_rx_work+0x398/0xd00
 process_scheduled_works+0xb16/0x1ac0
 ? __pfx_process_scheduled_works+0x10/0x10
 ? lock_acquire+0xf7/0x2c0
 ? lock_is_held_type+0x9b/0x110
 ? __pfx_hci_rx_work+0x10/0x10
 worker_thread+0x4ff/0xba0
 ? _raw_spin_unlock_irqrestore+0x2c/0x50
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x368/0x490
 ? _raw_spin_unlock_irq+0x23/0x40
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x498/0x7e0
 ? __pfx_ret_from_fork+0x10/0x10
 ? __switch_to+0x9e4/0xe50
 ? __switch_to_asm+0x32/0x60
...
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.65 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 12.64 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.609 seconds
Mesh - Send cancel - 2                               Timed out    1.994 seconds

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 9.99 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.94 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

TestRunner_6lowpan-tester
Desc: Run 6lowpan-tester with test-runner
Duration: 9.03 seconds
Result: PASS

@github-actions

github-actions bot commented Apr 9, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.39 seconds
Result: PENDING
