Re: [syzbot] Re: [syzbot] [bluetooth?] general protection fault in qca_close
From: syzbot
Date: Thu Feb 06 2025 - 21:38:13 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx.
***
Subject: Re: [syzbot] [bluetooth?] general protection fault in qca_close
Author: lizhi.xu@xxxxxxxxxxxxx
If hci_register_dev fails, clear the HCI_UART_PROTO_READY bit.
And move the set_bit(HCI_UART_PROTO_READY) closer to hci_register_dev, to make the window smaller.
#syz test
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index b955dc96b483..d5b97ff59330 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -683,8 +683,10 @@ static int hci_uart_register_dev(struct hci_uart *hu)
if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
return 0;
+ set_bit(HCI_UART_PROTO_READY, &hu->flags);
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
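Review bot: the early `return 0;` on HCI_UART_INIT_PENDING now runs before the new `set_bit(HCI_UART_PROTO_READY, &hu->flags);`, so on the deferred-init path the bit is no longer set here at all, whereas before this patch hci_uart_set_proto set it unconditionally before calling hci_uart_register_dev. Either confirm that the init-pending path sets the bit itself when it later registers the device, or move the set_bit above the test_bit check. Separately, on the failure path the `clear_bit(...)` directly followed by `hu->proto->close(hu);` has no synchronization visible in the hunk, so a concurrent receiver that already tested the bit can still be inside the proto's callbacks while close() tears down its state; as the description itself says, this narrows the window rather than closing it, and that limitation deserves a comment at the clear_bit.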
@@ -707,8 +709,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
hu->proto = p;
- set_bit(HCI_UART_PROTO_READY, &hu->flags);
-
err = hci_uart_register_dev(hu);
if (err) {
return err;
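Review bot: with the set_bit removed here, the error path `if (err) { return err; }` now returns with `hu->proto` still pointing at p even though hci_uart_register_dev has already called `hu->proto->close(hu)` and set `hu->hdev = NULL` on that failure (first hunk); the only thing preventing a later caller from invoking proto->close() a second time is the HCI_UART_PROTO_READY bit that the first hunk clears. A one-line comment at this return stating that the proto has already been closed and the bit cleared would make that dependency explicit, or reset `hu->proto = NULL` here so the teardown state is consistent.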