From c6e7062a344b63fb376ac448f4bcbeea06bb1449 Mon Sep 17 00:00:00 2001 From: Tedd Ho-Jeong An Date: Wed, 4 Nov 2020 21:09:48 -0800 Subject: [PATCH 1/6] workflow: Add workflow files for ci This patch adds workflow files for ci: [sync.yml] - The workflow file for scheduled work - Sync the repo with upstream repo and rebase the workflow branch - Review the patches in the patchwork and creates the PR if needed [ci.yml] - The workflow file for CI tasks - Run CI tests when PR is created Signed-off-by: Tedd Ho-Jeong An --- .github/workflows/ci.yml | 25 ++++++++++++++++++++++ .github/workflows/sync.yml | 43 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/sync.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000000..3a2c45c37553c --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,25 @@ +name: CI + +on: [pull_request] + +jobs: + ci: + runs-on: ubuntu-latest + name: CI for Pull Request + steps: + - name: Checkout the source code + uses: actions/checkout@v3 + with: + path: src/src + + - name: CI + uses: tedd-an/bzcafe@main + with: + task: ci + base_folder: src + space: kernel + github_token: ${{ secrets.GITHUB_TOKEN }} + email_token: ${{ secrets.EMAIL_TOKEN }} + patchwork_token: ${{ secrets.PATCHWORK_TOKEN }} + patchwork_user: ${{ secrets.PATCHWORK_USER }} + diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml new file mode 100644 index 0000000000000..3883d55a23267 --- /dev/null +++ b/.github/workflows/sync.yml @@ -0,0 +1,43 @@ +name: Sync + +on: + schedule: + - cron: "*/30 * * * *" + +jobs: + sync_repo: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: master + + - name: Sync Repo + uses: tedd-an/bzcafe@main + with: + task: sync + upstream_repo: 'https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git' + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Cleanup PR + uses: tedd-an/bzcafe@main + with: + task: cleanup + github_token: ${{ secrets.ACTION_TOKEN }} + + sync_patchwork: + needs: sync_repo + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Sync Patchwork + uses: tedd-an/bzcafe@main + with: + task: patchwork + space: kernel + github_token: ${{ secrets.ACTION_TOKEN }} + email_token: ${{ secrets.EMAIL_TOKEN }} + patchwork_token: ${{ secrets.PATCHWORK_TOKEN }} + patchwork_user: ${{ secrets.PATCHWORK_USER }} + From e79fe6ff23eae24a7959b07ad662b71b944d445d Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 2 Apr 2026 17:48:06 +0200 Subject: [PATCH 2/6] Bluetooth: btusb: fix use-after-free on registration failure Make sure to release the sibling interfaces in case controller registration fails to avoid use-after-free and double-free when they are eventually disconnected. This issue was reported by Sashiko while reviewing a fix for a wakeup source leak in the btusb probe errors paths. Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver") Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface") Cc: stable@vger.kernel.org # 2.6.27 Signed-off-by: Johan Hovold --- drivers/bluetooth/btusb.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 63020c061fc0c..9c232b66a1476 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -4399,7 +4399,7 @@ static int btusb_probe(struct usb_interface *intf, err = hci_register_dev(hdev); if (err < 0) - goto out_free_dev; + goto err_release_siblings; usb_set_intfdata(intf, data); @@ -4408,6 +4408,15 @@ static int btusb_probe(struct usb_interface *intf, return 0; +err_release_siblings: + if (data->diag) { + usb_set_intfdata(data->diag, NULL); + usb_driver_release_interface(&btusb_driver, data->diag); + } + if (data->isoc) { + usb_set_intfdata(data->isoc, NULL); + usb_driver_release_interface(&btusb_driver, data->isoc); + } out_free_dev: if (data->reset_gpio) gpiod_put(data->reset_gpio); From 49ac7c7e06831feab74ba61210c0774ffd36e03a Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 2 Apr 2026 17:48:07 +0200 Subject: [PATCH 3/6] Bluetooth: btusb: fix use-after-free on marvell probe failure Make sure to stop any TX URBs submitted during Marvell OOB wakeup configuration on later probe failures to avoid use-after-free in the completion callback. This issue was reported by Sashiko while reviewing a fix for a wakeup source leak in the btusb probe errors paths. Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org Fixes: a4ccc9e33d2f ("Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup") Cc: stable@vger.kernel.org # 4.11 Cc: Rajat Jain Signed-off-by: Johan Hovold --- drivers/bluetooth/btusb.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 9c232b66a1476..f9fec1c0e3221 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -4210,7 +4210,7 @@ static int btusb_probe(struct usb_interface *intf, if (id->driver_info & BTUSB_INTEL_COMBINED) { err = btintel_configure_setup(hdev, btusb_driver.name); if (err) - goto out_free_dev; + goto err_kill_tx_urbs; /* Transport specific configuration */ hdev->send = btusb_send_frame_intel; @@ -4373,7 +4373,7 @@ static int btusb_probe(struct usb_interface *intf, err = usb_set_interface(data->udev, 0, 0); if (err < 0) { BT_ERR("failed to set interface 0, alt 0 %d", err); - goto out_free_dev; + goto err_kill_tx_urbs; } } @@ -4381,7 +4381,7 @@ static int btusb_probe(struct usb_interface *intf, err = usb_driver_claim_interface(&btusb_driver, data->isoc, data); if (err < 0) - goto out_free_dev; + goto err_kill_tx_urbs; } if (IS_ENABLED(CONFIG_BT_HCIBTUSB_BCM) && data->diag) { @@ -4417,6 +4417,8 @@ static int btusb_probe(struct usb_interface *intf, usb_set_intfdata(data->isoc, NULL); usb_driver_release_interface(&btusb_driver, data->isoc); } +err_kill_tx_urbs: + usb_kill_anchored_urbs(&data->tx_anchor); out_free_dev: if (data->reset_gpio) gpiod_put(data->reset_gpio); From be51307337b49a09ef16ec3492e52822b8b2d47e Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 2 Apr 2026 17:48:08 +0200 Subject: [PATCH 4/6] Bluetooth: btusb: fix wakeup source leak on probe failure Make sure to disable wakeup on probe failure to avoid leaking the wakeup source. Fixes: fd913ef7ce61 ("Bluetooth: btusb: Add out-of-band wakeup support") Cc: stable@vger.kernel.org # 4.11 Cc: Rajat Jain Signed-off-by: Johan Hovold --- drivers/bluetooth/btusb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index f9fec1c0e3221..2af3197e508c9 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -4173,7 +4173,7 @@ static int btusb_probe(struct usb_interface *intf, if (id->driver_info & BTUSB_MARVELL && data->oob_wake_irq) { err = marvell_config_oob_wake(hdev); if (err) - goto out_free_dev; + goto err_disable_wakeup; } #endif if (id->driver_info & BTUSB_CW6622) @@ -4419,6 +4419,9 @@ static int btusb_probe(struct usb_interface *intf, } err_kill_tx_urbs: usb_kill_anchored_urbs(&data->tx_anchor); +err_disable_wakeup: + if (data->oob_wake_irq) + device_init_wakeup(&data->udev->dev, false); out_free_dev: if (data->reset_gpio) gpiod_put(data->reset_gpio); From 846ccf78859c4789dcd8b63b08359b1fe66f9bf4 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 2 Apr 2026 17:48:09 +0200 Subject: [PATCH 5/6] Bluetooth: btusb: fix wakeup irq devres lifetime The OOB wakeup interrupt is device managed but its lifetime is incorrectly tied to the child HCI device rather than the USB interface to which the driver is bound. This should not cause any trouble currently as the interrupt will be disabled when the HCI device is deregistered on disconnect (but this was not always the case, see [1]), and there should be no further references if probe fails before registering it. But it is still technically wrong as the reference counted HCI device could in theory remain after a probe failure. Explicitly free the interrupt on disconnect so that it is guaranteed to be disabled before freeing the (non-managed) driver data (including if disconnected while suspended). [1] 699fb50d9903 ("drivers: base: Free devm resources when unregistering a device") Fixes: fd913ef7ce61 ("Bluetooth: btusb: Add out-of-band wakeup support") Cc: Rajat Jain Signed-off-by: Johan Hovold --- drivers/bluetooth/btusb.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 2af3197e508c9..31b2a5aa9d5ad 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -3811,8 +3811,7 @@ static int btusb_config_oob_wake(struct hci_dev *hdev) } irq_set_status_flags(irq, IRQ_NOAUTOEN); - ret = devm_request_irq(&hdev->dev, irq, btusb_oob_wake_handler, - 0, "OOB Wake-on-BT", data); + ret = request_irq(irq, btusb_oob_wake_handler, 0, "OOB Wake-on-BT", data); if (ret) { bt_dev_err(hdev, "%s: IRQ request failed", __func__); return ret; @@ -3821,12 +3820,18 @@ static int btusb_config_oob_wake(struct hci_dev *hdev) ret = device_init_wakeup(dev, true); if (ret) { bt_dev_err(hdev, "%s: failed to init_wakeup", __func__); - return ret; + goto err_free_irq; } data->oob_wake_irq = irq; bt_dev_info(hdev, "OOB Wake-on-BT configured at IRQ %u", irq); + return 0; + +err_free_irq: + free_irq(irq, data); + + return ret; } #endif @@ -4420,8 +4425,10 @@ static int btusb_probe(struct usb_interface *intf, err_kill_tx_urbs: usb_kill_anchored_urbs(&data->tx_anchor); err_disable_wakeup: - if (data->oob_wake_irq) + if (data->oob_wake_irq) { device_init_wakeup(&data->udev->dev, false); + free_irq(data->oob_wake_irq, data); + } out_free_dev: if (data->reset_gpio) gpiod_put(data->reset_gpio); @@ -4454,8 +4461,11 @@ static void btusb_disconnect(struct usb_interface *intf) hci_unregister_dev(hdev); - if (data->oob_wake_irq) + if (data->oob_wake_irq) { device_init_wakeup(&data->udev->dev, false); + free_irq(data->oob_wake_irq, data); + } + if (data->reset_gpio) gpiod_put(data->reset_gpio); From c10f09c6faf3b391bb171a9a46d4e4ea048b1a0f Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 2 Apr 2026 17:48:10 +0200 Subject: [PATCH 6/6] Bluetooth: btusb: clean up probe error handling Clean up probe error handling by using dedicated error labels with an "err" prefix. Note that the endpoint lookup helper returns -ENXIO when endpoints are missing which is functionally equivalent to returning -ENODEV. Signed-off-by: Johan Hovold --- drivers/bluetooth/btusb.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 31b2a5aa9d5ad..8f408daaae8a2 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -4082,10 +4082,8 @@ static int btusb_probe(struct usb_interface *intf, err = usb_find_common_endpoints(intf->cur_altsetting, &data->bulk_rx_ep, &data->bulk_tx_ep, &data->intr_ep, NULL); - if (err) { - kfree(data); - return -ENODEV; - } + if (err) + goto err_free_data; if (id->driver_info & BTUSB_AMP) { data->cmdreq_type = USB_TYPE_CLASS | 0x01; @@ -4141,8 +4139,8 @@ static int btusb_probe(struct usb_interface *intf, hdev = hci_alloc_dev_priv(priv_size); if (!hdev) { - kfree(data); - return -ENOMEM; + err = -ENOMEM; + goto err_free_data; } hdev->bus = HCI_USB; @@ -4156,7 +4154,7 @@ static int btusb_probe(struct usb_interface *intf, GPIOD_OUT_LOW); if (IS_ERR(reset_gpio)) { err = PTR_ERR(reset_gpio); - goto out_free_dev; + goto err_free_hdev; } else if (reset_gpio) { data->reset_gpio = reset_gpio; } @@ -4172,7 +4170,7 @@ static int btusb_probe(struct usb_interface *intf, #ifdef CONFIG_PM err = btusb_config_oob_wake(hdev); if (err) - goto out_free_dev; + goto err_put_reset; /* Marvell devices may need a specific chip configuration */ if (id->driver_info & BTUSB_MARVELL && data->oob_wake_irq) { @@ -4429,11 +4427,14 @@ static int btusb_probe(struct usb_interface *intf, device_init_wakeup(&data->udev->dev, false); free_irq(data->oob_wake_irq, data); } -out_free_dev: +err_put_reset: if (data->reset_gpio) gpiod_put(data->reset_gpio); +err_free_hdev: hci_free_dev(hdev); +err_free_data: kfree(data); + return err; }