[PATCH v3 1/5] Bluetooth: btusb: fix use-after-free on registration failure

Johan Hovold posted 5 patches 1 day, 11 hours ago
[PATCH v3 1/5] Bluetooth: btusb: fix use-after-free on registration failure
Posted by Johan Hovold 1 day, 11 hours ago
Make sure to release the sibling interfaces in case controller
registration fails to avoid use-after-free and double-free when they are
eventually disconnected.

This issue was reported by Sashiko while reviewing a fix for a wakeup
source leak in the btusb probe error paths.

Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
Cc: stable@vger.kernel.org	# 2.6.27
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/bluetooth/btusb.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 21e85c212506..97de6e6e7dbc 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4372,7 +4372,7 @@ static int btusb_probe(struct usb_interface *intf,
 
 	err = hci_register_dev(hdev);
 	if (err < 0)
-		goto out_free_dev;
+		goto err_release_siblings;
 
 	usb_set_intfdata(intf, data);
 
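Review bot: only the hci_register_dev() failure is redirected to the new label; any other error exit between claiming the sibling interfaces and this point would still jump to out_free_dev and leave data->isoc / data->diag claimed, which is the same stale-driver-data condition the commit message describes. The hunk shows just this one goto, so it is worth stating in the commit message (or confirming in the full function) that no such intermediate exit exists. Minor style point: the new label uses an err_ prefix while the existing one is out_free_dev; picking one convention keeps the unwind chain readable.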
@@ -4381,6 +4381,15 @@ static int btusb_probe(struct usb_interface *intf,
 
 	return 0;
 
+err_release_siblings:
+	if (data->diag) {
+		usb_set_intfdata(data->diag, NULL);
+		usb_driver_release_interface(&btusb_driver, data->diag);
+	}
+	if (data->isoc) {
+		usb_set_intfdata(data->isoc, NULL);
+		usb_driver_release_interface(&btusb_driver, data->isoc);
+	}
 out_free_dev:
 	if (data->reset_gpio)
 		gpiod_put(data->reset_gpio);
-- 
2.52.0
Re: [PATCH v3 1/5] Bluetooth: btusb: fix use-after-free on registration failure
Posted by Paul Menzel 1 day, 6 hours ago
Dear Johan,


Thank you for looking into and fixing the additional comments.

Am 02.04.26 um 17:48 schrieb Johan Hovold:
> Make sure to release the sibling interfaces in case controller
> registration fails to avoid use-after-free and double-free when they are
> eventually disconnected.
> 
> This issue was reported by Sashiko while reviewing a fix for a wakeup
> source leak in the btusb probe error paths.
> 
> Link: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org
> Fixes: 9bfa35fe422c ("[Bluetooth] Add SCO support to btusb driver")
> Fixes: 9d08f50401ac ("Bluetooth: btusb: Add support for Broadcom LM_DIAG interface")
> Cc: stable@vger.kernel.org	# 2.6.27
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
>   drivers/bluetooth/btusb.c | 11 ++++++++++-
>   1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index 21e85c212506..97de6e6e7dbc 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -4372,7 +4372,7 @@ static int btusb_probe(struct usb_interface *intf,
>   
>   	err = hci_register_dev(hdev);
>   	if (err < 0)
> -		goto out_free_dev;
> +		goto err_release_siblings;
>   
>   	usb_set_intfdata(intf, data);
>   
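Review bot: with only the hci_register_dev() goto redirected, an intermediate failure after the sibling interfaces are claimed but before registration would still bypass the release; the quoted hunk does not show whether such an exit exists, so a sentence in the commit message confirming this would help stable backporters. The err_ / out_ label prefix mix is a small style nit.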
> @@ -4381,6 +4381,15 @@ static int btusb_probe(struct usb_interface *intf,
>   
>   	return 0;
>   
> +err_release_siblings:
> +	if (data->diag) {
> +		usb_set_intfdata(data->diag, NULL);
> +		usb_driver_release_interface(&btusb_driver, data->diag);
> +	}
> +	if (data->isoc) {
> +		usb_set_intfdata(data->isoc, NULL);
> +		usb_driver_release_interface(&btusb_driver, data->isoc);
> +	}
>   out_free_dev:
>   	if (data->reset_gpio)
>   		gpiod_put(data->reset_gpio);
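Review bot: clearing intfdata ahead of usb_driver_release_interface() depends on the driver's disconnect callback tolerating a NULL drvdata, which is not visible here; a short comment at err_release_siblings would prevent that ordering from being undone. Otherwise the release order (diag, then isoc) and the fall-through into out_free_dev look correct.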

Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>


Kind regards,

Paul