Patch "Bluetooth: btintel_pcie: Fix a potential race condition" has been added to the 6.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 17 Feb 2025 11:50:16 -0500

This is a note to let you know that I've just added the patch titled

    Bluetooth: btintel_pcie: Fix a potential race condition

to the 6.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-btintel_pcie-fix-a-potential-race-conditio.patch
and it can be found in the queue-6.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a5ab6b41ab895fa250211ea50c9dcdf0ea2d6905
Author: Kiran K <kiran.k@xxxxxxxxx>
Date:   Fri Jan 31 18:30:19 2025 +0530

    Bluetooth: btintel_pcie: Fix a potential race condition
    
    [ Upstream commit 872274b992839ff64fe560767fe7ee5f942ccdb1 ]
    
    On HCI_OP_RESET command, firmware raises alive interrupt. Driver needs
    to wait for this before sending other command. This patch fixes the potential
    miss of alive interrupt due to which HCI_OP_RESET can timeout.
    
    Expected flow:
    If tx command is HCI_OP_RESET,
      1. set data->gp0_received = false
      2. send HCI_OP_RESET
      3. wait for alive interrupt
    
    Actual flow having potential race:
    If tx command is HCI_OP_RESET,
     1. send HCI_OP_RESET
       1a. Firmware raises alive interrupt here and in ISR
           data->gp0_received  is set to true
     2. set data->gp0_received = false
     3. wait for alive interrupt
    
    Signed-off-by: Kiran K <kiran.k@xxxxxxxxx>
    Fixes: 05c200c8f029 ("Bluetooth: btintel_pcie: Add handshake between driver and firmware")
    Reported-by: Bjorn Helgaas <helgaas@xxxxxxxxxx>
    Closes: https://patchwork.kernel.org/project/bluetooth/patch/20241001104451.626964-1-kiran.k@xxxxxxxxx/
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 2b79952f3628d..091ffe3e14954 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -1320,6 +1320,10 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev,
 			if (opcode == 0xfc01)
 				btintel_pcie_inject_cmd_complete(hdev, opcode);
 		}
+		/* Firmware raises alive interrupt on HCI_OP_RESET */
+		if (opcode == HCI_OP_RESET)
+			data->gp0_received = false;
+
 		hdev->stat.cmd_tx++;
 		break;
 	case HCI_ACLDATA_PKT:
@@ -1357,7 +1361,6 @@ static int btintel_pcie_send_frame(struct hci_dev *hdev,
 			   opcode, btintel_pcie_alivectxt_state2str(old_ctxt),
 			   btintel_pcie_alivectxt_state2str(data->alive_intr_ctxt));
 		if (opcode == HCI_OP_RESET) {
-			data->gp0_received = false;
 			ret = wait_event_timeout(data->gp0_wait_q,
 						 data->gp0_received,
 						 msecs_to_jiffies(BTINTEL_DEFAULT_INTR_TIMEOUT_MS));







