syzbot |
sign-in | mailing list | source | docs | 🏰 |
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| ece23198-6a3a-4f24-9191-0ffc2c63de84 | assessment-kcsan | Benign: ❌ Confident: ✅ | ❓ | KCSAN: data-race in __hci_cmd_sync_sk / hci_cmd_sync_cancel_sync | 2026/01/15 01:31 | 2026/01/15 01:31 | 2026/01/15 01:36 | a9d6a79219801d2130df3b1a792c57f0e5428e9f |
The data race occurs on the `hdev->req_status` field of `struct hci_dev` between `__hci_cmd_sync_sk` (the reader) and `hci_cmd_sync_cancel_sync` (the writer).
### Analysis
1. **Synchronization Mechanism**: The Bluetooth stack uses `hdev->req_status` to synchronize between a thread waiting for a synchronous HCI command to complete (in `__hci_cmd_sync_sk`) and the code that handles command completion or cancellation (in `hci_cmd_sync_complete` or `hci_cmd_sync_cancel_sync`).
2. **Locking**: The waiter in `__hci_cmd_sync_sk` holds `hdev->req_lock` (a mutex) while waiting. However, the completion and cancellation handlers (which typically run in a workqueue or interrupt context) do not take this lock. Taking `req_lock` in these handlers would cause a deadlock because the waiter is already holding it while waiting on `hdev->req_wait_q`.
3. **The Race**: KCSAN detected a concurrent read of `hdev->req_status` at line 176 (in `wait_event_interruptible_timeout`) and a write at line 690 (in `hci_cmd_sync_cancel_sync`).
4. **Harmful Consequences**:
* `hdev->req_status` acts as a signal for the availability of other data: `hdev->req_result` and `hdev->req_rsp`.
* In `hci_cmd_sync_cancel_sync`, `hdev->req_result` is updated followed by `hdev->req_status`. Without proper memory barriers (like `smp_store_release` on the writer and an implicit or explicit acquire on the reader), the stores can be reordered by the compiler or CPU. This means the reader could see `hdev->req_status == HCI_REQ_CANCELED` but still read a stale value of `hdev->req_result` (e.g., 0). This would cause the synchronous command to incorrectly return success instead of an error.
* A similar issue exists in `hci_cmd_sync_complete`, where `hdev->req_status` is updated to `HCI_REQ_DONE` *before* `hdev->req_rsp` is set. If the reader wakes up and sees `HCI_REQ_DONE`, it might read a `NULL` response pointer, leading to a false `-ENODATA` error for a successful command.
### Conclusion
This is a **harmful** data race because it involves a state machine transition where the state variable is used to signal the validity of other fields without sufficient synchronization (either locks or formal memory model primitives like `READ_ONCE`/`WRITE_ONCE` with barriers). This can lead to inconsistent state and incorrect return values from HCI commands.================================================================== BUG: KCSAN: data-race in __hci_cmd_sync_sk / hci_cmd_sync_cancel_sync write to 0xffff88810b33c8f8 of 4 bytes by task 44 on cpu 1: hci_cmd_sync_cancel_sync+0x67/0xa0 net/bluetooth/hci_sync.c:691 hci_send_cmd_sync net/bluetooth/hci_core.c:4119 [inline] hci_cmd_work+0x27a/0x320 net/bluetooth/hci_core.c:4152 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 worker_thread+0x582/0x770 kernel/workqueue.c:3421 kthread+0x489/0x510 kernel/kthread.c:463 ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 read to 0xffff88810b33c8f8 of 4 bytes by task 5534 on cpu 0: __hci_cmd_sync_sk+0x34f/0x640 net/bluetooth/hci_sync.c:176 __hci_cmd_sync_status_sk net/bluetooth/hci_sync.c:263 [inline] __hci_cmd_sync_status net/bluetooth/hci_sync.c:287 [inline] hci_cmd_sync_status+0x4b/0x100 net/bluetooth/hci_sync.c:298 hci_dev_cmd+0x4e4/0x500 net/bluetooth/hci_core.c:-1 hci_sock_ioctl+0x578/0x7f0 net/bluetooth/hci_sock.c:1157 sock_do_ioctl+0x73/0x220 net/socket.c:1254 sock_ioctl+0x41b/0x610 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd8/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x00000001 -> 0x00000002 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 5534 Comm: syz.2.673 Not tainted syzkaller #0 PREEMPT(voluntary) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 ================================================================== Bluetooth: hci0: Opcode 0x0c20 failed: -22
| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/01/15 01:31 | flow | assessment-kcsan |
4mModel:unknown Results: map[Benign:false Confident:true Explanation:The data race occurs on the `hdev->req_status` field of `struct hci_dev` between `__hci_cmd_sync_sk` (the reader) and `hci_cmd_sync_cancel_sync` (the writer).
### Analysis
1. **Synchronization Mechanism**: The Bluetooth stack uses `hdev->req_status` to synchronize between a thread waiting for a synchronous HCI command to complete (in `__hci_cmd_sync_sk`) and the code that handles command completion or cancellation (in `hci_cmd_sync_complete` or `hci_cmd_sync_cancel_sync`).
2. **Locking**: The waiter in `__hci_cmd_sync_sk` holds `hdev->req_lock` (a mutex) while waiting. However, the completion and cancellation handlers (which typically run in a workqueue or interrupt context) do not take this lock. Taking `req_lock` in these handlers would cause a deadlock because the waiter is already holding it while waiting on `hdev->req_wait_q`.
3. **The Race**: KCSAN detected a concurrent read of `hdev->req_status` at line 176 (in `wait_event_interruptible_timeout`) and a write at line 690 (in `hci_cmd_sync_cancel_sync`).
4. **Harmful Consequences**:
* `hdev->req_status` acts as a signal for the availability of other data: `hdev->req_result` and `hdev->req_rsp`.
* In `hci_cmd_sync_cancel_sync`, `hdev->req_result` is updated followed by `hdev->req_status`. Without proper memory barriers (like `smp_store_release` on the writer and an implicit or explicit acquire on the reader), the stores can be reordered by the compiler or CPU. This means the reader could see `hdev->req_status == HCI_REQ_CANCELED` but still read a stale value of `hdev->req_result` (e.g., 0). This would cause the synchronous command to incorrectly return success instead of an error.
* A similar issue exists in `hci_cmd_sync_complete`, where `hdev->req_status` is updated to `HCI_REQ_DONE` *before* `hdev->req_rsp` is set. If the reader wakes up and sees `HCI_REQ_DONE`, it might read a `NULL` response pointer, leading to a false `-ENODATA` error for a successful command.
### Conclusion
This is a **harmful** data race because it involves a state machine transition where the state variable is used to signal the validity of other fields without sufficient synchronization (either locks or formal memory model primitives like `READ_ONCE`/`WRITE_ONCE` with barriers). This can lead to inconsistent state and incorrect return values from HCI commands.] |
| 1/1 | 2026/01/15 01:31 | action | kernel-checkouter |
0mModel:unknown Results: map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/a8cdb5a178c0afc02aca9f7a83d7f6bfe478ea9e] |
| 2/1 | 2026/01/15 01:31 | action | kernel-builder |
0mModel:unknown Results: map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/480c7270dfdb6b3b80f5245d0988f700574901ff] |
| 3/1 | 2026/01/15 01:31 | action | codesearch-prepare |
0mModel:unknown Results: map[Index:codesearch-index] |
| 4/1 | 2026/01/15 01:31 | agent | expert |
4mModel:unknown Results: map[Benign:false Confident:true] Instruction: You are an experienced Linux kernel developer tasked with determining if the given kernel data race is benign or not. The data race report is from KCSAN tool. It contains 2 stack traces of the memory accesses that constitute a data race. A "benign" data races are on a simple int/bool variable or similar field, and the accesses are not supposed to be protected by any mutual exclusion primitives. Common examples of such "benign" data races are accesses to various flags fields, statistics counters, and similar. A "benign" data race does not lead to memory corruption/crash with a conservative compiler that compiles memory accesses to primitive types effectively as atomic. A non-benign (or "harmful" data race) can lead to corruption/crash even with a conservative compiler that compiles memory accesses to primitive types effectively as atomic. A common example of a "harmful" data races is race on a complex container (list/hashmap/etc), where accesses are supposed to be protected by a mutual exclusion primitive. In the final reply explain why you think the given data race is benign or is harmful. Use the provided tools to confirm any assumptions, variables/fields being accessed, etc. In particular, don't make assumptions about the kernel source code, use codesearch tools to read the actual source code. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: The data race report is: ================================================================== BUG: KCSAN: data-race in __hci_cmd_sync_sk / hci_cmd_sync_cancel_sync write to 0xffff88810b33c8f8 of 4 bytes by task 44 on cpu 1: hci_cmd_sync_cancel_sync+0x67/0xa0 net/bluetooth/hci_sync.c:691 hci_send_cmd_sync net/bluetooth/hci_core.c:4119 [inline] hci_cmd_work+0x27a/0x320 net/bluetooth/hci_core.c:4152 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340 worker_thread+0x582/0x770 kernel/workqueue.c:3421 kthread+0x489/0x510 kernel/kthread.c:463 ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 read to 0xffff88810b33c8f8 of 4 bytes by task 5534 on cpu 0: __hci_cmd_sync_sk+0x34f/0x640 net/bluetooth/hci_sync.c:176 __hci_cmd_sync_status_sk net/bluetooth/hci_sync.c:263 [inline] __hci_cmd_sync_status net/bluetooth/hci_sync.c:287 [inline] hci_cmd_sync_status+0x4b/0x100 net/bluetooth/hci_sync.c:298 hci_dev_cmd+0x4e4/0x500 net/bluetooth/hci_core.c:-1 hci_sock_ioctl+0x578/0x7f0 net/bluetooth/hci_sock.c:1157 sock_do_ioctl+0x73/0x220 net/socket.c:1254 sock_ioctl+0x41b/0x610 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd8/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x00000001 -> 0x00000002 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 5534 Comm: syz.2.673 Not tainted syzkaller #0 PREEMPT(voluntary) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 ================================================================== Bluetooth: hci0: Opcode 0x0c20 failed: -22 Reply: The data race occurs on the `hdev->req_status` field of `struct hci_dev` between `__hci_cmd_sync_sk` (the reader) and `hci_cmd_sync_cancel_sync` (the writer).
### Analysis
1. **Synchronization Mechanism**: The Bluetooth stack uses `hdev->req_status` to synchronize between a thread waiting for a synchronous HCI command to complete (in `__hci_cmd_sync_sk`) and the code that handles command completion or cancellation (in `hci_cmd_sync_complete` or `hci_cmd_sync_cancel_sync`).
2. **Locking**: The waiter in `__hci_cmd_sync_sk` holds `hdev->req_lock` (a mutex) while waiting. However, the completion and cancellation handlers (which typically run in a workqueue or interrupt context) do not take this lock. Taking `req_lock` in these handlers would cause a deadlock because the waiter is already holding it while waiting on `hdev->req_wait_q`.
3. **The Race**: KCSAN detected a concurrent read of `hdev->req_status` at line 176 (in `wait_event_interruptible_timeout`) and a write at line 690 (in `hci_cmd_sync_cancel_sync`).
4. **Harmful Consequences**:
* `hdev->req_status` acts as a signal for the availability of other data: `hdev->req_result` and `hdev->req_rsp`.
* In `hci_cmd_sync_cancel_sync`, `hdev->req_result` is updated followed by `hdev->req_status`. Without proper memory barriers (like `smp_store_release` on the writer and an implicit or explicit acquire on the reader), the stores can be reordered by the compiler or CPU. This means the reader could see `hdev->req_status == HCI_REQ_CANCELED` but still read a stale value of `hdev->req_result` (e.g., 0). This would cause the synchronous command to incorrectly return success instead of an error.
* A similar issue exists in `hci_cmd_sync_complete`, where `hdev->req_status` is updated to `HCI_REQ_DONE` *before* `hdev->req_rsp` is set. If the reader wakes up and sees `HCI_REQ_DONE`, it might read a `NULL` response pointer, leading to a false `-ENODATA` error for a successful command.
### Conclusion
This is a **harmful** data race because it involves a state machine transition where the state variable is used to signal the validity of other fields without sufficient synchronization (either locks or formal memory model primitives like `READ_ONCE`/`WRITE_ONCE` with barriers). This can lead to inconsistent state and incorrect return values from HCI commands. |
| 5/2 | 2026/01/15 01:31 | llm | expert |
0mModel:unknown Thoughts: **Investigating a Bluetooth HCI Data Race** Okay, so I'm looking at this report and it seems like we have a pretty clear data race on our hands. The report points to a conflict between `hci_cmd_sync_cancel_sync` and `__hci_cmd_sync_sk` – both functions are messing with the same 4-byte chunk of memory at address `0xffff88810b33c8f8`. Judging by the size, this is likely an integer or enum representing some sort of state or flag. And the value's changing from `0x00000001` to `0x00000002`. That's a classic sign of trouble. Now, let's dive into the code. The report's pinpointing `net/bluetooth/hci_sync.c:691` for `hci_cmd_sync_cancel_sync` and `net/bluetooth/hci_sync.c:176` for `__hci_cmd_sync_sk`. Before I start digging too deep, it's always good to get a handle on the landscape. I'll need to list the entities defined within `net/bluetooth/hci_sync.c`. Let's see what we're working with here... |
| 6/2 | 2026/01/15 01:31 | tool | codesearch-file-index |
0mModel:unknown Args: map[SourceFile:net/bluetooth/hci_sync.c] Results: map[Entities:[map[Kind:function Name:__hci_cmd_sync] map[Kind:function Name:__hci_cmd_sync] map[Kind:function Name:__hci_cmd_sync_ev] map[Kind:function Name:__hci_cmd_sync_ev] map[Kind:function Name:__hci_cmd_sync_sk] map[Kind:function Name:__hci_cmd_sync_sk] map[Kind:function Name:__hci_cmd_sync_status] map[Kind:function Name:__hci_cmd_sync_status] map[Kind:function Name:__hci_cmd_sync_status_sk] map[Kind:function Name:__hci_cmd_sync_status_sk] map[Kind:function Name:__hci_set_scan_rsp_data_sync] map[Kind:function Name:_hci_cmd_sync_cancel_entry] map[Kind:function Name:_hci_cmd_sync_lookup_entry] map[Kind:function Name:_update_adv_data_sync] map[Kind:function Name:adv_timeout_expire] map[Kind:function Name:adv_timeout_expire_sync] map[Kind:function Name:adv_use_rpa] map[Kind:function Name:cancel_adv_timeout] map[Kind:function Name:cancel_interleave_scan] map[Kind:function Name:conn_params_copy] map[Kind:function Name:conn_use_rpa] map[Kind:function Name:create_big_complete] map[Kind:function Name:create_le_conn_complete] map[Kind:function Name:create_pa_complete] map[Kind:function Name:disconnected_accept_list_entries] map[Kind:function Name:enable_advertising_sync] map[Kind:function Name:get_service_classes] map[Kind:function Name:hci_abort_conn_sync] map[Kind:function Name:hci_acl_create_conn_sync] map[Kind:function Name:hci_active_scan_sync] map[Kind:function Name:hci_adv_bcast_annoucement] map[Kind:function Name:hci_cancel_connect_sync] map[Kind:function Name:hci_clear_adv_instance_sync] map[Kind:function Name:hci_clear_adv_sets_sync] map[Kind:function Name:hci_clear_adv_sync] map[Kind:function Name:hci_clear_event_filter_sync] map[Kind:function Name:hci_cmd_sync] map[Kind:function Name:hci_cmd_sync] map[Kind:function Name:hci_cmd_sync_add] map[Kind:function Name:hci_cmd_sync_alloc] map[Kind:function Name:hci_cmd_sync_cancel] map[Kind:function Name:hci_cmd_sync_cancel] map[Kind:function Name:hci_cmd_sync_cancel_entry] map[Kind:function Name:hci_cmd_sync_cancel_entry] map[Kind:function Name:hci_cmd_sync_cancel_sync] map[Kind:function Name:hci_cmd_sync_cancel_sync] map[Kind:function Name:hci_cmd_sync_cancel_work] map[Kind:function Name:hci_cmd_sync_clear] map[Kind:function Name:hci_cmd_sync_complete] map[Kind:function Name:hci_cmd_sync_dequeue] map[Kind:function Name:hci_cmd_sync_dequeue] map[Kind:function Name:hci_cmd_sync_dequeue_once] map[Kind:function Name:hci_cmd_sync_dequeue_once] map[Kind:function Name:hci_cmd_sync_init] map[Kind:function Name:hci_cmd_sync_lookup_entry] map[Kind:function Name:hci_cmd_sync_lookup_entry] map[Kind:function Name:hci_cmd_sync_queue] map[Kind:function Name:hci_cmd_sync_queue] map[Kind:function Name:hci_cmd_sync_queue_once] map[Kind:function Name:hci_cmd_sync_queue_once] map[Kind:function Name:hci_cmd_sync_run] map[Kind:function Name:hci_cmd_sync_run] map[Kind:function Name:hci_cmd_sync_run_once] map[Kind:function Name:hci_cmd_sync_run_once] map[Kind:function Name:hci_cmd_sync_status] map[Kind:function Name:hci_cmd_sync_status] map[Kind:function Name:hci_cmd_sync_submit] map[Kind:function Name:hci_cmd_sync_submit] map[Kind:function Name:hci_cmd_sync_work] map[Kind:function Name:hci_connect_acl_sync] map[Kind:function Name:hci_connect_big_sync] map[Kind:function Name:hci_connect_cancel_sync] map[Kind:function Name:hci_connect_le_sync] map[Kind:function Name:hci_connect_pa_sync] map[Kind:function Name:hci_delete_stored_link_key_sync] map[Kind:function Name:hci_dev_close_sync] map[Kind:function Name:hci_dev_get_bd_addr_from_property] map[Kind:function Name:hci_dev_init_sync] map[Kind:function Name:hci_dev_open_sync] map[Kind:function Name:hci_dev_setup_sync] map[Kind:function Name:hci_dev_shutdown] map[Kind:function Name:hci_disable_advertising_sync] map[Kind:function Name:hci_disable_ext_adv_instance_sync] map[Kind:function Name:hci_disable_per_advertising_sync] map[Kind:function Name:hci_disconnect_all_sync] map[Kind:function Name:hci_disconnect_sync] map[Kind:function Name:hci_enable_advertising] map[Kind:function Name:hci_enable_advertising_sync] map[Kind:function Name:hci_enable_ext_advertising_sync] map[Kind:function Name:hci_enable_per_advertising_sync] map[Kind:function Name:hci_get_mws_transport_config_sync] map[Kind:function Name:hci_get_random_address] map[Kind:function Name:hci_init0_sync] map[Kind:function Name:hci_init1_sync] map[Kind:function Name:hci_init2_sync] map[Kind:function Name:hci_init3_sync] map[Kind:function Name:hci_init4_sync] map[Kind:function Name:hci_init_stage_sync] map[Kind:function Name:hci_init_sync] map[Kind:function Name:hci_inquiry_sync] map[Kind:function Name:hci_le_add_accept_list_sync] map[Kind:function Name:hci_le_add_resolve_list_sync] map[Kind:function Name:hci_le_big_create_sync] map[Kind:function Name:hci_le_big_terminate_sync] map[Kind:function Name:hci_le_clear_accept_list_sync] map[Kind:function Name:hci_le_clear_resolv_list_sync] map[Kind:function Name:hci_le_conn_update_sync] map[Kind:function Name:hci_le_connect_cancel_sync] map[Kind:function Name:hci_le_create_cis_sync] map[Kind:function Name:hci_le_create_conn_sync] map[Kind:function Name:hci_le_del_accept_list_sync] map[Kind:function Name:hci_le_del_resolve_list_sync] map[Kind:function Name:hci_le_directed_advertising_sync] map[Kind:function Name:hci_le_ext_create_conn_sync] map[Kind:function Name:hci_le_ext_directed_advertising_sync] map[Kind:function Name:hci_le_pa_create_sync] map[Kind:function Name:hci_le_pa_terminate_sync] map[Kind:function Name:hci_le_past_params_sync] map[Kind:function Name:hci_le_past_set_info_sync] map[Kind:function Name:hci_le_past_sync] map[Kind:function Name:hci_le_read_accept_list_size_sync] map[Kind:function Name:hci_le_read_adv_tx_power_sync] map[Kind:function Name:hci_le_read_all_remote_features_sync] map[Kind:function Name:hci_le_read_buffer_size_sync] map[Kind:function Name:hci_le_read_def_data_len_sync] map[Kind:function Name:hci_le_read_local_features_sync] map[Kind:function Name:hci_le_read_max_data_len_sync] map[Kind:function Name:hci_le_read_num_support_adv_sets_sync] map[Kind:function Name:hci_le_read_remote_features] map[Kind:function Name:hci_le_read_remote_features_sync] map[Kind:function Name:hci_le_read_resolv_list_size_sync] map[Kind:function Name:hci_le_read_supported_states_sync] map[Kind:function Name:hci_le_read_tx_power_sync] map[Kind:function Name:hci_le_reject_cis_sync] map[Kind:function Name:hci_le_remove_cig_sync] map[Kind:function Name:hci_le_scan_phy_params] map[Kind:function Name:hci_le_set_addr_resolution_enable_sync] map[Kind:function Name:hci_le_set_default_phy_sync] map[Kind:function Name:hci_le_set_event_mask_sync] map[Kind:function Name:hci_le_set_ext_scan_enable_sync] map[Kind:function Name:hci_le_set_ext_scan_param_sync] map[Kind:function Name:hci_le_set_host_feature_sync] map[Kind:function Name:hci_le_set_privacy_mode_sync] map[Kind:function Name:hci_le_set_rpa_timeout_sync] map[Kind:function Name:hci_le_set_scan_enable_sync] map[Kind:function Name:hci_le_set_scan_enable_sync] map[Kind:function Name:hci_le_set_scan_param_sync] map[Kind:function Name:hci_le_set_write_def_data_len_sync] map[Kind:function Name:hci_le_terminate_big_sync] map[Kind:function Name:hci_passive_scan_sync] map[Kind:function Name:hci_passive_scan_sync] map[Kind:function Name:hci_past_sync] map[Kind:function Name:hci_pause_addr_resolution] map[Kind:function Name:hci_pause_advertising_sync] map[Kind:function Name:hci_pause_discovery_sync] map[Kind:function Name:hci_pause_scan_sync] map[Kind:function Name:hci_pend_le_actions_clear] map[Kind:function Name:hci_power_off_sync] map[Kind:function Name:hci_power_on_sync] map[Kind:function Name:hci_powered_update_adv_sync] map[Kind:function Name:hci_powered_update_sync] map[Kind:function Name:hci_read_bd_addr_sync] map[Kind:function Name:hci_read_buffer_size_sync] map[Kind:function Name:hci_read_clock_sync] map[Kind:function Name:hci_read_current_iac_lap_sync] map[Kind:function Name:hci_read_def_err_data_reporting_sync] map[Kind:function Name:hci_read_dev_class_sync] map[Kind:function Name:hci_read_inq_rsp_tx_power_sync] map[Kind:function Name:hci_read_local_cmds_sync] map[Kind:function Name:hci_read_local_codecs_sync] map[Kind:function Name:hci_read_local_ext_features_1_sync] map[Kind:function Name:hci_read_local_ext_features_all_sync] map[Kind:function Name:hci_read_local_ext_features_sync] map[Kind:function Name:hci_read_local_features_sync] map[Kind:function Name:hci_read_local_name_sync] map[Kind:function Name:hci_read_local_oob_data_sync] map[Kind:function Name:hci_read_local_pairing_opts_sync] map[Kind:function Name:hci_read_local_version_sync] map[Kind:function Name:hci_read_num_supported_iac_sync] map[Kind:function Name:hci_read_page_scan_activity_sync] map[Kind:function Name:hci_read_page_scan_type_sync] map[Kind:function Name:hci_read_rssi_sync] map[Kind:function Name:hci_read_stored_link_key_sync] map[Kind:function Name:hci_read_sync_train_params_sync] map[Kind:function Name:hci_read_tx_power_sync] map[Kind:function Name:hci_read_voice_setting_sync] map[Kind:function Name:hci_reject_conn_sync] map[Kind:function Name:hci_reject_sco_sync] map[Kind:function Name:hci_remote_name_cancel_sync] map[Kind:function Name:hci_remove_adv_sync] map[Kind:function Name:hci_remove_advertising_sync] map[Kind:function Name:hci_remove_ext_adv_instance_sync] map[Kind:function Name:hci_req_sync_run] map[Kind:function Name:hci_request_init] map[Kind:function Name:hci_reset_sync] map[Kind:function Name:hci_resume_advertising_sync] map[Kind:function Name:hci_resume_discovery_sync] map[Kind:function Name:hci_resume_monitor_sync] map[Kind:function Name:hci_resume_scan_sync] map[Kind:function Name:hci_resume_sync] map[Kind:function Name:hci_scan_disable_sync] map[Kind:function Name:hci_scan_disable_sync] map[Kind:function Name:hci_schedule_adv_instance_sync] map[Kind:function Name:hci_set_adv_data_sync] map[Kind:function Name:hci_set_adv_set_random_addr_sync] map[Kind:function Name:hci_set_err_data_report_sync] map[Kind:function Name:hci_set_event_filter_sync] map[Kind:function Name:hci_set_event_mask_page_2_sync] map[Kind:function Name:hci_set_event_mask_sync] map[Kind:function Name:hci_set_ext_adv_data_sync] map[Kind:function Name:hci_set_ext_adv_params_sync] map[Kind:function Name:hci_set_ext_scan_rsp_data_sync] map[Kind:function Name:hci_set_le_support_sync] map[Kind:function Name:hci_set_per_adv_data_sync] map[Kind:function Name:hci_set_per_adv_params_sync] map[Kind:function Name:hci_set_powered_sync] map[Kind:function Name:hci_set_random_addr_sync] map[Kind:function Name:hci_setup_ext_adv_instance_sync] map[Kind:function Name:hci_setup_link_policy_sync] map[Kind:function Name:hci_start_adv_sync] map[Kind:function Name:hci_start_discovery_sync] map[Kind:function Name:hci_start_ext_adv_sync] map[Kind:function Name:hci_start_interleave_scan] map[Kind:function Name:hci_start_interleaved_discovery_sync] map[Kind:function Name:hci_start_per_adv_sync] map[Kind:function Name:hci_start_scan_sync] map[Kind:function Name:hci_stop_discovery_sync] map[Kind:function Name:hci_suspend_monitor_sync] map[Kind:function Name:hci_suspend_sync] map[Kind:function Name:hci_unconf_init_sync] map[Kind:function Name:hci_update_accept_list_sync] map[Kind:function Name:hci_update_adv_data] map[Kind:function Name:hci_update_adv_data_sync] map[Kind:function Name:hci_update_class_sync] map[Kind:function Name:hci_update_connectable_sync] map[Kind:function Name:hci_update_discoverable] map[Kind:function Name:hci_update_discoverable_sync] map[Kind:function Name:hci_update_eir_sync] map[Kind:function Name:hci_update_event_filter_sync] map[Kind:function Name:hci_update_interleaved_scan_sync] map[Kind:function Name:hci_update_name_sync] map[Kind:function Name:hci_update_passive_scan] map[Kind:function Name:hci_update_passive_scan_sync] map[Kind:function Name:hci_update_random_address_sync] map[Kind:function Name:hci_update_scan] map[Kind:function Name:hci_update_scan_rsp_data_sync] map[Kind:function Name:hci_update_scan_sync] map[Kind:function Name:hci_write_auth_enable_sync] map[Kind:function Name:hci_write_ca_timeout_sync] map[Kind:function Name:hci_write_eir_sync] map[Kind:function Name:hci_write_fast_connectable_sync] map[Kind:function Name:hci_write_iac_sync] map[Kind:function Name:hci_write_inquiry_mode_sync] map[Kind:function Name:hci_write_le_host_supported_sync] map[Kind:function Name:hci_write_sc_support_1_sync] map[Kind:function Name:hci_write_sc_support_sync] map[Kind:function Name:hci_write_scan_enable_sync] map[Kind:function Name:hci_write_ssp_mode_1_sync] map[Kind:function Name:hci_write_ssp_mode_sync] map[Kind:function Name:hci_write_sync_flowctl_sync] map[Kind:function Name:interleave_scan_work] map[Kind:function Name:interleaved_inquiry_sync] map[Kind:function Name:is_advertising_allowed] map[Kind:function Name:is_interleave_scanning] map[Kind:function Name:le_read_features_complete] map[Kind:function Name:le_scan_disable] map[Kind:function Name:past_complete] map[Kind:function Name:reenable_adv] map[Kind:function Name:reenable_adv_sync] map[Kind:function Name:scan_disable_sync] map[Kind:function Name:scan_use_rpa] map[Kind:function Name:set_ext_conn_params] map[Kind:function Name:update_discoverable_sync] map[Kind:function Name:update_passive_scan_sync] map[Kind:function Name:update_scan_sync]] Missing:false] |
| 7/2 | 2026/01/15 01:31 | llm | expert |
0mModel:unknown Thoughts: Okay, here's my take on those code snippets, thinking through the potential issues, as a seasoned pro. **Checking Key HCI Command Synchronization Points** Alright, let's dive in. Based on this, it seems we're looking at some synchronization issues within the HCI command handling. My gut tells me these could be tricky. The mention of `__hci_cmd_sync_sk` around line 176 immediately flags something important – socket-level synchronization related to HCI commands, most likely related to the underlying transport for Bluetooth. I need to understand how the socket is being used and how this function plays into it. Is this a critical section? Is it a potential bottleneck? Are there race conditions? I need to check the surrounding code for locks, atomic operations, and how it interacts with other threads. Then, there's `hci_cmd_sync_cancel_sync` around line 691. The name says it all – cancellation of a synchronous command. This is where things get really interesting. Cancellation is often a source of subtle bugs. How is the cancellation implemented? Are we handling all possible states of the command execution? What happens if the command completes just as the cancellation is triggered? Is there proper cleanup? Are resources being released correctly? This needs careful inspection, and it is likely a common source of bugs. It looks like we are cancelling a synchronous HCI command, so I would want to know what conditions would cause the cancellation to happen. The interplay between these two functions is probably key. The initial command setup/execution (handled by `__hci_cmd_sync_sk`) and the cancellation path (handled by `hci_cmd_sync_cancel_sync`) – if these aren't tightly coordinated, that's where I will likely find the problem. It could be something as simple as a missing lock or an improper use of condition variables. So I need to dig deep into the control flow and data dependencies, and I'll pay close attention to the lock or synchronization mechanisms and all the state transitions. I have seen the same problems many times, especially when synchronous calls are involved. |
| 8/2 | 2026/01/15 01:31 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:__hci_cmd_sync_sk SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:false SourceCode: 154: /* This function requires the caller holds hdev->req_lock. */
155: struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
156: const void *param, u8 event, u32 timeout,
157: struct sock *sk)
158: {
159: struct hci_request req;
160: struct sk_buff *skb;
161: int err = 0;
162:
163: bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
164:
165: hci_request_init(&req, hdev);
166:
167: hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
168:
169: hdev->req_status = HCI_REQ_PEND;
170:
171: err = hci_req_sync_run(&req);
172: if (err < 0)
173: return ERR_PTR(err);
174:
175: err = wait_event_interruptible_timeout(hdev->req_wait_q,
176: hdev->req_status != HCI_REQ_PEND,
177: timeout);
178:
179: if (err == -ERESTARTSYS)
180: return ERR_PTR(-EINTR);
181:
182: switch (hdev->req_status) {
183: case HCI_REQ_DONE:
184: err = -bt_to_errno(hdev->req_result);
185: break;
186:
187: case HCI_REQ_CANCELED:
188: err = -hdev->req_result;
189: break;
190:
191: default:
192: err = -ETIMEDOUT;
193: break;
194: }
195:
196: hdev->req_status = 0;
197: hdev->req_result = 0;
198: skb = hdev->req_rsp;
199: hdev->req_rsp = NULL;
200:
201: bt_dev_dbg(hdev, "end: err %d", err);
202:
203: if (err < 0) {
204: kfree_skb(skb);
205: return ERR_PTR(err);
206: }
207:
208: /* If command return a status event skb will be set to NULL as there are
209: * no parameters.
210: */
211: if (!skb)
212: return ERR_PTR(-ENODATA);
213:
214: return skb;
215: }
SourceFile:net/bluetooth/hci_sync.c] |
| 9/2 | 2026/01/15 01:31 | llm | expert |
0mModel:unknown Thoughts: **Deconstructing Bluetooth Command Synchronization** Okay, so I'm looking at this `__hci_cmd_sync_sk` function, specifically at line 176. It seems we're dealing with a `wait_event_interruptible_timeout` call, which is fairly standard in this context. The interesting part is the condition it's waiting on: `hdev->req_status != HCI_REQ_PEND`. That suggests this code block is designed to block until the `req_status` field within the `hdev` struct changes from a pending state (`HCI_REQ_PEND`). It's a classic synchronization pattern, waiting for the completion or rejection of a command. Now, I want to see how this request status is being set, cancelled and what states it can have. Let me check the `hci_cmd_sync_cancel_sync` function at `net/bluetooth/hci_sync.c:691`. |
| 10/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_cmd_sync_cancel_sync SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:false SourceCode: 676: /* Cancel ongoing command request synchronously:
677: *
678: * - Set result and mark status to HCI_REQ_CANCELED
679: * - Wakeup command sync thread
680: */
681: void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err)
682: {
683: bt_dev_dbg(hdev, "err 0x%2.2x", err);
684:
685: if (hdev->req_status == HCI_REQ_PEND) {
686: /* req_result is __u32 so error must be positive to be properly
687: * propagated.
688: */
689: hdev->req_result = err < 0 ? -err : err;
690: hdev->req_status = HCI_REQ_CANCELED;
691:
692: wake_up_interruptible(&hdev->req_wait_q);
693: }
694: }
SourceFile:net/bluetooth/hci_sync.c] |
| 11/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: **Investigating a Bluetooth HCI Request Cancellation** Okay, so I'm looking at this crash report, and it pinpoints line 691 in `hci_sync.c` as the culprit, a write operation. Let me double-check the code. Hmm, line 690 is actually the relevant one now that I have the source locally. And it's writing to `hdev->req_status`, setting it to `HCI_REQ_CANCELED`. A slight discrepancy in the line number, which isn't unusual with potential compiler optimizations or different kernel versions. The report indicates a value change from `0x00000001` to `0x00000002`. I need to figure out what those values actually *mean*. So, I need to look up the definitions of `HCI_REQ_PEND` and `HCI_REQ_CANCELED`. Those should be in `include/net/bluetooth/hci_core.h`, or somewhere very similar. That's the key to understanding the state transition and, ultimately, what might be going wrong with this cancellation process. |
| 12/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_dev SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 13/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: Here's the summary, tailored to an expert audience: **Debugging My Code – Where's `hci_dev`?** Okay, so I'm chasing a lead on this `hci_dev` structure. Something's not quite right with its usage, and I suspect it's defined elsewhere. Given how this codebase is structured, it's highly likely that the definition isn't in this specific file. Time to efficiently track down where `hci_dev` is actually declared. I need to quickly identify the header or source file responsible for initializing and defining this crucial structure. Let's fire up the search tools and get this pinpointed. |
| 14/2 | 2026/01/15 01:32 | tool | codesearch-file-index |
0mModel:unknown Args: map[SourceFile:include/net/bluetooth/hci_core.h] Results: map[Entities:[map[Kind:function Name:__hci_cmd_send] map[Kind:function Name:__mgmt_power_off] map[Kind:function Name:discovery_init] map[Kind:function Name:hci_abort_conn] map[Kind:function Name:hci_add_adv_instance] map[Kind:function Name:hci_add_adv_monitor] map[Kind:function Name:hci_add_irk] map[Kind:function Name:hci_add_link_key] map[Kind:function Name:hci_add_ltk] map[Kind:function Name:hci_add_per_instance] map[Kind:function Name:hci_add_remote_oob_data] map[Kind:function Name:hci_adv_instance_flags] map[Kind:function Name:hci_adv_instance_is_scannable] map[Kind:function Name:hci_adv_instances_clear] map[Kind:function Name:hci_adv_instances_set_rpa_expired] map[Kind:function Name:hci_adv_monitors_clear] map[Kind:function Name:hci_alloc_dev] map[Kind:function Name:hci_alloc_dev_priv] map[Kind:function Name:hci_auth_cfm] map[Kind:function Name:hci_bdaddr_is_paired] map[Kind:function Name:hci_bdaddr_is_rpa] map[Kind:function Name:hci_bdaddr_list_add] map[Kind:function Name:hci_bdaddr_list_add_with_flags] map[Kind:function Name:hci_bdaddr_list_add_with_irk] map[Kind:function Name:hci_bdaddr_list_clear] map[Kind:function Name:hci_bdaddr_list_del] map[Kind:function Name:hci_bdaddr_list_del_with_irk] map[Kind:function Name:hci_bdaddr_list_lookup] map[Kind:function Name:hci_bdaddr_list_lookup_with_flags] map[Kind:function Name:hci_bdaddr_list_lookup_with_irk] map[Kind:function Name:hci_bind_bis] map[Kind:function Name:hci_bind_cis] map[Kind:function Name:hci_blocked_keys_clear] map[Kind:function Name:hci_chan_create] map[Kind:function Name:hci_chan_del] map[Kind:function Name:hci_chan_list_flush] map[Kind:function Name:hci_chan_lookup_handle] map[Kind:function Name:hci_check_conn_params] map[Kind:function Name:hci_conn_add] map[Kind:function Name:hci_conn_add_sysfs] map[Kind:function Name:hci_conn_add_unset] map[Kind:function Name:hci_conn_big_create_sync] map[Kind:function Name:hci_conn_check_create_cis] map[Kind:function Name:hci_conn_check_link_mode] map[Kind:function Name:hci_conn_check_secure] map[Kind:function Name:hci_conn_count] map[Kind:function Name:hci_conn_del] map[Kind:function Name:hci_conn_del_sysfs] map[Kind:function Name:hci_conn_drop] map[Kind:function Name:hci_conn_enter_active_mode] map[Kind:function Name:hci_conn_failed] map[Kind:function Name:hci_conn_get] map[Kind:function Name:hci_conn_get_phy] map[Kind:function Name:hci_conn_hash_add] map[Kind:function Name:hci_conn_hash_del] map[Kind:function Name:hci_conn_hash_flush] map[Kind:function Name:hci_conn_hash_list_flag] map[Kind:function Name:hci_conn_hash_list_state] map[Kind:function Name:hci_conn_hash_lookup_ba] map[Kind:function Name:hci_conn_hash_lookup_big] map[Kind:function Name:hci_conn_hash_lookup_big_state] map[Kind:function Name:hci_conn_hash_lookup_big_sync_pend] map[Kind:function Name:hci_conn_hash_lookup_bis] map[Kind:function Name:hci_conn_hash_lookup_cig] map[Kind:function Name:hci_conn_hash_lookup_cis] map[Kind:function Name:hci_conn_hash_lookup_create_pa_sync] map[Kind:function Name:hci_conn_hash_lookup_handle] map[Kind:function Name:hci_conn_hash_lookup_le] map[Kind:function Name:hci_conn_hash_lookup_pa_sync_big_handle] map[Kind:function Name:hci_conn_hash_lookup_pa_sync_handle] map[Kind:function Name:hci_conn_hash_lookup_per_adv_bis] map[Kind:function Name:hci_conn_hash_lookup_role] map[Kind:function Name:hci_conn_hold] map[Kind:function Name:hci_conn_init_sysfs] map[Kind:function Name:hci_conn_key_enc_size] map[Kind:function Name:hci_conn_lookup_type] map[Kind:function Name:hci_conn_num] map[Kind:function Name:hci_conn_params_add] map[Kind:function Name:hci_conn_params_clear_disabled] map[Kind:function Name:hci_conn_params_del] map[Kind:function Name:hci_conn_params_free] map[Kind:function Name:hci_conn_params_lookup] map[Kind:function Name:hci_conn_put] map[Kind:function Name:hci_conn_sc_enabled] map[Kind:function Name:hci_conn_security] map[Kind:function Name:hci_conn_set_handle] map[Kind:function Name:hci_conn_ssp_enabled] map[Kind:function Name:hci_conn_switch_role] map[Kind:function Name:hci_conn_tx_dequeue] map[Kind:function Name:hci_conn_tx_queue] map[Kind:function Name:hci_conn_valid] map[Kind:function Name:hci_connect_acl] map[Kind:function Name:hci_connect_bis] map[Kind:function Name:hci_connect_cfm] map[Kind:function Name:hci_connect_cis] map[Kind:function Name:hci_connect_le] map[Kind:function Name:hci_connect_le_scan] map[Kind:function Name:hci_connect_le_scan_cleanup] map[Kind:function Name:hci_connect_sco] map[Kind:function Name:hci_copy_identity_address] map[Kind:function Name:hci_dev_close] map[Kind:function Name:hci_dev_cmd] map[Kind:function Name:hci_dev_do_close] map[Kind:function Name:hci_dev_get] map[Kind:function Name:hci_dev_hold] map[Kind:function Name:hci_dev_open] map[Kind:function Name:hci_dev_put] map[Kind:function Name:hci_dev_reset] map[Kind:function Name:hci_dev_reset_stat] map[Kind:function Name:hci_devcd_setup] map[Kind:function Name:hci_disconn_cfm] map[Kind:function Name:hci_disconnect] map[Kind:function Name:hci_discovery_active] map[Kind:function Name:hci_discovery_filter_clear] map[Kind:function Name:hci_discovery_set_state] map[Kind:function Name:hci_encrypt_cfm] map[Kind:function Name:hci_event_packet] map[Kind:function Name:hci_find_adv_instance] map[Kind:function Name:hci_find_adv_sid] map[Kind:function Name:hci_find_irk_by_addr] map[Kind:function Name:hci_find_irk_by_rpa] map[Kind:function Name:hci_find_link_key] map[Kind:function Name:hci_find_ltk] map[Kind:function Name:hci_find_remote_oob_data] map[Kind:function Name:hci_free_adv_monitor] map[Kind:function Name:hci_free_dev] map[Kind:function Name:hci_get_adv_monitor_offload_ext] map[Kind:function Name:hci_get_auth_info] map[Kind:function Name:hci_get_conn_info] map[Kind:function Name:hci_get_conn_list] map[Kind:function Name:hci_get_dev_info] map[Kind:function Name:hci_get_dev_list] map[Kind:function Name:hci_get_drvdata] map[Kind:function Name:hci_get_irk] map[Kind:function Name:hci_get_next_instance] map[Kind:function Name:hci_get_priv] map[Kind:function Name:hci_get_route] map[Kind:function Name:hci_init_sysfs] map[Kind:function Name:hci_inquiry] map[Kind:function Name:hci_inquiry_cache_flush] map[Kind:function Name:hci_inquiry_cache_lookup] map[Kind:function Name:hci_inquiry_cache_lookup_resolve] map[Kind:function Name:hci_inquiry_cache_lookup_unknown] map[Kind:function Name:hci_inquiry_cache_update] map[Kind:function Name:hci_inquiry_cache_update_resolve] map[Kind:function Name:hci_is_adv_monitoring] map[Kind:function Name:hci_is_blocked_key] map[Kind:function Name:hci_is_identity_address] map[Kind:function Name:hci_is_le_conn_scanning] map[Kind:function Name:hci_iso_count] map[Kind:function Name:hci_iso_setup_path] map[Kind:function Name:hci_key_change_cfm] map[Kind:function Name:hci_le_conn_update] map[Kind:function Name:hci_le_create_cis_pending] map[Kind:function Name:hci_le_start_enc] map[Kind:function Name:hci_link_keys_clear] map[Kind:function Name:hci_lookup_le_connect] map[Kind:function Name:hci_mgmt_chan_register] map[Kind:function Name:hci_mgmt_chan_unregister] map[Kind:function Name:hci_pa_create_sync] map[Kind:function Name:hci_past_bis] map[Kind:function Name:hci_pend_le_action_lookup] map[Kind:function Name:hci_pend_le_list_add] map[Kind:function Name:hci_pend_le_list_del_init] map[Kind:function Name:hci_proto_connect_ind] map[Kind:function Name:hci_proto_disconn_ind] map[Kind:function Name:hci_recv_diag] map[Kind:function Name:hci_recv_event_data] map[Kind:function Name:hci_recv_frame] map[Kind:function Name:hci_register_cb] map[Kind:function Name:hci_register_dev] map[Kind:function Name:hci_register_suspend_notifier] map[Kind:function Name:hci_release_dev] map[Kind:function Name:hci_remote_oob_data_clear] map[Kind:function Name:hci_remove_adv_instance] map[Kind:function Name:hci_remove_all_adv_monitor] map[Kind:function Name:hci_remove_irk] map[Kind:function Name:hci_remove_link_key] map[Kind:function Name:hci_remove_ltk] map[Kind:function Name:hci_remove_remote_oob_data] map[Kind:function Name:hci_remove_single_adv_monitor] map[Kind:function Name:hci_reset_dev] map[Kind:function Name:hci_resume_dev] map[Kind:function Name:hci_role_switch_cfm] map[Kind:function Name:hci_sco_setup] map[Kind:function Name:hci_send_acl] map[Kind:function Name:hci_send_cmd] map[Kind:function Name:hci_send_iso] map[Kind:function Name:hci_send_monitor_ctrl_event] map[Kind:function Name:hci_send_sco] map[Kind:function Name:hci_send_to_channel] map[Kind:function Name:hci_send_to_monitor] map[Kind:function Name:hci_send_to_sock] map[Kind:function Name:hci_sent_cmd_data] map[Kind:function Name:hci_set_adv_instance_data] map[Kind:function Name:hci_set_aosp_capable] map[Kind:function Name:hci_set_drvdata] map[Kind:function Name:hci_set_fw_info] map[Kind:function Name:hci_set_hw_info] map[Kind:function Name:hci_set_msft_opcode] map[Kind:function Name:hci_setup_sync] map[Kind:function Name:hci_setup_tx_timestamp] map[Kind:function Name:hci_smp_irks_clear] map[Kind:function Name:hci_smp_ltks_clear] map[Kind:function Name:hci_sock_dev_event] map[Kind:function Name:hci_sockcm_init] map[Kind:function Name:hci_suspend_dev] map[Kind:function Name:hci_unregister_cb] map[Kind:function Name:hci_unregister_dev] map[Kind:function Name:hci_unregister_suspend_notifier] map[Kind:function Name:hci_uuids_clear] map[Kind:function Name:inquiry_cache_age] map[Kind:function Name:inquiry_cache_empty] map[Kind:function Name:inquiry_entry_age] map[Kind:function Name:iso_connect_ind] map[Kind:function Name:iso_recv] map[Kind:function Name:l2cap_connect_ind] map[Kind:function Name:l2cap_disconn_ind] map[Kind:function Name:l2cap_recv_acldata] map[Kind:function Name:mgmt_adv_monitor_device_lost] map[Kind:function Name:mgmt_advertising_added] map[Kind:function Name:mgmt_advertising_removed] map[Kind:function Name:mgmt_auth_enable_complete] map[Kind:function Name:mgmt_auth_failed] map[Kind:function Name:mgmt_connect_failed] map[Kind:function Name:mgmt_device_connected] map[Kind:function Name:mgmt_device_disconnected] map[Kind:function Name:mgmt_device_found] map[Kind:function Name:mgmt_disconnect_failed] map[Kind:function Name:mgmt_discovering] map[Kind:function Name:mgmt_fill_version_info] map[Kind:function Name:mgmt_get_adv_discov_flags] map[Kind:function Name:mgmt_get_connectable] map[Kind:function Name:mgmt_index_added] map[Kind:function Name:mgmt_index_removed] map[Kind:function Name:mgmt_new_conn_param] map[Kind:function Name:mgmt_new_csrk] map[Kind:function Name:mgmt_new_irk] map[Kind:function Name:mgmt_new_link_key] map[Kind:function Name:mgmt_new_ltk] map[Kind:function Name:mgmt_new_settings] map[Kind:function Name:mgmt_phy_configuration_changed] map[Kind:function Name:mgmt_pin_code_neg_reply_complete] map[Kind:function Name:mgmt_pin_code_reply_complete] map[Kind:function Name:mgmt_pin_code_request] map[Kind:function Name:mgmt_power_on] map[Kind:function Name:mgmt_powering_down] map[Kind:function Name:mgmt_remote_name] map[Kind:function Name:mgmt_resuming] map[Kind:function Name:mgmt_set_class_of_dev_complete] map[Kind:function Name:mgmt_set_local_name_complete] map[Kind:function Name:mgmt_set_powered_failed] map[Kind:function Name:mgmt_smp_complete] map[Kind:function Name:mgmt_suspending] map[Kind:function Name:mgmt_user_confirm_neg_reply_complete] map[Kind:function Name:mgmt_user_confirm_reply_complete] map[Kind:function Name:mgmt_user_confirm_request] map[Kind:function Name:mgmt_user_passkey_neg_reply_complete] map[Kind:function Name:mgmt_user_passkey_notify] map[Kind:function Name:mgmt_user_passkey_reply_complete] map[Kind:function Name:mgmt_user_passkey_request] map[Kind:function Name:sco_connect_ind] map[Kind:function Name:sco_recv_scodata]] Missing:false] |
| 15/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: Here's the summary, tailored to an expert like you: **Locating the Core Bluetooth Device Structure** Right, let's get down to brass tacks. I need to get my hands on the `struct hci_dev` definition. Knowing the Bluetooth stack inside and out, I'd instinctively reach for `include/net/bluetooth/hci_core.h`. No need for `grep` this time; I've got `codesearch-definition-source` at my disposal, which is a far more elegant solution for pinpointing exactly what I'm after. I'll use that to navigate straight to the struct's declaration. That's the key starting point for understanding how these devices are represented in the kernel. |
| 16/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_dev SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 17/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: **Digging Deeper into the Bluetooth Device Structure** Okay, so I'm thinking, hold on, maybe `hci_dev` isn't *just* a variable name, maybe it's actually the name of a `struct`. That's a crucial distinction. Let me broaden my search, maybe even try to specify `struct hci_dev` explicitly. I'll take another look at `hci_core.h` - maybe I missed it the first time, or maybe it's got a slightly different naming convention. Wait a second, this "codesearch-file-index" tool could be really helpful here, especially if it can search for structures! I'll try using it to explicitly look for structs. Hmmm... the `entities` listing from `codesearch-file-index` seemed to be only showing me functions. I need structs! Let me double-check the tool's description... Ah, okay, it says that it's meant to find functions, structs, *and* global variables. That's good news. So it should work, I just need to figure out the right way to query it. Alright, a hunch. Given the general structure of the bluetooth source I'm exploring, and based on some best practices I've come across, maybe the structure definition is more likely to be in `include/net/bluetooth/hci.h`. I'll start my search there. |
| 18/2 | 2026/01/15 01:32 | tool | codesearch-file-index |
0mModel:unknown Args: map[SourceFile:include/net/bluetooth/hci_core.h] Results: map[Entities:[map[Kind:function Name:__hci_cmd_send] map[Kind:function Name:__mgmt_power_off] map[Kind:function Name:discovery_init] map[Kind:function Name:hci_abort_conn] map[Kind:function Name:hci_add_adv_instance] map[Kind:function Name:hci_add_adv_monitor] map[Kind:function Name:hci_add_irk] map[Kind:function Name:hci_add_link_key] map[Kind:function Name:hci_add_ltk] map[Kind:function Name:hci_add_per_instance] map[Kind:function Name:hci_add_remote_oob_data] map[Kind:function Name:hci_adv_instance_flags] map[Kind:function Name:hci_adv_instance_is_scannable] map[Kind:function Name:hci_adv_instances_clear] map[Kind:function Name:hci_adv_instances_set_rpa_expired] map[Kind:function Name:hci_adv_monitors_clear] map[Kind:function Name:hci_alloc_dev] map[Kind:function Name:hci_alloc_dev_priv] map[Kind:function Name:hci_auth_cfm] map[Kind:function Name:hci_bdaddr_is_paired] map[Kind:function Name:hci_bdaddr_is_rpa] map[Kind:function Name:hci_bdaddr_list_add] map[Kind:function Name:hci_bdaddr_list_add_with_flags] map[Kind:function Name:hci_bdaddr_list_add_with_irk] map[Kind:function Name:hci_bdaddr_list_clear] map[Kind:function Name:hci_bdaddr_list_del] map[Kind:function Name:hci_bdaddr_list_del_with_irk] map[Kind:function Name:hci_bdaddr_list_lookup] map[Kind:function Name:hci_bdaddr_list_lookup_with_flags] map[Kind:function Name:hci_bdaddr_list_lookup_with_irk] map[Kind:function Name:hci_bind_bis] map[Kind:function Name:hci_bind_cis] map[Kind:function Name:hci_blocked_keys_clear] map[Kind:function Name:hci_chan_create] map[Kind:function Name:hci_chan_del] map[Kind:function Name:hci_chan_list_flush] map[Kind:function Name:hci_chan_lookup_handle] map[Kind:function Name:hci_check_conn_params] map[Kind:function Name:hci_conn_add] map[Kind:function Name:hci_conn_add_sysfs] map[Kind:function Name:hci_conn_add_unset] map[Kind:function Name:hci_conn_big_create_sync] map[Kind:function Name:hci_conn_check_create_cis] map[Kind:function Name:hci_conn_check_link_mode] map[Kind:function Name:hci_conn_check_secure] map[Kind:function Name:hci_conn_count] map[Kind:function Name:hci_conn_del] map[Kind:function Name:hci_conn_del_sysfs] map[Kind:function Name:hci_conn_drop] map[Kind:function Name:hci_conn_enter_active_mode] map[Kind:function Name:hci_conn_failed] map[Kind:function Name:hci_conn_get] map[Kind:function Name:hci_conn_get_phy] map[Kind:function Name:hci_conn_hash_add] map[Kind:function Name:hci_conn_hash_del] map[Kind:function Name:hci_conn_hash_flush] map[Kind:function Name:hci_conn_hash_list_flag] map[Kind:function Name:hci_conn_hash_list_state] map[Kind:function Name:hci_conn_hash_lookup_ba] map[Kind:function Name:hci_conn_hash_lookup_big] map[Kind:function Name:hci_conn_hash_lookup_big_state] map[Kind:function Name:hci_conn_hash_lookup_big_sync_pend] map[Kind:function Name:hci_conn_hash_lookup_bis] map[Kind:function Name:hci_conn_hash_lookup_cig] map[Kind:function Name:hci_conn_hash_lookup_cis] map[Kind:function Name:hci_conn_hash_lookup_create_pa_sync] map[Kind:function Name:hci_conn_hash_lookup_handle] map[Kind:function Name:hci_conn_hash_lookup_le] map[Kind:function Name:hci_conn_hash_lookup_pa_sync_big_handle] map[Kind:function Name:hci_conn_hash_lookup_pa_sync_handle] map[Kind:function Name:hci_conn_hash_lookup_per_adv_bis] map[Kind:function Name:hci_conn_hash_lookup_role] map[Kind:function Name:hci_conn_hold] map[Kind:function Name:hci_conn_init_sysfs] map[Kind:function Name:hci_conn_key_enc_size] map[Kind:function Name:hci_conn_lookup_type] map[Kind:function Name:hci_conn_num] map[Kind:function Name:hci_conn_params_add] map[Kind:function Name:hci_conn_params_clear_disabled] map[Kind:function Name:hci_conn_params_del] map[Kind:function Name:hci_conn_params_free] map[Kind:function Name:hci_conn_params_lookup] map[Kind:function Name:hci_conn_put] map[Kind:function Name:hci_conn_sc_enabled] map[Kind:function Name:hci_conn_security] map[Kind:function Name:hci_conn_set_handle] map[Kind:function Name:hci_conn_ssp_enabled] map[Kind:function Name:hci_conn_switch_role] map[Kind:function Name:hci_conn_tx_dequeue] map[Kind:function Name:hci_conn_tx_queue] map[Kind:function Name:hci_conn_valid] map[Kind:function Name:hci_connect_acl] map[Kind:function Name:hci_connect_bis] map[Kind:function Name:hci_connect_cfm] map[Kind:function Name:hci_connect_cis] map[Kind:function Name:hci_connect_le] map[Kind:function Name:hci_connect_le_scan] map[Kind:function Name:hci_connect_le_scan_cleanup] map[Kind:function Name:hci_connect_sco] map[Kind:function Name:hci_copy_identity_address] map[Kind:function Name:hci_dev_close] map[Kind:function Name:hci_dev_cmd] map[Kind:function Name:hci_dev_do_close] map[Kind:function Name:hci_dev_get] map[Kind:function Name:hci_dev_hold] map[Kind:function Name:hci_dev_open] map[Kind:function Name:hci_dev_put] map[Kind:function Name:hci_dev_reset] map[Kind:function Name:hci_dev_reset_stat] map[Kind:function Name:hci_devcd_setup] map[Kind:function Name:hci_disconn_cfm] map[Kind:function Name:hci_disconnect] map[Kind:function Name:hci_discovery_active] map[Kind:function Name:hci_discovery_filter_clear] map[Kind:function Name:hci_discovery_set_state] map[Kind:function Name:hci_encrypt_cfm] map[Kind:function Name:hci_event_packet] map[Kind:function Name:hci_find_adv_instance] map[Kind:function Name:hci_find_adv_sid] map[Kind:function Name:hci_find_irk_by_addr] map[Kind:function Name:hci_find_irk_by_rpa] map[Kind:function Name:hci_find_link_key] map[Kind:function Name:hci_find_ltk] map[Kind:function Name:hci_find_remote_oob_data] map[Kind:function Name:hci_free_adv_monitor] map[Kind:function Name:hci_free_dev] map[Kind:function Name:hci_get_adv_monitor_offload_ext] map[Kind:function Name:hci_get_auth_info] map[Kind:function Name:hci_get_conn_info] map[Kind:function Name:hci_get_conn_list] map[Kind:function Name:hci_get_dev_info] map[Kind:function Name:hci_get_dev_list] map[Kind:function Name:hci_get_drvdata] map[Kind:function Name:hci_get_irk] map[Kind:function Name:hci_get_next_instance] map[Kind:function Name:hci_get_priv] map[Kind:function Name:hci_get_route] map[Kind:function Name:hci_init_sysfs] map[Kind:function Name:hci_inquiry] map[Kind:function Name:hci_inquiry_cache_flush] map[Kind:function Name:hci_inquiry_cache_lookup] map[Kind:function Name:hci_inquiry_cache_lookup_resolve] map[Kind:function Name:hci_inquiry_cache_lookup_unknown] map[Kind:function Name:hci_inquiry_cache_update] map[Kind:function Name:hci_inquiry_cache_update_resolve] map[Kind:function Name:hci_is_adv_monitoring] map[Kind:function Name:hci_is_blocked_key] map[Kind:function Name:hci_is_identity_address] map[Kind:function Name:hci_is_le_conn_scanning] map[Kind:function Name:hci_iso_count] map[Kind:function Name:hci_iso_setup_path] map[Kind:function Name:hci_key_change_cfm] map[Kind:function Name:hci_le_conn_update] map[Kind:function Name:hci_le_create_cis_pending] map[Kind:function Name:hci_le_start_enc] map[Kind:function Name:hci_link_keys_clear] map[Kind:function Name:hci_lookup_le_connect] map[Kind:function Name:hci_mgmt_chan_register] map[Kind:function Name:hci_mgmt_chan_unregister] map[Kind:function Name:hci_pa_create_sync] map[Kind:function Name:hci_past_bis] map[Kind:function Name:hci_pend_le_action_lookup] map[Kind:function Name:hci_pend_le_list_add] map[Kind:function Name:hci_pend_le_list_del_init] map[Kind:function Name:hci_proto_connect_ind] map[Kind:function Name:hci_proto_disconn_ind] map[Kind:function Name:hci_recv_diag] map[Kind:function Name:hci_recv_event_data] map[Kind:function Name:hci_recv_frame] map[Kind:function Name:hci_register_cb] map[Kind:function Name:hci_register_dev] map[Kind:function Name:hci_register_suspend_notifier] map[Kind:function Name:hci_release_dev] map[Kind:function Name:hci_remote_oob_data_clear] map[Kind:function Name:hci_remove_adv_instance] map[Kind:function Name:hci_remove_all_adv_monitor] map[Kind:function Name:hci_remove_irk] map[Kind:function Name:hci_remove_link_key] map[Kind:function Name:hci_remove_ltk] map[Kind:function Name:hci_remove_remote_oob_data] map[Kind:function Name:hci_remove_single_adv_monitor] map[Kind:function Name:hci_reset_dev] map[Kind:function Name:hci_resume_dev] map[Kind:function Name:hci_role_switch_cfm] map[Kind:function Name:hci_sco_setup] map[Kind:function Name:hci_send_acl] map[Kind:function Name:hci_send_cmd] map[Kind:function Name:hci_send_iso] map[Kind:function Name:hci_send_monitor_ctrl_event] map[Kind:function Name:hci_send_sco] map[Kind:function Name:hci_send_to_channel] map[Kind:function Name:hci_send_to_monitor] map[Kind:function Name:hci_send_to_sock] map[Kind:function Name:hci_sent_cmd_data] map[Kind:function Name:hci_set_adv_instance_data] map[Kind:function Name:hci_set_aosp_capable] map[Kind:function Name:hci_set_drvdata] map[Kind:function Name:hci_set_fw_info] map[Kind:function Name:hci_set_hw_info] map[Kind:function Name:hci_set_msft_opcode] map[Kind:function Name:hci_setup_sync] map[Kind:function Name:hci_setup_tx_timestamp] map[Kind:function Name:hci_smp_irks_clear] map[Kind:function Name:hci_smp_ltks_clear] map[Kind:function Name:hci_sock_dev_event] map[Kind:function Name:hci_sockcm_init] map[Kind:function Name:hci_suspend_dev] map[Kind:function Name:hci_unregister_cb] map[Kind:function Name:hci_unregister_dev] map[Kind:function Name:hci_unregister_suspend_notifier] map[Kind:function Name:hci_uuids_clear] map[Kind:function Name:inquiry_cache_age] map[Kind:function Name:inquiry_cache_empty] map[Kind:function Name:inquiry_entry_age] map[Kind:function Name:iso_connect_ind] map[Kind:function Name:iso_recv] map[Kind:function Name:l2cap_connect_ind] map[Kind:function Name:l2cap_disconn_ind] map[Kind:function Name:l2cap_recv_acldata] map[Kind:function Name:mgmt_adv_monitor_device_lost] map[Kind:function Name:mgmt_advertising_added] map[Kind:function Name:mgmt_advertising_removed] map[Kind:function Name:mgmt_auth_enable_complete] map[Kind:function Name:mgmt_auth_failed] map[Kind:function Name:mgmt_connect_failed] map[Kind:function Name:mgmt_device_connected] map[Kind:function Name:mgmt_device_disconnected] map[Kind:function Name:mgmt_device_found] map[Kind:function Name:mgmt_disconnect_failed] map[Kind:function Name:mgmt_discovering] map[Kind:function Name:mgmt_fill_version_info] map[Kind:function Name:mgmt_get_adv_discov_flags] map[Kind:function Name:mgmt_get_connectable] map[Kind:function Name:mgmt_index_added] map[Kind:function Name:mgmt_index_removed] map[Kind:function Name:mgmt_new_conn_param] map[Kind:function Name:mgmt_new_csrk] map[Kind:function Name:mgmt_new_irk] map[Kind:function Name:mgmt_new_link_key] map[Kind:function Name:mgmt_new_ltk] map[Kind:function Name:mgmt_new_settings] map[Kind:function Name:mgmt_phy_configuration_changed] map[Kind:function Name:mgmt_pin_code_neg_reply_complete] map[Kind:function Name:mgmt_pin_code_reply_complete] map[Kind:function Name:mgmt_pin_code_request] map[Kind:function Name:mgmt_power_on] map[Kind:function Name:mgmt_powering_down] map[Kind:function Name:mgmt_remote_name] map[Kind:function Name:mgmt_resuming] map[Kind:function Name:mgmt_set_class_of_dev_complete] map[Kind:function Name:mgmt_set_local_name_complete] map[Kind:function Name:mgmt_set_powered_failed] map[Kind:function Name:mgmt_smp_complete] map[Kind:function Name:mgmt_suspending] map[Kind:function Name:mgmt_user_confirm_neg_reply_complete] map[Kind:function Name:mgmt_user_confirm_reply_complete] map[Kind:function Name:mgmt_user_confirm_request] map[Kind:function Name:mgmt_user_passkey_neg_reply_complete] map[Kind:function Name:mgmt_user_passkey_notify] map[Kind:function Name:mgmt_user_passkey_reply_complete] map[Kind:function Name:mgmt_user_passkey_request] map[Kind:function Name:sco_connect_ind] map[Kind:function Name:sco_recv_scodata]] Missing:false] |
| 19/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: **Finding the `hci_dev` Structure** Okay, I'm digging into this Bluetooth stack code. I remember seeing `hci_alloc_dev` in `hci_core.h`, which strongly suggests the `hci_dev` structure is defined somewhere nearby. My initial thought was to use `codesearch-definition-source` on `hci_dev`, but that may have failed before. Did it fail because it's a struct? I'm pretty sure I specified that in my search, but it *should* automatically detect that, really. Hold on, I recall seeing some constants like `HCI_REQ_PEND` in the code I was reading. That's a good lead! Rather than looking for the structure directly, let's trace where those constants are defined. Finding `HCI_REQ_PEND` should give me the context I need. |
| 20/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:HCI_REQ_PEND SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:true SourceCode: SourceFile:] |
| 21/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: Okay, here's my take on those thoughts, as if they were my own: **Diving into Bluetooth HCI Core** Alright, let's see... I'm thinking I need to find the definition or relevant structures related to the Bluetooth Host Controller Interface (HCI). Where would I expect to find the core definitions for that? Hmm, given the kernel's structure, I'd immediately lean towards the `include/net/bluetooth/` directory. And within that, the HCI core elements would likely reside in a file specifically named something like `hci_core.h`. That's the most logical place to begin my investigation, and I'll start looking there first. This will be the foundational starting point for the investigation. |
| 22/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:HCI_REQ_PEND SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 23/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: **Analyzing a Potential Data Race in Bluetooth HCI Code** Okay, so KCSAN has flagged a concurrent read and write on `hdev->req_status`, and my initial thought is that it probably involves an enum. Let's dig into this and figure out the specifics. I'll start by checking the values of `HCI_REQ_PEND` and `HCI_REQ_CANCELED`. Looking at `hci_sync.c`, I see `hdev->req_status` being set to `HCI_REQ_PEND` and `HCI_REQ_CANCELED`, so those are likely 1 and 2, respectively, as the report indicates a value change from 0x1 to 0x2. Now, the core of the issue: Task 5534 reads `hdev->req_status` in `wait_event_interruptible_timeout`, and Task 44 writes to it in `hci_cmd_sync_cancel_sync`. This looks like a classic `wait_event`/`wake_up` pattern. Task 5534 is waiting for a change in the status, and Task 44 is signaling that change. The question is, is this race *harmful*? In the typical `wait_event` scenario, the reader checks the condition before sleeping. The writer modifies the condition and calls `wake_up_interruptible`. The reader re-checks the condition after being woken. The compiler *could* cause problems with caching, but the `wait_event` macro usually checks the condition multiple times. Even if `hdev->req_status` isn't volatile or accessed with `READ_ONCE`, `schedule()` acts as a compiler barrier. So, I don't see an obvious problem here. However, a race on the value itself is concerning. Neither the read nor the write uses `READ_ONCE`/`WRITE_ONCE`. If the reader gets a stale value just before going to sleep, it should still be woken up anyway. But the standard pattern involves: 1) add to wait queue, 2) check condition, 3) sleep. If the write happens after step 2 but before 3, `wake_up` will still wake the task. The loop in `wait_event` means we check the condition *again*. If `req_status` is changed without a barrier, can we miss the update? The key here is whether `wake_up` itself ensures the store is visible *before* waking up the waiting task. Wait, `wake_up` and `wait_event` rely on the wait queue lock to ensure visibility? Actually, the standard recommendation is to use `READ_ONCE` for conditions in `wait_event` if they are modified without the same lock. In this case, it is being modified. Is there a lock protecting `hdev->req_status`? `__hci_cmd_sync_sk` says the caller holds `hdev->req_lock`. Now, let's confirm that `hci_cmd_sync_cancel_sync` *does* hold it. The provided stack trace for Task 44 goes through `hci_cmd_sync_cancel_sync`, `hci_send_cmd_sync`, and `hci_cmd_work`. I need to verify that `hci_cmd_work` holds the lock, which would then be inherited by the call to `hci_cmd_sync_cancel_sync`. |
| 24/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_cmd_work SourceFile:net/bluetooth/hci_core.c] Results: map[Missing:false SourceCode:4136: static void hci_cmd_work(struct work_struct *work)
4137: {
4138: struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4139: struct sk_buff *skb;
4140: int err;
4141:
4142: BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4143: atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4144:
4145: /* Send queued commands */
4146: if (atomic_read(&hdev->cmd_cnt)) {
4147: skb = skb_dequeue(&hdev->cmd_q);
4148: if (!skb)
4149: return;
4150:
4151: err = hci_send_cmd_sync(hdev, skb);
4152: if (err)
4153: return;
4154:
4155: rcu_read_lock();
4156: if (test_bit(HCI_RESET, &hdev->flags) ||
4157: hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4158: cancel_delayed_work(&hdev->cmd_timer);
4159: else
4160: queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
4161: HCI_CMD_TIMEOUT);
4162: rcu_read_unlock();
4163: }
4164: }
SourceFile:net/bluetooth/hci_core.c] |
| 25/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: Okay, here's my interpretation of that thought process, tailored to an expert like yourself: **Diving into the HCI Command Transmission** Alright, so the code's invoking `hci_send_cmd_sync`. That's the gateway, isn't it? The synchronous command transmission function. Before I even think further, let's drill down into that function immediately. I want to see precisely how it's being handled. What's the wait condition? Are we handling timeouts appropriately? What about the return codes? Are there any obvious race conditions or missed error checks? It's the point of synchronization between our software and the HCI. I'm eager to examine the implications of this approach. Let's see how they've implemented it. |
| 26/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_send_cmd_sync SourceFile:net/bluetooth/hci_core.c] Results: map[Missing:false SourceCode:4100: static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
4101: {
4102: int err;
4103:
4104: bt_dev_dbg(hdev, "skb %p", skb);
4105:
4106: kfree_skb(hdev->sent_cmd);
4107:
4108: hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4109: if (!hdev->sent_cmd) {
4110: skb_queue_head(&hdev->cmd_q, skb);
4111: queue_work(hdev->workqueue, &hdev->cmd_work);
4112: return -EINVAL;
4113: }
4114:
4115: if (hci_skb_opcode(skb) != HCI_OP_NOP) {
4116: err = hci_send_frame(hdev, skb);
4117: if (err < 0) {
4118: hci_cmd_sync_cancel_sync(hdev, -err);
4119: return err;
4120: }
4121: atomic_dec(&hdev->cmd_cnt);
4122: } else {
4123: err = -ENODATA;
4124: kfree_skb(skb);
4125: }
4126:
4127: if (hdev->req_status == HCI_REQ_PEND &&
4128: !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
4129: kfree_skb(hdev->req_skb);
4130: hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4131: }
4132:
4133: return err;
4134: }
SourceFile:net/bluetooth/hci_core.c] |
| 27/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: **Digging into a Bluetooth HCI Command Synchronization Issue** Okay, so I'm looking at this `hci_send_cmd_sync` function, specifically the error handling. If `hci_send_frame` fails, it calls `hci_cmd_sync_cancel_sync`. The question immediately arises: does `hci_send_cmd_sync` hold the `req_lock`? I don't *think* `hci_cmd_work` takes it, but I need to be sure. Aha! Hang on...I see that `__hci_cmd_sync_sk` *does* take, or assumes that it holds, the `req_lock`. Now, let's trace where `__hci_cmd_sync_sk` is actually *called* from. I'm looking at this call stack in the report now. So, according to the report, `__hci_cmd_sync_sk` is called from `__hci_cmd_sync_status_sk`, which is inlined into `__hci_cmd_sync_status`, and then into `hci_cmd_sync_status`. Then, we have `hci_dev_cmd` in `hci_core.c` and then finally `hci_sock_ioctl`. Now, wait a minute, the report says `hci_core.c:-1` for `hci_dev_cmd`, that seems weird! Either there's a reporting error, or perhaps I'm looking at the wrong file...Let me double-check. Okay, yes, `hci_dev_cmd` *is* a function in `hci_core.c`. Got it. |
| 28/2 | 2026/01/15 01:32 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_dev_cmd SourceFile:net/bluetooth/hci_core.c] Results: map[Missing:false SourceCode: 678: int hci_dev_cmd(unsigned int cmd, void __user *arg)
679: {
680: struct hci_dev *hdev;
681: struct hci_dev_req dr;
682: __le16 policy;
683: int err = 0;
684:
685: if (copy_from_user(&dr, arg, sizeof(dr)))
686: return -EFAULT;
687:
688: hdev = hci_dev_get(dr.dev_id);
689: if (!hdev)
690: return -ENODEV;
691:
692: if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
693: err = -EBUSY;
694: goto done;
695: }
696:
697: if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
698: err = -EOPNOTSUPP;
699: goto done;
700: }
701:
702: if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
703: err = -EOPNOTSUPP;
704: goto done;
705: }
706:
707: switch (cmd) {
708: case HCISETAUTH:
709: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
710: 1, &dr.dev_opt, HCI_CMD_TIMEOUT);
711: break;
712:
713: case HCISETENCRYPT:
714: if (!lmp_encrypt_capable(hdev)) {
715: err = -EOPNOTSUPP;
716: break;
717: }
718:
719: if (!test_bit(HCI_AUTH, &hdev->flags)) {
720: /* Auth must be enabled first */
721: err = hci_cmd_sync_status(hdev,
722: HCI_OP_WRITE_AUTH_ENABLE,
723: 1, &dr.dev_opt,
724: HCI_CMD_TIMEOUT);
725: if (err)
726: break;
727: }
728:
729: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
730: 1, &dr.dev_opt, HCI_CMD_TIMEOUT);
731: break;
732:
733: case HCISETSCAN:
734: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
735: 1, &dr.dev_opt, HCI_CMD_TIMEOUT);
736:
737: /* Ensure that the connectable and discoverable states
738: * get correctly modified as this was a non-mgmt change.
739: */
740: if (!err)
741: hci_update_passive_scan_state(hdev, dr.dev_opt);
742: break;
743:
744: case HCISETLINKPOL:
745: policy = cpu_to_le16(dr.dev_opt);
746:
747: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
748: 2, &policy, HCI_CMD_TIMEOUT);
749: break;
750:
751: case HCISETLINKMODE:
752: hdev->link_mode = ((__u16) dr.dev_opt) &
753: (HCI_LM_MASTER | HCI_LM_ACCEPT);
754: break;
755:
756: case HCISETPTYPE:
757: if (hdev->pkt_type == (__u16) dr.dev_opt)
758: break;
759:
760: hdev->pkt_type = (__u16) dr.dev_opt;
761: mgmt_phy_configuration_changed(hdev, NULL);
762: break;
763:
764: case HCISETACLMTU:
765: hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
766: hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
767: break;
768:
769: case HCISETSCOMTU:
770: hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
771: hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
772: break;
773:
774: default:
775: err = -EINVAL;
776: break;
777: }
778:
779: done:
780: hci_dev_put(hdev);
781: return err;
782: }
SourceFile:net/bluetooth/hci_core.c] |
| 29/2 | 2026/01/15 01:32 | llm | expert |
0mModel:unknown Thoughts: Okay, let's break this down. **Diving into the Bluetooth Command Execution Flow** Alright, I see we're starting with `hci_dev_cmd`. That's the entry point, the function that kicks off a Bluetooth HCI command, right? And it seems that function is immediately calling `hci_cmd_sync_status`. My experience tells me that `hci_cmd_sync_status` is likely responsible for handling the synchronous execution of these commands, probably waiting for some sort of status update. Now, I need to understand *how* it's doing this, and to do that, I should head over to `net/bluetooth/hci_sync.c`. That's where all the syncronization magic should be happening. Let's see what's really going on in that function. I expect to see some wait queues, mutexes, condition variables, or something of that nature to manage the command's completion and the return of the command's status. Right, let's dig into the code itself. |
| 30/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_cmd_sync_status SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:false SourceCode: 291: int hci_cmd_sync_status(struct hci_dev *hdev, u16 opcode, u32 plen,
292: const void *param, u32 timeout)
293: {
294: int err;
295:
296: hci_req_sync_lock(hdev);
297: err = __hci_cmd_sync_status(hdev, opcode, plen, param, timeout);
298: hci_req_sync_unlock(hdev);
299:
300: return err;
301: }
SourceFile:net/bluetooth/hci_sync.c] |
| 31/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Here's the summary, assuming you're an expert in your field and thinking through the code: **Diving into This HCI Function** Okay, so I'm looking at this code and it's calling `hci_req_sync_lock(hdev)`. Hmm, I need to understand what's happening here. That name sounds familiar... wait a second, what *is* `hci_req_sync_lock`? I'm almost certain that this must be some sort of mutex or synchronization primitive. It's likely ensuring exclusive access to the `hdev` structure related to the HCI request. It’s probably a critical section to protect from race conditions, but I need to confirm the underlying implementation. I should check the surrounding code and the definition of this lock to understand its specific behavior and scope. Let me dig into that... |
| 32/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_req_sync_lock SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 33/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Here's my attempt at summarizing the thought process, as if I were the one thinking it: **Digging into the HCI Code** Okay, so I'm trying to track down this specific definition. My initial hunch is that it's likely hidden away in one of the core Bluetooth HCI files, specifically `hci_sync.c` or perhaps `hci_core.h`. These are the usual suspects for low-level HCI control. I need to figure out if it's a static variable within the sync file, or maybe a macro or inline function defined in the header. To find it quickly I will search the codebase. I need to be efficient and zero in on the exact location of the declaration. Let's see what the search turns up. |
| 34/2 | 2026/01/15 01:33 | tool | codesearch-definition-comment |
0mModel:unknown Args: map[Name:hci_req_sync_lock SourceFile:net/bluetooth/hci_sync.c] Results: map[Comment: Kind: Missing:true] |
| 35/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Okay, here's my thought process on that: **Investigating the `hci_req_sync_lock` in `net/bluetooth/hci_sync.c`** Alright, let's see. I'm looking at `hci_req_sync_lock`, likely in the context of Bluetooth's HCI synchronization within the Linux kernel. My first instinct here is to jump straight to the source, to see how this thing is actually defined and used. I suspect this will be a crucial piece in understanding how the Bluetooth stack handles contention or manages access to shared resources related to the HCI transport layer. I'll need to use `codesearch-definition-source` on that symbol, within the `net/bluetooth` subsystem, specifically looking within `hci_sync.c`, to quickly understand its scope, purpose, and interactions with the rest of the code. This will allow me to quickly establish the context of its functionality. I'm expecting this lock to manage access to a data structure or shared resource relevant to HCI request synchronization, such as the command queue or a related control structure. Time to dive in! |
| 36/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_req_sync_lock SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:true SourceCode: SourceFile:] |
| 37/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Here's a summary of my thought process, from an expert's perspective: **Debugging a Bluetooth Synchronization Issue** Okay, so I'm chasing down a synchronization issue related to Bluetooth, and the name `hci_req_sync_lock` is popping into my head. It's a bit of a hunch, but based on experience, that name strongly suggests a synchronization lock used within the HCI (Host Controller Interface) layer. Since synchronization is often the culprit for these kinds of problems, I'm thinking that's a good place to start. My next move is obvious: I need to pinpoint the definition of this macro or function. I'll need to locate where `hci_req_sync_lock` is declared. I'm guessing it's likely defined in `hci_core.h`, that seems like the logical place for something this fundamental. Let's dig into that header file, and see what we can find. From there, I'll be able to trace its usage and understand its purpose within the system. |
| 38/2 | 2026/01/15 01:33 | tool | codesearch-file-index |
0mModel:unknown Args: map[SourceFile:net/bluetooth/hci_core.c] Results: map[Entities:[map[Kind:function Name:__check_timeout] map[Kind:function Name:__hci_cmd_send] map[Kind:function Name:__hci_cmd_send] map[Kind:function Name:__hci_dev_get] map[Kind:function Name:adv_instance_rpa_expired] map[Kind:function Name:hci_acldata_packet] map[Kind:function Name:hci_add_acl_hdr] map[Kind:function Name:hci_add_adv_instance] map[Kind:function Name:hci_add_adv_monitor] map[Kind:function Name:hci_add_irk] map[Kind:function Name:hci_add_iso_hdr] map[Kind:function Name:hci_add_link_key] map[Kind:function Name:hci_add_ltk] map[Kind:function Name:hci_add_per_instance] map[Kind:function Name:hci_add_remote_oob_data] map[Kind:function Name:hci_adv_instance_flags] map[Kind:function Name:hci_adv_instance_is_scannable] map[Kind:function Name:hci_adv_instances_clear] map[Kind:function Name:hci_adv_instances_set_rpa_expired] map[Kind:function Name:hci_adv_monitors_clear] map[Kind:function Name:hci_alloc_dev_priv] map[Kind:function Name:hci_alloc_dev_priv] map[Kind:function Name:hci_bdaddr_is_paired] map[Kind:function Name:hci_bdaddr_list_add] map[Kind:function Name:hci_bdaddr_list_add_with_flags] map[Kind:function Name:hci_bdaddr_list_add_with_irk] map[Kind:function Name:hci_bdaddr_list_clear] map[Kind:function Name:hci_bdaddr_list_del] map[Kind:function Name:hci_bdaddr_list_del_with_irk] map[Kind:function Name:hci_bdaddr_list_lookup] map[Kind:function Name:hci_bdaddr_list_lookup_with_flags] map[Kind:function Name:hci_bdaddr_list_lookup_with_irk] map[Kind:function Name:hci_blocked_keys_clear] map[Kind:function Name:hci_cancel_cmd_sync] map[Kind:function Name:hci_chan_sent] map[Kind:function Name:hci_clear_wake_reason] map[Kind:function Name:hci_cmd_data] map[Kind:function Name:hci_cmd_timeout] map[Kind:function Name:hci_cmd_work] map[Kind:function Name:hci_cmd_work] map[Kind:function Name:hci_conn_params_add] map[Kind:function Name:hci_conn_params_clear_all] map[Kind:function Name:hci_conn_params_clear_disabled] map[Kind:function Name:hci_conn_params_del] map[Kind:function Name:hci_conn_params_free] map[Kind:function Name:hci_conn_params_lookup] map[Kind:function Name:hci_copy_identity_address] map[Kind:function Name:hci_dev_classify_pkt_type] map[Kind:function Name:hci_dev_close] map[Kind:function Name:hci_dev_cmd] map[Kind:function Name:hci_dev_do_close] map[Kind:function Name:hci_dev_do_open] map[Kind:function Name:hci_dev_do_poweroff] map[Kind:function Name:hci_dev_do_reset] map[Kind:function Name:hci_dev_get] map[Kind:function Name:hci_dev_get_srcu] map[Kind:function Name:hci_dev_open] map[Kind:function Name:hci_dev_put_srcu] map[Kind:function Name:hci_dev_reset] map[Kind:function Name:hci_dev_reset_stat] map[Kind:function Name:hci_discovery_active] map[Kind:function Name:hci_discovery_set_state] map[Kind:function Name:hci_error_reset] map[Kind:function Name:hci_find_adv_instance] map[Kind:function Name:hci_find_adv_sid] map[Kind:function Name:hci_find_irk_by_addr] map[Kind:function Name:hci_find_irk_by_rpa] map[Kind:function Name:hci_find_link_key] map[Kind:function Name:hci_find_ltk] map[Kind:function Name:hci_find_remote_oob_data] map[Kind:function Name:hci_free_adv_monitor] map[Kind:function Name:hci_free_dev] map[Kind:function Name:hci_free_dev] map[Kind:function Name:hci_get_adv_monitor_offload_ext] map[Kind:function Name:hci_get_dev_info] map[Kind:function Name:hci_get_dev_list] map[Kind:function Name:hci_get_next_instance] map[Kind:function Name:hci_inquiry] map[Kind:function Name:hci_inquiry_cache_flush] map[Kind:function Name:hci_inquiry_cache_lookup] map[Kind:function Name:hci_inquiry_cache_lookup_resolve] map[Kind:function Name:hci_inquiry_cache_lookup_unknown] map[Kind:function Name:hci_inquiry_cache_update] map[Kind:function Name:hci_inquiry_cache_update_resolve] map[Kind:function Name:hci_is_adv_monitoring] map[Kind:function Name:hci_is_blocked_key] map[Kind:function Name:hci_isodata_packet] map[Kind:function Name:hci_link_keys_clear] map[Kind:function Name:hci_link_tx_to] map[Kind:function Name:hci_low_sent] map[Kind:function Name:hci_ncmd_timeout] map[Kind:function Name:hci_pend_le_action_lookup] map[Kind:function Name:hci_pend_le_list_add] map[Kind:function Name:hci_pend_le_list_del_init] map[Kind:function Name:hci_persistent_key] map[Kind:function Name:hci_power_off] map[Kind:function Name:hci_power_on] map[Kind:function Name:hci_prio_recalculate] map[Kind:function Name:hci_queue_acl] map[Kind:function Name:hci_queue_iso] map[Kind:function Name:hci_quote_sent] map[Kind:function Name:hci_recv_diag] map[Kind:function Name:hci_recv_diag] map[Kind:function Name:hci_recv_event_data] map[Kind:function Name:hci_recv_frame] map[Kind:function Name:hci_recv_frame] map[Kind:function Name:hci_register_cb] map[Kind:function Name:hci_register_cb] map[Kind:function Name:hci_register_dev] map[Kind:function Name:hci_register_dev] map[Kind:function Name:hci_register_suspend_notifier] map[Kind:function Name:hci_release_dev] map[Kind:function Name:hci_release_dev] map[Kind:function Name:hci_remote_oob_data_clear] map[Kind:function Name:hci_remove_adv_instance] map[Kind:function Name:hci_remove_adv_monitor] map[Kind:function Name:hci_remove_all_adv_monitor] map[Kind:function Name:hci_remove_irk] map[Kind:function Name:hci_remove_link_key] map[Kind:function Name:hci_remove_ltk] map[Kind:function Name:hci_remove_remote_oob_data] map[Kind:function Name:hci_remove_single_adv_monitor] map[Kind:function Name:hci_req_cmd_complete] map[Kind:function Name:hci_req_is_complete] map[Kind:function Name:hci_resend_last] map[Kind:function Name:hci_reset_dev] map[Kind:function Name:hci_reset_dev] map[Kind:function Name:hci_resume_dev] map[Kind:function Name:hci_resume_dev] map[Kind:function Name:hci_rfkill_set_block] map[Kind:function Name:hci_rx_work] map[Kind:function Name:hci_rx_work] map[Kind:function Name:hci_sched_acl] map[Kind:function Name:hci_sched_acl_pkt] map[Kind:function Name:hci_sched_iso] map[Kind:function Name:hci_sched_le] map[Kind:function Name:hci_sched_sco] map[Kind:function Name:hci_scodata_packet] map[Kind:function Name:hci_send_acl] map[Kind:function Name:hci_send_cmd] map[Kind:function Name:hci_send_cmd_sync] map[Kind:function Name:hci_send_conn_frame] map[Kind:function Name:hci_send_frame] map[Kind:function Name:hci_send_iso] map[Kind:function Name:hci_send_sco] map[Kind:function Name:hci_sent_cmd_data] map[Kind:function Name:hci_set_adv_instance_data] map[Kind:function Name:hci_set_fw_info] map[Kind:function Name:hci_set_fw_info] map[Kind:function Name:hci_set_hw_info] map[Kind:function Name:hci_set_hw_info] map[Kind:function Name:hci_smp_irks_clear] map[Kind:function Name:hci_smp_ltks_clear] map[Kind:function Name:hci_suspend_dev] map[Kind:function Name:hci_suspend_dev] map[Kind:function Name:hci_suspend_notifier] map[Kind:function Name:hci_tx_work] map[Kind:function Name:hci_tx_work] map[Kind:function Name:hci_unregister_cb] map[Kind:function Name:hci_unregister_cb] map[Kind:function Name:hci_unregister_dev] map[Kind:function Name:hci_unregister_dev] map[Kind:function Name:hci_unregister_suspend_notifier] map[Kind:function Name:hci_update_passive_scan_state] map[Kind:function Name:hci_uuids_clear] map[Kind:function Name:inquiry_cache_dump] map[Kind:function Name:ltk_role]] Missing:false] |
| 39/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Here's my attempt at summarizing the thought process, as if I were the expert: **Locating the Synchronization Primitives** Okay, I need to understand how Bluetooth handles synchronization, specifically related to HCI requests. My initial hunch is that `hci_req_sync_lock` is the key. Given my experience, the `include/net/bluetooth/` directory is the logical place to start. I'm going straight for `hci_core.h`. That's where I expect to find the core definitions and structures, including any critical locking mechanisms that manage HCI request flow. I'm anticipating this header will define how these requests are protected against race conditions, which is crucial for the reliability of the entire stack. |
| 40/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_req_sync_lock SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 41/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: **Investigating the `hci_req_sync_lock` Function** Okay, so I need to figure out where `hci_req_sync_lock` is actually defined. My first instinct is a manual search within `hci_sync.c`, but wait, I recall seeing it used in the context of `hci_cmd_sync_status`. That's a starting point. Now, given its naming convention, it's very possible this is just a macro. Let me confirm that suspicion. Ah, yes, here we go: ```c #define hci_req_sync_lock(hdev) mutex_lock(&(hdev)->req_lock) #define hci_req_sync_unlock(hdev) mutex_unlock(&(hdev)->req_lock) ``` Right, so it wraps `mutex_lock` and `mutex_unlock` on an `req_lock` member of something. Which means I need to identify that structure, and that likely lies within the `hci_dev` struct. Let's dig into that to verify. |
| 42/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_dev SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 43/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Okay, here's the summary, rendered as your internal thought process:
**Chasing that Elusive `hci_dev`**
Alright, still hitting a wall here. I'm failing to locate that `hci_dev` struct. Time to change tactics. Instead of blindly hoping, let's get specific. I'll search the `include/net/bluetooth/hci_core.h` file, specifically looking for "struct hci_dev {". That should be a good starting point to nail down the definition. No need to rely on the search function, just jump straight to the source. It might be faster and prevent me from going down a rabbit hole.
|
| 44/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_alloc_dev SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:false SourceCode:1758: static inline struct hci_dev *hci_alloc_dev(void)
1759: {
1760: return hci_alloc_dev_priv(0);
1761: }
SourceFile:include/net/bluetooth/hci_core.h] |
| 45/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: Here's my attempt at summarizing the thought process, tailored for an expert audience: **Diving into hci_core.h** Okay, let's zero in on `hci_core.h`, specifically around line 500. This probably signifies a critical area, potentially related to a specific HCI event, packet processing, or maybe even initialization routines. I suspect that specific location suggests a region of code where important control flow might occur. I'm going to quickly scan around that line to see the immediate context. I'm looking for function calls, conditional branches, or data structure definitions that might jump out. My goal is to understand how a particular element functions in the system. The specifics will vary depending on the implementation, but my focus is on quickly discerning how data is managed and potential error-handling strategies. Line 500 should provide a good anchor point in the code. |
| 46/2 | 2026/01/15 01:33 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_dev_cmd SourceFile:net/bluetooth/hci_core.c] Results: map[Missing:false SourceCode: 678: int hci_dev_cmd(unsigned int cmd, void __user *arg)
679: {
680: struct hci_dev *hdev;
681: struct hci_dev_req dr;
682: __le16 policy;
683: int err = 0;
684:
685: if (copy_from_user(&dr, arg, sizeof(dr)))
686: return -EFAULT;
687:
688: hdev = hci_dev_get(dr.dev_id);
689: if (!hdev)
690: return -ENODEV;
691:
692: if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
693: err = -EBUSY;
694: goto done;
695: }
696:
697: if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
698: err = -EOPNOTSUPP;
699: goto done;
700: }
701:
702: if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
703: err = -EOPNOTSUPP;
704: goto done;
705: }
706:
707: switch (cmd) {
708: case HCISETAUTH:
709: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
710: 1, &dr.dev_opt, HCI_CMD_TIMEOUT);
711: break;
712:
713: case HCISETENCRYPT:
714: if (!lmp_encrypt_capable(hdev)) {
715: err = -EOPNOTSUPP;
716: break;
717: }
718:
719: if (!test_bit(HCI_AUTH, &hdev->flags)) {
720: /* Auth must be enabled first */
721: err = hci_cmd_sync_status(hdev,
722: HCI_OP_WRITE_AUTH_ENABLE,
723: 1, &dr.dev_opt,
724: HCI_CMD_TIMEOUT);
725: if (err)
726: break;
727: }
728:
729: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
730: 1, &dr.dev_opt, HCI_CMD_TIMEOUT);
731: break;
732:
733: case HCISETSCAN:
734: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
735: 1, &dr.dev_opt, HCI_CMD_TIMEOUT);
736:
737: /* Ensure that the connectable and discoverable states
738: * get correctly modified as this was a non-mgmt change.
739: */
740: if (!err)
741: hci_update_passive_scan_state(hdev, dr.dev_opt);
742: break;
743:
744: case HCISETLINKPOL:
745: policy = cpu_to_le16(dr.dev_opt);
746:
747: err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
748: 2, &policy, HCI_CMD_TIMEOUT);
749: break;
750:
751: case HCISETLINKMODE:
752: hdev->link_mode = ((__u16) dr.dev_opt) &
753: (HCI_LM_MASTER | HCI_LM_ACCEPT);
754: break;
755:
756: case HCISETPTYPE:
757: if (hdev->pkt_type == (__u16) dr.dev_opt)
758: break;
759:
760: hdev->pkt_type = (__u16) dr.dev_opt;
761: mgmt_phy_configuration_changed(hdev, NULL);
762: break;
763:
764: case HCISETACLMTU:
765: hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
766: hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
767: break;
768:
769: case HCISETSCOMTU:
770: hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
771: hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
772: break;
773:
774: default:
775: err = -EINVAL;
776: break;
777: }
778:
779: done:
780: hci_dev_put(hdev);
781: return err;
782: }
SourceFile:net/bluetooth/hci_core.c] |
| 47/2 | 2026/01/15 01:33 | llm | expert |
0mModel:unknown Thoughts: **Bluetooth HCI Command Synchronization: A Deep Dive into a Potential Data Race** Okay, so I'm diving into this KCSAN report, and it looks like we have a classic data race scenario in the Bluetooth HCI synchronization code. My immediate concern is the lack of explicit synchronization between a thread waiting for a synchronous command's completion and another thread that might cancel that command. Let me break down what I'm seeing: `hci_req_sync_lock` seems to control access to `hdev->req_lock`, which is held by Task 5534 during a synchronous HCI command execution, specifically within `__hci_cmd_sync_sk`. Task 44, running `hci_cmd_work`, can call `hci_cmd_sync_cancel_sync` which, crucially, might *not* be holding that lock. This creates the potential for a race. The core of the problem lies with `hdev->req_status`, which appears to act as a flag to signal the completion or cancellation of a synchronous HCI command. `__hci_cmd_sync_sk` sets `hdev->req_status` to `HCI_REQ_PEND` at the start of the process and then waits with `wait_event_interruptible_timeout` for it to change. The `hci_cmd_sync_cancel_sync` function might, if a send fails, update `hdev->req_status` to `HCI_REQ_CANCELED` and wake up the waiting thread. The race occurs because `hci_cmd_sync_cancel_sync` directly updates `hdev->req_status` and `hdev->req_result` without holding the `req_lock`. This allows for a situation where Task 5534, running the command, might read a stale value of `hdev->req_status`. It's reading on line 176 and the race is triggered by the write to line 690. Now, while `wait_event` and `wake_up_interruptible` *do* provide memory barriers, there's still a risk of missed wake-ups if the initial `if` condition within `wait_event` uses a stale value, especially since this initial check happens outside the loop. However, after a deeper analysis, the actual functional impact *should* be minimal. The `schedule()` calls in `wait_event` and the use of barriers in `prepare_to_wait_event` and `wake_up_interruptible` should ensure the correct eventual state is reached. If the initial read *is* stale, the thread will simply go to sleep and be woken up by the subsequent `wake_up_interruptible` call. The bigger risk is that `hdev->req_result` and `hdev->req_status` are modified without a synchronizing primitive like `READ_ONCE` or an atomic. The report shows the value of `hdev->req_status` is changing from `HCI_REQ_PEND` to `HCI_REQ_CANCELED`. But in order to avoid reading the wrong value of `hdev->req_result`, a `wake_up_interruptible` is called. The `wake_up` function should ensure visibility of `hdev->req_result`. This means the reader should see the write of the correct value to `hdev->req_result`. Essentially, the race is flagged by KCSAN because it's a plain, unsynchronized access. It's not a functional bug per se, as the overall logic should still work correctly, but it's a violation of the kernel's memory model guidelines and a potential source of subtle, hard-to-debug issues. I'm thinking we probably need to introduce `READ_ONCE` for accesses to `hdev->req_status` (and perhaps `hdev->req_result`), or potentially use an atomic variable. It looks like the fix would be to modify the check in `wait_event` to use the helper. The report has line numbers, so that should be pretty easy. This will eliminate the data race and ensure that the compiler doesn't optimize the read in a way that breaks the waiting logic. |
| 48/2 | 2026/01/15 01:34 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_req_sync_complete SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:true SourceCode: SourceFile:] |
| 49/2 | 2026/01/15 01:34 | llm | expert |
0mModel:unknown Thoughts: Okay, here's the summary, assuming I'm an expert in the field and approaching this with a similar mindset: **Analyzing the HCI Request Completion Signal** Alright, so I need to track down where this `HCI_REQ_DONE` signal is being handled. I know it's a critical indicator related to HCI (Host Controller Interface) requests, and I need to understand its context. My first instinct is to narrow down the search. Should I start broad, scanning the entire project for every instance of this symbol? Probably not. That could generate a huge number of false positives. Given the nature of Bluetooth, and the likely organization of the code, I should probably focus my initial search within the `net/bluetooth` directory. That's the most logical place to begin, where the core Bluetooth network stack code resides. It'll likely be handled directly in connection with that section of the code, rather than some other portion of the OS. That's where I will find the information I need, or narrow the search from there. |
| 50/2 | 2026/01/15 01:34 | tool | codesearch-file-index |
0mModel:unknown Args: map[SourceFile:net/bluetooth/hci_event.c] Results: map[Entities:[map[Kind:function Name:bredr_oob_data_present] map[Kind:function Name:check_pending_le_conn] map[Kind:function Name:clear_pending_adv_report] map[Kind:function Name:conn_set_key] map[Kind:function Name:cs_le_create_conn] map[Kind:function Name:eir_get_length] map[Kind:function Name:ev_bdaddr_type] map[Kind:function Name:ext_evt_type_to_legacy] map[Kind:function Name:handle_cmd_cnt_and_timer] map[Kind:function Name:has_pending_adv_report] map[Kind:function Name:hci_auth_complete_evt] map[Kind:function Name:hci_cc_delete_stored_link_key] map[Kind:function Name:hci_cc_exit_periodic_inq] map[Kind:function Name:hci_cc_func] map[Kind:function Name:hci_cc_inquiry_cancel] map[Kind:function Name:hci_cc_le_add_to_accept_list] map[Kind:function Name:hci_cc_le_add_to_resolv_list] map[Kind:function Name:hci_cc_le_clear_accept_list] map[Kind:function Name:hci_cc_le_clear_adv_sets] map[Kind:function Name:hci_cc_le_clear_resolv_list] map[Kind:function Name:hci_cc_le_del_from_accept_list] map[Kind:function Name:hci_cc_le_del_from_resolv_list] map[Kind:function Name:hci_cc_le_read_accept_list_size] map[Kind:function Name:hci_cc_le_read_adv_tx_power] map[Kind:function Name:hci_cc_le_read_all_local_features] map[Kind:function Name:hci_cc_le_read_buffer_size] map[Kind:function Name:hci_cc_le_read_buffer_size_v2] map[Kind:function Name:hci_cc_le_read_def_data_len] map[Kind:function Name:hci_cc_le_read_local_features] map[Kind:function Name:hci_cc_le_read_max_data_len] map[Kind:function Name:hci_cc_le_read_num_adv_sets] map[Kind:function Name:hci_cc_le_read_resolv_list_size] map[Kind:function Name:hci_cc_le_read_supported_states] map[Kind:function Name:hci_cc_le_read_transmit_power] map[Kind:function Name:hci_cc_le_remove_adv_set] map[Kind:function Name:hci_cc_le_set_addr_resolution_enable] map[Kind:function Name:hci_cc_le_set_adv_enable] map[Kind:function Name:hci_cc_le_set_adv_set_random_addr] map[Kind:function Name:hci_cc_le_set_cig_params] map[Kind:function Name:hci_cc_le_set_default_phy] map[Kind:function Name:hci_cc_le_set_ext_adv_enable] map[Kind:function Name:hci_cc_le_set_ext_scan_enable] map[Kind:function Name:hci_cc_le_set_ext_scan_param] map[Kind:function Name:hci_cc_le_set_per_adv_enable] map[Kind:function Name:hci_cc_le_set_privacy_mode] map[Kind:function Name:hci_cc_le_set_random_addr] map[Kind:function Name:hci_cc_le_set_scan_enable] map[Kind:function Name:hci_cc_le_set_scan_param] map[Kind:function Name:hci_cc_le_setup_iso_path] map[Kind:function Name:hci_cc_le_write_def_data_len] map[Kind:function Name:hci_cc_periodic_inq] map[Kind:function Name:hci_cc_pin_code_neg_reply] map[Kind:function Name:hci_cc_pin_code_reply] map[Kind:function Name:hci_cc_read_auth_payload_timeout] map[Kind:function Name:hci_cc_read_bd_addr] map[Kind:function Name:hci_cc_read_buffer_size] map[Kind:function Name:hci_cc_read_class_of_dev] map[Kind:function Name:hci_cc_read_clock] map[Kind:function Name:hci_cc_read_def_err_data_reporting] map[Kind:function Name:hci_cc_read_def_link_policy] map[Kind:function Name:hci_cc_read_enc_key_size] map[Kind:function Name:hci_cc_read_inq_rsp_tx_power] map[Kind:function Name:hci_cc_read_link_policy] map[Kind:function Name:hci_cc_read_local_commands] map[Kind:function Name:hci_cc_read_local_ext_features] map[Kind:function Name:hci_cc_read_local_features] map[Kind:function Name:hci_cc_read_local_name] map[Kind:function Name:hci_cc_read_local_oob_data] map[Kind:function Name:hci_cc_read_local_oob_ext_data] map[Kind:function Name:hci_cc_read_local_pairing_opts] map[Kind:function Name:hci_cc_read_local_version] map[Kind:function Name:hci_cc_read_num_supported_iac] map[Kind:function Name:hci_cc_read_page_scan_activity] map[Kind:function Name:hci_cc_read_page_scan_type] map[Kind:function Name:hci_cc_read_rssi] map[Kind:function Name:hci_cc_read_stored_link_key] map[Kind:function Name:hci_cc_read_tx_power] map[Kind:function Name:hci_cc_read_voice_setting] map[Kind:function Name:hci_cc_remote_name_req_cancel] map[Kind:function Name:hci_cc_reset] map[Kind:function Name:hci_cc_role_discovery] map[Kind:function Name:hci_cc_set_adv_param] map[Kind:function Name:hci_cc_set_event_filter] map[Kind:function Name:hci_cc_set_per_adv_param] map[Kind:function Name:hci_cc_skb_pull] map[Kind:function Name:hci_cc_user_confirm_neg_reply] map[Kind:function Name:hci_cc_user_confirm_reply] map[Kind:function Name:hci_cc_user_passkey_neg_reply] map[Kind:function Name:hci_cc_user_passkey_reply] map[Kind:function Name:hci_cc_write_auth_enable] map[Kind:function Name:hci_cc_write_auth_payload_timeout] map[Kind:function Name:hci_cc_write_class_of_dev] map[Kind:function Name:hci_cc_write_def_err_data_reporting] map[Kind:function Name:hci_cc_write_def_link_policy] map[Kind:function Name:hci_cc_write_encrypt_mode] map[Kind:function Name:hci_cc_write_le_host_supported] map[Kind:function Name:hci_cc_write_link_policy] map[Kind:function Name:hci_cc_write_local_name] map[Kind:function Name:hci_cc_write_page_scan_activity] map[Kind:function Name:hci_cc_write_page_scan_type] map[Kind:function Name:hci_cc_write_sc_support] map[Kind:function Name:hci_cc_write_scan_enable] map[Kind:function Name:hci_cc_write_ssp_debug_mode] map[Kind:function Name:hci_cc_write_ssp_mode] map[Kind:function Name:hci_cc_write_voice_setting] map[Kind:function Name:hci_change_link_key_complete_evt] map[Kind:function Name:hci_check_pending_name] map[Kind:function Name:hci_clock_offset_evt] map[Kind:function Name:hci_cmd_complete_evt] map[Kind:function Name:hci_cmd_status_evt] map[Kind:function Name:hci_conn_complete_evt] map[Kind:function Name:hci_conn_request_evt] map[Kind:function Name:hci_cs_add_sco] map[Kind:function Name:hci_cs_auth_requested] map[Kind:function Name:hci_cs_create_conn] map[Kind:function Name:hci_cs_disconnect] map[Kind:function Name:hci_cs_enhanced_setup_sync_conn] map[Kind:function Name:hci_cs_exit_sniff_mode] map[Kind:function Name:hci_cs_inquiry] map[Kind:function Name:hci_cs_le_create_big] map[Kind:function Name:hci_cs_le_create_cis] map[Kind:function Name:hci_cs_le_create_conn] map[Kind:function Name:hci_cs_le_ext_create_conn] map[Kind:function Name:hci_cs_le_read_all_remote_features] map[Kind:function Name:hci_cs_le_read_remote_features] map[Kind:function Name:hci_cs_le_start_enc] map[Kind:function Name:hci_cs_read_remote_ext_features] map[Kind:function Name:hci_cs_read_remote_features] map[Kind:function Name:hci_cs_remote_name_req] map[Kind:function Name:hci_cs_set_conn_encrypt] map[Kind:function Name:hci_cs_setup_sync_conn] map[Kind:function Name:hci_cs_sniff_mode] map[Kind:function Name:hci_cs_switch_role] map[Kind:function Name:hci_disconn_complete_evt] map[Kind:function Name:hci_encrypt_change_evt] map[Kind:function Name:hci_ev_skb_pull] map[Kind:function Name:hci_event_func] map[Kind:function Name:hci_event_packet] map[Kind:function Name:hci_extended_inquiry_result_evt] map[Kind:function Name:hci_get_auth_req] map[Kind:function Name:hci_get_cmd_complete] map[Kind:function Name:hci_hardware_error_evt] map[Kind:function Name:hci_inquiry_complete_evt] map[Kind:function Name:hci_inquiry_result_evt] map[Kind:function Name:hci_inquiry_result_with_rssi_evt] map[Kind:function Name:hci_io_capa_reply_evt] map[Kind:function Name:hci_io_capa_request_evt] map[Kind:function Name:hci_iso_term_big_sync] map[Kind:function Name:hci_key_refresh_complete_evt] map[Kind:function Name:hci_keypress_notify_evt] map[Kind:function Name:hci_le_accept_cis] map[Kind:function Name:hci_le_adv_report_evt] map[Kind:function Name:hci_le_big_info_adv_report_evt] map[Kind:function Name:hci_le_big_sync_established_evt] map[Kind:function Name:hci_le_big_sync_lost_evt] map[Kind:function Name:hci_le_cis_established_evt] map[Kind:function Name:hci_le_cis_req_evt] map[Kind:function Name:hci_le_conn_complete_evt] map[Kind:function Name:hci_le_conn_update_complete_evt] map[Kind:function Name:hci_le_create_big_complete_evt] map[Kind:function Name:hci_le_direct_adv_report_evt] map[Kind:function Name:hci_le_enh_conn_complete_evt] map[Kind:function Name:hci_le_ev_skb_pull] map[Kind:function Name:hci_le_ext_adv_report_evt] map[Kind:function Name:hci_le_ext_adv_term_evt] map[Kind:function Name:hci_le_ltk_request_evt] map[Kind:function Name:hci_le_meta_evt] map[Kind:function Name:hci_le_pa_sync_established_evt] map[Kind:function Name:hci_le_pa_sync_lost_evt] map[Kind:function Name:hci_le_pa_term_sync] map[Kind:function Name:hci_le_past_received_evt] map[Kind:function Name:hci_le_per_adv_report_evt] map[Kind:function Name:hci_le_phy_update_evt] map[Kind:function Name:hci_le_read_all_remote_features_evt] map[Kind:function Name:hci_le_reject_cis] map[Kind:function Name:hci_le_remote_conn_param_req_evt] map[Kind:function Name:hci_le_remote_feat_complete_evt] map[Kind:function Name:hci_link_key_notify_evt] map[Kind:function Name:hci_link_key_request_evt] map[Kind:function Name:hci_mode_change_evt] map[Kind:function Name:hci_num_comp_pkts_evt] map[Kind:function Name:hci_outgoing_auth_needed] map[Kind:function Name:hci_pin_code_request_evt] map[Kind:function Name:hci_pkt_type_change_evt] map[Kind:function Name:hci_pscan_rep_mode_evt] map[Kind:function Name:hci_read_enc_key_size] map[Kind:function Name:hci_reject_conn] map[Kind:function Name:hci_remote_ext_features_evt] map[Kind:function Name:hci_remote_features_evt] map[Kind:function Name:hci_remote_host_features_evt] map[Kind:function Name:hci_remote_name_evt] map[Kind:function Name:hci_remote_oob_data_request_evt] map[Kind:function Name:hci_resolve_name] map[Kind:function Name:hci_resolve_next_name] map[Kind:function Name:hci_role_change_evt] map[Kind:function Name:hci_setup_sync_conn_status] map[Kind:function Name:hci_simple_pair_complete_evt] map[Kind:function Name:hci_store_wake_reason] map[Kind:function Name:hci_sync_conn_complete_evt] map[Kind:function Name:hci_to_mgmt_reason] map[Kind:function Name:hci_unbound_cis_failed] map[Kind:function Name:hci_user_confirm_request_evt] map[Kind:function Name:hci_user_passkey_notify_evt] map[Kind:function Name:hci_user_passkey_request_evt] map[Kind:function Name:le_conn_complete_evt] map[Kind:function Name:le_conn_update_addr] map[Kind:function Name:le_set_scan_enable_complete] map[Kind:function Name:process_adv_report] map[Kind:function Name:send_conn_param_neg_reply] map[Kind:function Name:store_pending_adv_report]] Missing:false] |
| 51/2 | 2026/01/15 01:34 | llm | expert |
0mModel:unknown Thoughts: Okay, let's see... I need to track down how `HCI_REQ_DONE` is handled, specifically in relation to synchronization. My initial thought was to jump right into `hci_req_sync_complete` within `net/bluetooth/hci_sync.c`. I figured that's where the completion logic would reside. Hold on, something's not right. The autocompletion isn't working as expected and it looks like `hci_req_sync_complete` doesn't exist. Time to take a step back and examine `hci_sync.c` more broadly. I'll need to re-evaluate the search strategy, given this unexpected finding and find the appropriate places where `HCI_REQ_DONE` is used. |
| 52/2 | 2026/01/15 01:34 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_cmd_sync_complete SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:false SourceCode: 22: static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
23: struct sk_buff *skb)
24: {
25: bt_dev_dbg(hdev, "result 0x%2.2x", result);
26:
27: if (hdev->req_status != HCI_REQ_PEND)
28: return;
29:
30: hdev->req_result = result;
31: hdev->req_status = HCI_REQ_DONE;
32:
33: /* Free the request command so it is not used as response */
34: kfree_skb(hdev->req_skb);
35: hdev->req_skb = NULL;
36:
37: if (skb) {
38: struct sock *sk = hci_skb_sk(skb);
39:
40: /* Drop sk reference if set */
41: if (sk)
42: sock_put(sk);
43:
44: hdev->req_rsp = skb_get(skb);
45: }
46:
47: wake_up_interruptible(&hdev->req_wait_q);
48: }
SourceFile:net/bluetooth/hci_sync.c] |
| 53/2 | 2026/01/15 01:34 | llm | expert |
0mModel:unknown Thoughts: **Data Race Analysis: HCI Command Synchronization** Okay, so I'm diving into this KCSAN report about a potential data race in the Bluetooth stack, specifically around command synchronization. The core of the issue seems to be how `req_status` is managed between the command completion and cancellation paths. My initial thought is that `hci_cmd_sync_complete` updates `req_status` to `HCI_REQ_DONE` upon command completion. I'm also seeing that it, and `hci_cmd_sync_cancel_sync`, don't seem to hold `req_lock`. Now, I need to figure out the callers of these functions. `hci_event.c` seems like a likely candidate for calling `hci_cmd_sync_complete`. If these functions run concurrently, which seems possible, they both check `hdev->req_status` before modifying it. Since there's no locking, there is a race here and now I can visualize this on the same memory location, one process reading the status, and another trying to write a new status. This is a big flag for me. The thing about `req_status` not being an atomic write gives me a lot of pause. Looking at the code for task 44 (cancellation), and the other task (completion), it's evident that the `req_status` could end up in either `HCI_REQ_DONE` or `HCI_CANCELED`, even if both wake the same queue. Now I'm remembering that `__hci_cmd_sync_sk` checks the status, and it’s critical that it sees the correct *final* state. KCSAN is specifically reporting a data race between `__hci_cmd_sync_sk` (the reader) and `hci_cmd_sync_cancel_sync` (the writer). I see that the reader is waiting for the writer, which is expected, BUT the plain variables without `READ_ONCE`/`WRITE_ONCE` are the issue. In essence, I suspect the compiler might be reordering or caching reads/writes, making the synchronization unreliable. My initial assessment is that this specific race is "benign" in that it's *part* of a synchronization mechanism and is supposed to happen, but that's only because the synchronization is not safe without atomics or `READ_ONCE`. However, now I'm thinking about if this actually *is* benign. If `req_status` becomes `HCI_REQ_CANCELED` but `__hci_cmd_sync_sk` reads it and *then* reads it again...could the value change? `__hci_cmd_sync_sk` is supposed to switch based on what `req_status` is, and I see in `__hci_cmd_sync_sk` that the status is eventually reset to zero, and now I'm starting to remember that this resets the status after it's been handled. Now I am thinking there's a race between `hci_cmd_sync_cancel_sync` and `hci_cmd_sync_complete`, if they both run, and the race is with them both trying to write `req_status` and `req_result`. This could be harmful, but KCSAN didn't flag *that* race. Maybe because `hci_cmd_sync_complete` wasn't involved in the repro? Since `hci_cmd_sync_cancel_sync` is called when `hci_send_frame` fails, and that means the command wasn't sent, then I am not sure `hci_cmd_sync_complete` would be running at the same time. Wait, looking again, `req_status` is updated in *multiple* places. My thinking is now that if multiple threads call `hci_cmd_sync_cancel_sync`, they could race. The `hdev->workqueue` is used so there's not a lot of potential contention here. Now I'm trying to look at all callers of `hci_cmd_sync_cancel_sync`. I'm seeing `hci_cmd_sync_cancel`, and `hci_send_cmd_sync`, and `hci_dev_do_reset`. I see now that a *real* bug is possible if the status updates aren't atomic and the `req_result` and `req_status` are not coordinated. I can also see that there are multiple pathways to cancellation/completion which means the lack of synchronization is even more problematic. Now it's my job to see if a lock *should* be held, and I'm seeing that `__hci_cmd_sync_sk` *does* say a lock is held, but the `hci_cmd_sync |
| 54/2 | 2026/01/15 01:34 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_req_sync_lock SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:true SourceCode: SourceFile:] |
| 55/2 | 2026/01/15 01:34 | llm | expert |
0mModel:unknown Thoughts: Okay, let's see... I need to refresh my memory on the purpose of `hci_req_sync_lock`. It's vaguely familiar, but I want a solid definition. Right, I'll start by searching the entire codebase for that exact term. That should cast a wide net. Hmm, wait a second, there might be a more direct route. I recall that the locking is likely related to device initialization or structure management. Let me quickly revisit how `hci_alloc_dev` or the `hci_dev` struct itself handles concurrency. Maybe the definition is right there. Okay, a good starting point would be looking into `include/net/bluetooth/hci_core.h`. Searching that header file for "req_lock" is probably the most focused approach for now. Hopefully, it'll provide the context I'm after, and I can be done with this quickly. |
| 56/2 | 2026/01/15 01:34 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_req_sync_lock SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 57/2 | 2026/01/15 01:34 | llm | expert |
0mModel:unknown Thoughts: **Tracing `req_lock` in `hci_dev`**
Okay, let's see, I need to find the declaration of `req_lock` within the `hci_dev` structure. I've been down this road before, and I recall needing to get at the source code directly. My first instinct is to leverage `codesearch-definition-source`, but I want to mix things up a bit and approach it with a slightly different search term this time. Instead of relying solely on the exact symbol, I'll search for the general structure definition itself, the string "struct hci_dev {", in the hopes that will yield the context I need.
Ah, damn it, I don't seem to have a readily available tool at my fingertips for string searching across the entire codebase. No problem, this is still manageable. I'll simply jump into the include files and manually look for the structure. Based on my familiarity with the Bluetooth stack, I'll start with `include/net/bluetooth/hci_core.h`, starting from line 1. Hopefully, the definition is right there, and I can quickly spot `req_lock` within the context of the structure. This should get me where I need to be.
|
| 58/2 | 2026/01/15 01:34 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_dev_test_flag SourceFile:include/net/bluetooth/hci_core.h] Results: map[Missing:true SourceCode: SourceFile:] |
| 59/2 | 2026/01/15 01:34 | llm | expert |
0mModel:unknown Thoughts: Here's a breakdown of my thought process: **Debugging the Code Search** Okay, so my `codesearch-definition-source` isn't returning what I expect in a few instances. Time to troubleshoot. I'll test it out with a specific example: `hci_dev` within `include/net/bluetooth/hci_core.h`. Let's see if it finds it. Ah, shoot, I already tried that. Okay, scratch that. Hmmm... maybe the source search isn't the right tool. Let's switch gears. What about `codesearch-definition-comment`? Perhaps the information I'm looking for is in a comment. I'll try searching for `hci_dev` using that function instead. That might provide a clue or direction to the correct definition. Let's see what we get. |
| 60/2 | 2026/01/15 01:35 | tool | codesearch-definition-comment |
0mModel:unknown Args: map[Name:hci_dev SourceFile:include/net/bluetooth/hci_core.h] Results: map[Comment: Kind: Missing:true] |
| 61/2 | 2026/01/15 01:35 | llm | expert |
0mModel:unknown Thoughts: Here's a breakdown of my thought process: **Diving into the Bluetooth HCI Synchronization** Alright, I need to get a handle on the synchronization mechanisms used in this Bluetooth HCI core. My initial instinct is to go digging through `hci_core.h`, see what's defined in there. But hold on, I've already listed the entities, I should check that first, rather than repeat steps. Let's revisit the entities I have for `include/net/bluetooth/hci_core.h`, I'll scan through them again. I'm specifically looking for any obvious lock structures or related functions. Hmm, I did see `hci_alloc_dev`, but I'm thinking about synchronization primitives. Ah, right! Now I remember seeing `hci_req_sync_lock` in `hci_sync.c`. Bingo! Let me examine the context in `hci_sync.c` around that call, line 296, to see how it's being used. I need to understand its role. It's likely defined there. Wait a second… strange. The entity listing didn’t pick up `hci_req_sync_lock` in the `hci_sync.c` entities. Okay, maybe it’s a macro then? Time to check the source for the definition of the function/macro. |
| 62/2 | 2026/01/15 01:35 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:__hci_cmd_sync_status_sk SourceFile:net/bluetooth/hci_sync.c] Results: map[Missing:false SourceCode: 254: /* This function requires the caller holds hdev->req_lock. */
255: int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
256: const void *param, u8 event, u32 timeout,
257: struct sock *sk)
258: {
259: struct sk_buff *skb;
260: u8 status;
261:
262: skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
263:
264: /* If command return a status event, skb will be set to -ENODATA */
265: if (skb == ERR_PTR(-ENODATA))
266: return 0;
267:
268: if (IS_ERR(skb)) {
269: if (!event)
270: bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", opcode,
271: PTR_ERR(skb));
272: return PTR_ERR(skb);
273: }
274:
275: status = skb->data[0];
276:
277: kfree_skb(skb);
278:
279: return status;
280: }
SourceFile:net/bluetooth/hci_sync.c] |
| 63/2 | 2026/01/15 01:35 | llm | expert |
0mModel:unknown Thoughts: Okay, here's my take on those thoughts, as if I were the one thinking them: **Navigating a Kernel Lock Dependency** Alright, the documentation for this function is clear; it *demands* that the caller already has a handle on `hdev->req_lock`. So, the lock in question is definitely named `req_lock`. That's a helpful starting point. Now, to truly understand the intended usage, I need to trace back and determine where this `req_lock` is initialized and how it's intended to be managed. Time to crack open the `hci_core.c` file and dive in. Let's see if I can pinpoint that initialization sequence. |
| 64/2 | 2026/01/15 01:35 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_alloc_dev_priv SourceFile:net/bluetooth/hci_core.c] Results: map[Missing:false SourceCode:2435: /* Alloc HCI device */
2436: struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
2437: {
2438: struct hci_dev *hdev;
2439: unsigned int alloc_size;
2440:
2441: alloc_size = sizeof(*hdev);
2442: if (sizeof_priv) {
2443: /* Fixme: May need ALIGN-ment? */
2444: alloc_size += sizeof_priv;
2445: }
2446:
2447: hdev = kzalloc(alloc_size, GFP_KERNEL);
2448: if (!hdev)
2449: return NULL;
2450:
2451: if (init_srcu_struct(&hdev->srcu)) {
2452: kfree(hdev);
2453: return NULL;
2454: }
2455:
2456: hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2457: hdev->esco_type = (ESCO_HV1);
2458: hdev->link_mode = (HCI_LM_ACCEPT);
2459: hdev->num_iac = 0x01; /* One IAC support is mandatory */
2460: hdev->io_capability = 0x03; /* No Input No Output */
2461: hdev->manufacturer = 0xffff; /* Default to internal use */
2462: hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2463: hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2464: hdev->adv_instance_cnt = 0;
2465: hdev->cur_adv_instance = 0x00;
2466: hdev->adv_instance_timeout = 0;
2467:
2468: hdev->advmon_allowlist_duration = 300;
2469: hdev->advmon_no_filter_duration = 500;
2470: hdev->enable_advmon_interleave_scan = 0x00; /* Default to disable */
2471:
2472: hdev->sniff_max_interval = 800;
2473: hdev->sniff_min_interval = 80;
2474:
2475: hdev->le_adv_channel_map = 0x07;
2476: hdev->le_adv_min_interval = 0x0800;
2477: hdev->le_adv_max_interval = 0x0800;
2478: hdev->le_scan_interval = DISCOV_LE_SCAN_INT_FAST;
2479: hdev->le_scan_window = DISCOV_LE_SCAN_WIN_FAST;
2480: hdev->le_scan_int_suspend = DISCOV_LE_SCAN_INT_SLOW1;
2481: hdev->le_scan_window_suspend = DISCOV_LE_SCAN_WIN_SLOW1;
2482: hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT;
2483: hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN;
2484: hdev->le_scan_int_adv_monitor = DISCOV_LE_SCAN_INT_FAST;
2485: hdev->le_scan_window_adv_monitor = DISCOV_LE_SCAN_WIN_FAST;
2486: hdev->le_scan_int_connect = DISCOV_LE_SCAN_INT_CONN;
2487: hdev->le_scan_window_connect = DISCOV_LE_SCAN_WIN_CONN;
2488: hdev->le_conn_min_interval = 0x0018;
2489: hdev->le_conn_max_interval = 0x0028;
2490: hdev->le_conn_latency = 0x0000;
2491: hdev->le_supv_timeout = 0x002a;
2492: hdev->le_def_tx_len = 0x001b;
2493: hdev->le_def_tx_time = 0x0148;
2494: hdev->le_max_tx_len = 0x001b;
2495: hdev->le_max_tx_time = 0x0148;
2496: hdev->le_max_rx_len = 0x001b;
2497: hdev->le_max_rx_time = 0x0148;
2498: hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
2499: hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
2500: hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
2501: hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
2502: hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
2503: hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION;
2504: hdev->def_le_autoconnect_timeout = HCI_LE_CONN_TIMEOUT;
2505: hdev->min_le_tx_power = HCI_TX_POWER_INVALID;
2506: hdev->max_le_tx_power = HCI_TX_POWER_INVALID;
2507:
2508: hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2509: hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2510: hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2511: hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2512: hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
2513: hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;
2514:
2515: /* default 1.28 sec page scan */
2516: hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD;
2517: hdev->def_page_scan_int = 0x0800;
2518: hdev->def_page_scan_window = 0x0012;
2519:
2520: mutex_init(&hdev->lock);
2521: mutex_init(&hdev->req_lock);
2522: mutex_init(&hdev->mgmt_pending_lock);
2523:
2524: ida_init(&hdev->unset_handle_ida);
2525:
2526: INIT_LIST_HEAD(&hdev->mesh_pending);
2527: INIT_LIST_HEAD(&hdev->mgmt_pending);
2528: INIT_LIST_HEAD(&hdev->reject_list);
2529: INIT_LIST_HEAD(&hdev->accept_list);
2530: INIT_LIST_HEAD(&hdev->uuids);
2531: INIT_LIST_HEAD(&hdev->link_keys);
2532: INIT_LIST_HEAD(&hdev->long_term_keys);
2533: INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2534: INIT_LIST_HEAD(&hdev->remote_oob_data);
2535: INIT_LIST_HEAD(&hdev->le_accept_list);
2536: INIT_LIST_HEAD(&hdev->le_resolv_list);
2537: INIT_LIST_HEAD(&hdev->le_conn_params);
2538: INIT_LIST_HEAD(&hdev->pend_le_conns);
2539: INIT_LIST_HEAD(&hdev->pend_le_reports);
2540: INIT_LIST_HEAD(&hdev->conn_hash.list);
2541: INIT_LIST_HEAD(&hdev->adv_instances);
2542: INIT_LIST_HEAD(&hdev->blocked_keys);
2543: INIT_LIST_HEAD(&hdev->monitored_devices);
2544:
2545: INIT_LIST_HEAD(&hdev->local_codecs);
2546: INIT_WORK(&hdev->rx_work, hci_rx_work);
2547: INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2548: INIT_WORK(&hdev->tx_work, hci_tx_work);
2549: INIT_WORK(&hdev->power_on, hci_power_on);
2550: INIT_WORK(&hdev->error_reset, hci_error_reset);
2551:
2552: hci_cmd_sync_init(hdev);
2553:
2554: INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2555:
2556: skb_queue_head_init(&hdev->rx_q);
2557: skb_queue_head_init(&hdev->cmd_q);
2558: skb_queue_head_init(&hdev->raw_q);
2559:
2560: init_waitqueue_head(&hdev->req_wait_q);
2561:
2562: INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
2563: INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);
2564:
2565: hci_devcd_setup(hdev);
2566:
2567: hci_init_sysfs(hdev);
2568: discovery_init(hdev);
2569:
2570: return hdev;
2571: }
SourceFile:net/bluetooth/hci_core.c] |
| 65/2 | 2026/01/15 01:35 | llm | expert |
0mModel:unknown Thoughts: **My Analysis of the Bluetooth HCI Sync Code** Okay, so I'm looking at this KCSAN report about a data race in the Bluetooth HCI sync code. The report flags a race between `__hci_cmd_sync_sk` and `hci_cmd_sync_cancel_sync` on the `req_status` field, which is a mutex. My initial thought is to figure out if this is actually a problem and not some benign race, the first thing I notice is that the locking is handled in such a way as to avoid deadlock. However, this has led to potential for data race condition. If `hci_cmd_work` would take `req_lock`, there's a dead lock and that's not what we want. The fact that the latter doesn't hold the `req_lock` is intentional to prevent a deadlock. This implies that access to `req_status` is unsynchronized. The core concern here is whether updates to `req_status` and `req_result` are visible in the correct order, without corruption. The fields are 4 bytes, so atomic on x86, but ordering is still a problem. I know `wake_up` and `wait_event` have barriers. Now, can `hci_cmd_sync_cancel_sync` and `hci_cmd_sync_complete` overwrite each other? They both check `req_status == HCI_REQ_PEND` first. Without locks, both could pass and then write. Is that okay? Potentially, the waiter will see either "success" or "cancel". KCSAN is reporting a Reader-Writer race. Often, in the kernel, these are benign on status flags, or fixed with `READ_ONCE`/`WRITE_ONCE`. I'm going to look for related commits to see if this has been addressed. I found a commit, but I didn't see `WRITE_ONCE` used. I'm looking at the state transition. If it's a real bug, does the waiter get the wrong `req_result`? Barriers in `wake_up` / `wait_event` *should* handle that. What if `hdev->req_status` is read as 0? In `__hci_cmd_sync_sk`, it is set to 0 after finishing. If cancel runs *after* complete, the check `hdev->req_status == HCI_REQ_PEND` is false, and nothing happens, so that's correct. Is it possible that `hci_cmd_sync_cancel_sync` is called with a freed `hdev`? No, workqueue and `hci_dev_get` handling should prevent that. What if the status changes from `CANCELED` to `DONE` between the check (line 176) and the switch (line 182) in the reader? That is possible. If `hci_cmd_sync_complete` runs right after `hci_cmd_sync_cancel_sync`. But `hci_cmd_sync_complete` also checks, so if cancel already set it to `CANCELED`, complete will return early. UNLESS they raced and both passed the check. If they both passed, then yes, one overwrites the other. But that's a Writer-Writer race, KCSAN is reporting Reader-Writer. Is this benign? Given `wait_event`, `wake_up`, and compiler barriers, it *shouldn't* hang or crash. The logic *seems* to hold. But, with this style of data race, sometimes the kernel marks these as benign, sometimes they require `READ_ONCE`. Since I can't find `READ_ONCE` in the recent changes, and I've verified the state machine logic, I'm going to assume this is not benign. The fact that it is a Writer-Writer and Writer-Reader race on the state transition is a problem. The KCSAN report makes me think it's not benign. Now, the syzkaller report gives me more context. The error `-22` is `-EINVAL`. If `hci_send_frame` returns `-EINVAL`, `hci_cmd_sync_cancel_sync(hdev, 22)` is called. `hdev->req_result` becomes `22`. `hdev->req_status` becomes `HCI_REQ_CANCELED`. Then `__hci_cmd_sync_sk` wakes up and sees `HCI_REQ_CANCELED`, so `err` becomes `-22`. That's correct. So, the data race is KCSAN noticing the unsynchronized `req_status` access. If it's just |
| 66/2 | 2026/01/15 01:35 | tool | codesearch-definition-source |
0mModel:unknown Args: map[IncludeLines:true Name:hci_cmd_work SourceFile:net/bluetooth/hci_core.c] Results: map[Missing:false SourceCode:4136: static void hci_cmd_work(struct work_struct *work)
4137: {
4138: struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4139: struct sk_buff *skb;
4140: int err;
4141:
4142: BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4143: atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4144:
4145: /* Send queued commands */
4146: if (atomic_read(&hdev->cmd_cnt)) {
4147: skb = skb_dequeue(&hdev->cmd_q);
4148: if (!skb)
4149: return;
4150:
4151: err = hci_send_cmd_sync(hdev, skb);
4152: if (err)
4153: return;
4154:
4155: rcu_read_lock();
4156: if (test_bit(HCI_RESET, &hdev->flags) ||
4157: hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4158: cancel_delayed_work(&hdev->cmd_timer);
4159: else
4160: queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
4161: HCI_CMD_TIMEOUT);
4162: rcu_read_unlock();
4163: }
4164: }
SourceFile:net/bluetooth/hci_core.c] |
| 67/2 | 2026/01/15 01:35 | llm | expert |
0mModel:unknown Thoughts: **Diving Deep into the Synchronization (or Lack Thereof)** Okay, so I'm thinking through this access pattern, and it's starting to crystallize. It's clear that neither `hdev->lock` nor `hdev->req_lock` are being taken. It's only that `rcu_read_lock()` at the very end. That means this whole thing is essentially unsynchronized, which is a bit of a red flag, right? Alright, let's see if there is another way this could possibly be synchronized. Let's see... `hci_send_cmd_sync` does call `hci_send_frame`. And from my experience, that function, `hci_send_frame`, is usually implemented by the specific driver. I'm recalling the details, that if `hci_send_frame` bails, it triggers `hci_cmd_sync_cancel_sync`. Could it be that the `hdev->req_status` field is declared as `volatile`? That's what I'd expect here. Time to dig into the `hci_dev` struct to confirm. Let me see... I can't quite get a jump with `codesearch-definition-source`. I'm going to head directly to `hci_core.h`, I expect it to be in there. Let me start around line 500, and I'll find it. |
| 68/2 | 2026/01/15 01:35 | tool | codesearch-file-index |
0mModel:unknown Args: map[SourceFile:include/net/bluetooth/hci_core.h] Results: map[Entities:[map[Kind:function Name:__hci_cmd_send] map[Kind:function Name:__mgmt_power_off] map[Kind:function Name:discovery_init] map[Kind:function Name:hci_abort_conn] map[Kind:function Name:hci_add_adv_instance] map[Kind:function Name:hci_add_adv_monitor] map[Kind:function Name:hci_add_irk] map[Kind:function Name:hci_add_link_key] map[Kind:function Name:hci_add_ltk] map[Kind:function Name:hci_add_per_instance] map[Kind:function Name:hci_add_remote_oob_data] map[Kind:function Name:hci_adv_instance_flags] map[Kind:function Name:hci_adv_instance_is_scannable] map[Kind:function Name:hci_adv_instances_clear] map[Kind:function Name:hci_adv_instances_set_rpa_expired] map[Kind:function Name:hci_adv_monitors_clear] map[Kind:function Name:hci_alloc_dev] map[Kind:function Name:hci_alloc_dev_priv] map[Kind:function Name:hci_auth_cfm] map[Kind:function Name:hci_bdaddr_is_paired] map[Kind:function Name:hci_bdaddr_is_rpa] map[Kind:function Name:hci_bdaddr_list_add] map[Kind:function Name:hci_bdaddr_list_add_with_flags] map[Kind:function Name:hci_bdaddr_list_add_with_irk] map[Kind:function Name:hci_bdaddr_list_clear] map[Kind:function Name:hci_bdaddr_list_del] map[Kind:function Name:hci_bdaddr_list_del_with_irk] map[Kind:function Name:hci_bdaddr_list_lookup] map[Kind:function Name:hci_bdaddr_list_lookup_with_flags] map[Kind:function Name:hci_bdaddr_list_lookup_with_irk] map[Kind:function Name:hci_bind_bis] map[Kind:function Name:hci_bind_cis] map[Kind:function Name:hci_blocked_keys_clear] map[Kind:function Name:hci_chan_create] map[Kind:function Name:hci_chan_del] map[Kind:function Name:hci_chan_list_flush] map[Kind:function Name:hci_chan_lookup_handle] map[Kind:function Name:hci_check_conn_params] map[Kind:function Name:hci_conn_add] map[Kind:function Name:hci_conn_add_sysfs] map[Kind:function Name:hci_conn_add_unset] map[Kind:function Name:hci_conn_big_create_sync] map[Kind:function Name:hci_conn_check_create_cis] map[Kind:function Name:hci_conn_check_link_mode] map[Kind:function Name:hci_conn_check_secure] map[Kind:function Name:hci_conn_count] map[Kind:function Name:hci_conn_del] map[Kind:function Name:hci_conn_del_sysfs] map[Kind:function Name:hci_conn_drop] map[Kind:function Name:hci_conn_enter_active_mode] map[Kind:function Name:hci_conn_failed] map[Kind:function Name:hci_conn_get] map[Kind:function Name:hci_conn_get_phy] map[Kind:function Name:hci_conn_hash_add] map[Kind:function Name:hci_conn_hash_del] map[Kind:function Name:hci_conn_hash_flush] map[Kind:function Name:hci_conn_hash_list_flag] map[Kind:function Name:hci_conn_hash_list_state] map[Kind:function Name:hci_conn_hash_lookup_ba] map[Kind:function Name:hci_conn_hash_lookup_big] map[Kind:function Name:hci_conn_hash_lookup_big_state] map[Kind:function Name:hci_conn_hash_lookup_big_sync_pend] map[Kind:function Name:hci_conn_hash_lookup_bis] map[Kind:function Name:hci_conn_hash_lookup_cig] map[Kind:function Name:hci_conn_hash_lookup_cis] map[Kind:function Name:hci_conn_hash_lookup_create_pa_sync] map[Kind:function Name:hci_conn_hash_lookup_handle] map[Kind:function Name:hci_conn_hash_lookup_le] map[Kind:function Name:hci_conn_hash_lookup_pa_sync_big_handle] map[Kind:function Name:hci_conn_hash_lookup_pa_sync_handle] map[Kind:function Name:hci_conn_hash_lookup_per_adv_bis] map[Kind:function Name:hci_conn_hash_lookup_role] map[Kind:function Name:hci_conn_hold] map[Kind:function Name:hci_conn_init_sysfs] map[Kind:function Name:hci_conn_key_enc_size] map[Kind:function Name:hci_conn_lookup_type] map[Kind:function Name:hci_conn_num] map[Kind:function Name:hci_conn_params_add] map[Kind:function Name:hci_conn_params_clear_disabled] map[Kind:function Name:hci_conn_params_del] map[Kind:function Name:hci_conn_params_free] map[Kind:function Name:hci_conn_params_lookup] map[Kind:function Name:hci_conn_put] map[Kind:function Name:hci_conn_sc_enabled] map[Kind:function Name:hci_conn_security] map[Kind:function Name:hci_conn_set_handle] map[Kind:function Name:hci_conn_ssp_enabled] map[Kind:function Name:hci_conn_switch_role] map[Kind:function Name:hci_conn_tx_dequeue] map[Kind:function Name:hci_conn_tx_queue] map[Kind:function Name:hci_conn_valid] map[Kind:function Name:hci_connect_acl] map[Kind:function Name:hci_connect_bis] map[Kind:function Name:hci_connect_cfm] map[Kind:function Name:hci_connect_cis] map[Kind:function Name:hci_connect_le] map[Kind:function Name:hci_connect_le_scan] map[Kind:function Name:hci_connect_le_scan_cleanup] map[Kind:function Name:hci_connect_sco] map[Kind:function Name:hci_copy_identity_address] map[Kind:function Name:hci_dev_close] map[Kind:function Name:hci_dev_cmd] map[Kind:function Name:hci_dev_do_close] map[Kind:function Name:hci_dev_get] map[Kind:function Name:hci_dev_hold] map[Kind:function Name:hci_dev_open] map[Kind:function Name:hci_dev_put] map[Kind:function Name:hci_dev_reset] map[Kind:function Name:hci_dev_reset_stat] map[Kind:function Name:hci_devcd_setup] map[Kind:function Name:hci_disconn_cfm] map[Kind:function Name:hci_disconnect] map[Kind:function Name:hci_discovery_active] map[Kind:function Name:hci_discovery_filter_clear] map[Kind:function Name:hci_discovery_set_state] map[Kind:function Name:hci_encrypt_cfm] map[Kind:function Name:hci_event_packet] map[Kind:function Name:hci_find_adv_instance] map[Kind:function Name:hci_find_adv_sid] map[Kind:function Name:hci_find_irk_by_addr] map[Kind:function Name:hci_find_irk_by_rpa] map[Kind:function Name:hci_find_link_key] map[Kind:function Name:hci_find_ltk] map[Kind:function Name:hci_find_remote_oob_data] map[Kind:function Name:hci_free_adv_monitor] map[Kind:function Name:hci_free_dev] map[Kind:function Name:hci_get_adv_monitor_offload_ext] map[Kind:function Name:hci_get_auth_info] map[Kind:function Name:hci_get_conn_info] map[Kind:function Name:hci_get_conn_list] map[Kind:function Name:hci_get_dev_info] map[Kind:function Name:hci_get_dev_list] map[Kind:function Name:hci_get_drvdata] map[Kind:function Name:hci_get_irk] map[Kind:function Name:hci_get_next_instance] map[Kind:function Name:hci_get_priv] map[Kind:function Name:hci_get_route] map[Kind:function Name:hci_init_sysfs] map[Kind:function Name:hci_inquiry] map[Kind:function Name:hci_inquiry_cache_flush] map[Kind:function Name:hci_inquiry_cache_lookup] map[Kind:function Name:hci_inquiry_cache_lookup_resolve] map[Kind:function Name:hci_inquiry_cache_lookup_unknown] map[Kind:function Name:hci_inquiry_cache_update] map[Kind:function Name:hci_inquiry_cache_update_resolve] map[Kind:function Name:hci_is_adv_monitoring] map[Kind:function Name:hci_is_blocked_key] map[Kind:function Name:hci_is_identity_address] map[Kind:function Name:hci_is_le_conn_scanning] map[Kind:function Name:hci_iso_count] map[Kind:function Name:hci_iso_setup_path] map[Kind:function Name:hci_key_change_cfm] map[Kind:function Name:hci_le_conn_update] map[Kind:function Name:hci_le_create_cis_pending] map[Kind:function Name:hci_le_start_enc] map[Kind:function Name:hci_link_keys_clear] map[Kind:function Name:hci_lookup_le_connect] map[Kind:function Name:hci_mgmt_chan_register] map[Kind:function Name:hci_mgmt_chan_unregister] map[Kind:function Name:hci_pa_create_sync] map[Kind:function Name:hci_past_bis] map[Kind:function Name:hci_pend_le_action_lookup] map[Kind:function Name:hci_pend_le_list_add] map[Kind:function Name:hci_pend_le_list_del_init] map[Kind:function Name:hci_proto_connect_ind] map[Kind:function Name:hci_proto_disconn_ind] map[Kind:function Name:hci_recv_diag] map[Kind:function Name:hci_recv_event_data] map[Kind:function Name:hci_recv_frame] map[Kind:function Name:hci_register_cb] map[Kind:function Name:hci_register_dev] map[Kind:function Name:hci_register_suspend_notifier] map[Kind:function Name:hci_release_dev] map[Kind:function Name:hci_remote_oob_data_clear] map[Kind:function Name:hci_remove_adv_instance] map[Kind:function Name:hci_remove_all_adv_monitor] map[Kind:function Name:hci_remove_irk] map[Kind:function Name:hci_remove_link_key] map[Kind:function Name:hci_remove_ltk] map[Kind:function Name:hci_remove_remote_oob_data] map[Kind:function Name:hci_remove_single_adv_monitor] map[Kind:function Name:hci_reset_dev] map[Kind:function Name:hci_resume_dev] map[Kind:function Name:hci_role_switch_cfm] map[Kind:function Name:hci_sco_setup] map[Kind:function Name:hci_send_acl] map[Kind:function Name:hci_send_cmd] map[Kind:function Name:hci_send_iso] map[Kind:function Name:hci_send_monitor_ctrl_event] map[Kind:function Name:hci_send_sco] map[Kind:function Name:hci_send_to_channel] map[Kind:function Name:hci_send_to_monitor] map[Kind:function Name:hci_send_to_sock] map[Kind:function Name:hci_sent_cmd_data] map[Kind:function Name:hci_set_adv_instance_data] map[Kind:function Name:hci_set_aosp_capable] map[Kind:function Name:hci_set_drvdata] map[Kind:function Name:hci_set_fw_info] map[Kind:function Name:hci_set_hw_info] map[Kind:function Name:hci_set_msft_opcode] map[Kind:function Name:hci_setup_sync] map[Kind:function Name:hci_setup_tx_timestamp] map[Kind:function Name:hci_smp_irks_clear] map[Kind:function Name:hci_smp_ltks_clear] map[Kind:function Name:hci_sock_dev_event] map[Kind:function Name:hci_sockcm_init] map[Kind:function Name:hci_suspend_dev] map[Kind:function Name:hci_unregister_cb] map[Kind:function Name:hci_unregister_dev] map[Kind:function Name:hci_unregister_suspend_notifier] map[Kind:function Name:hci_uuids_clear] map[Kind:function Name:inquiry_cache_age] map[Kind:function Name:inquiry_cache_empty] map[Kind:function Name:inquiry_entry_age] map[Kind:function Name:iso_connect_ind] map[Kind:function Name:iso_recv] map[Kind:function Name:l2cap_connect_ind] map[Kind:function Name:l2cap_disconn_ind] map[Kind:function Name:l2cap_recv_acldata] map[Kind:function Name:mgmt_adv_monitor_device_lost] map[Kind:function Name:mgmt_advertising_added] map[Kind:function Name:mgmt_advertising_removed] map[Kind:function Name:mgmt_auth_enable_complete] map[Kind:function Name:mgmt_auth_failed] map[Kind:function Name:mgmt_connect_failed] map[Kind:function Name:mgmt_device_connected] map[Kind:function Name:mgmt_device_disconnected] map[Kind:function Name:mgmt_device_found] map[Kind:function Name:mgmt_disconnect_failed] map[Kind:function Name:mgmt_discovering] map[Kind:function Name:mgmt_fill_version_info] map[Kind:function Name:mgmt_get_adv_discov_flags] map[Kind:function Name:mgmt_get_connectable] map[Kind:function Name:mgmt_index_added] map[Kind:function Name:mgmt_index_removed] map[Kind:function Name:mgmt_new_conn_param] map[Kind:function Name:mgmt_new_csrk] map[Kind:function Name:mgmt_new_irk] map[Kind:function Name:mgmt_new_link_key] map[Kind:function Name:mgmt_new_ltk] map[Kind:function Name:mgmt_new_settings] map[Kind:function Name:mgmt_phy_configuration_changed] map[Kind:function Name:mgmt_pin_code_neg_reply_complete] map[Kind:function Name:mgmt_pin_code_reply_complete] map[Kind:function Name:mgmt_pin_code_request] map[Kind:function Name:mgmt_power_on] map[Kind:function Name:mgmt_powering_down] map[Kind:function Name:mgmt_remote_name] map[Kind:function Name:mgmt_resuming] map[Kind:function Name:mgmt_set_class_of_dev_complete] map[Kind:function Name:mgmt_set_local_name_complete] map[Kind:function Name:mgmt_set_powered_failed] map[Kind:function Name:mgmt_smp_complete] map[Kind:function Name:mgmt_suspending] map[Kind:function Name:mgmt_user_confirm_neg_reply_complete] map[Kind:function Name:mgmt_user_confirm_reply_complete] map[Kind:function Name:mgmt_user_confirm_request] map[Kind:function Name:mgmt_user_passkey_neg_reply_complete] map[Kind:function Name:mgmt_user_passkey_notify] map[Kind:function Name:mgmt_user_passkey_reply_complete] map[Kind:function Name:mgmt_user_passkey_request] map[Kind:function Name:sco_connect_ind] map[Kind:function Name:sco_recv_scodata]] Missing:false] |
| 69/2 | 2026/01/15 01:35 | llm | expert |
0mModel:unknown Thoughts: **Addressing a Potential Data Race in the Synchronization Logic** Okay, so I'm looking at this code and I'm immediately thinking, "Let's assume `req_status` is just a simple `u8` or `u32`, nothing fancy like a volatile variable." Now, based on my understanding of how this synchronization is supposed to work, here's the problem. It looks like `hdev->req_status` is the key to syncing the thread waiting for a command to complete with the logic that signals completion or handles cancellation. The waiter's holding a lock (`req_lock`), but the completion or cancellation code doesn't and can't, to avoid deadlocks. This is where things start to get dicey. The updates to `req_status`, `req_result`, and `req_rsp` – they're not protected by the same lock on both sides. And I don't see any explicit ordering guarantees, like `smp_store_release`. That’s where the trouble could be; the waiter might see that `req_status` changed, but not have the new `req_result` or `req_rsp` yet. That opens the door to returning the wrong error codes, or even saying a command was successful when it got cancelled or failed. Sounds like a data race to me, and not a harmless one. Hold on, let me quickly re-read that report. Okay, Task 5534 is the reader, Task 44 is the writer. Task 44 changed `req_status` from 1 to 2. That's *exactly* what happens in `hci_cmd_sync_cancel_sync`. So if the reader sees that change *before* it's supposed to, the wait logic breaks. If it sees the `req_status` changed before `req_result` is updated, we have a bug. Alright, I'm ready to explain the issue and possible solutions. |
| 70/2 | 2026/01/15 01:36 | tool | set-results |
0mModel:unknown Args: map[Benign:false Confident:true] Results: map[Benign:false Confident:true] |
| 71/2 | 2026/01/15 01:36 | llm | expert |
0mModel:unknown Thoughts: **Data Race Analysis: HCI Command Synchronization** Okay, so the user wants me to dive into whether this data race is a problem, and the answer, based on my analysis, is a definite "yes." Here's how I'm breaking it down: First off, we've got a classic reader-writer situation with a shared variable, `hdev->req_status`, being the focal point. `__hci_cmd_sync_sk` is acting as the reader, and `hci_cmd_sync_cancel_sync` (and `hci_cmd_sync_complete`) is the writer. The core issue, as I see it, stems from the intentional design choice to *avoid* a deadlock by *not* holding the `hdev->req_lock` during the write operations. That's fine, but this introduces the possibility of unsynchronized access to `hdev->req_status`, which signals the completion of these requests. `__hci_cmd_sync_sk` holds the `req_lock` and patiently waits for `hdev->req_status` to transition out of `HCI_REQ_PEND` before continuing using `wait_event_interruptible_timeout`. This reader is essentially expecting the status change to signal that the other relevant data, like `hdev->req_result` and `hdev->req_rsp`, is now valid and ready to be used. The problem lies in the *absence* of memory barriers. Without a `smp_store_release` on the writer side (for example) and a corresponding `smp_load_acquire` on the reader side, we can easily run into a situation where the reader observes the updated `hdev->req_status` but *not* the subsequently updated `req_result` and/or `req_rsp`. This is where it gets dangerous. Think about `hci_cmd_sync_cancel_sync`. `hdev->req_result` is updated *just before* `hdev->req_status` is modified. Without proper memory ordering, the reader could see `hdev->req_status` as `HCI_REQ_CANCELED`, but still find `hdev->req_result` as whatever stale value it had before. This means the code might incorrectly think the command succeeded or it'll return a wrong error code to the caller. Similarly, in `hci_cmd_sync_complete`, the `hdev->req_rsp` field is updated *after* `hdev->req_status`. A similar ordering problem could occur where the reader sees `HCI_REQ_DONE` but finds the response pointer `NULL`, potentially leading to a misleading `-ENODATA` error. Essentially, by allowing this unsynchronized access to `hdev->req_status`, the code introduces a harmful data race. The lack of memory barriers means the reader might observe inconsistent states, potentially leading to incorrect behavior, memory corruption, and subtle bugs. |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|