Bluetooth: Controller: Fix use-after-release in lll_scan/lll_scan_aux #98024
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a use-after-release bug in the Bluetooth controller's scanning functionality when using deferred execution for offset calculations. The issue occurs when a prepare parameter passed to mayfly_enqueue goes out of scope before the deferred callback executes.
- Adds persistent storage for prepare parameters in the
lll_scanstructure - Copies required values from stack-allocated parameters to the persistent storage before enqueueing
- Updates variable naming for consistency (
retval→ret)
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| subsys/bluetooth/controller/ll_sw/lll_scan.h | Adds prepare_param field to lll_scan struct under CONFIG_BT_CTLR_SCHED_ADVANCED |
| subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan_aux.c | Copies prepare parameters to persistent storage before mayfly enqueue |
| subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c | Copies prepare parameters to persistent storage and fixes variable naming |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
1 task
zephyrbot
requested review from
Tronil,
carlescufi,
erbr-ot,
ppryga,
thoh-ot and
wopu-ot
cvinayak
force-pushed
the
github_use_after_free_fix
branch
from
e3e140c to
2fe4c21
Compare
carlescufi
previously approved these changes
Oct 23, 2025
Fix use-after-release in lll_scan/lll_scan_aux when using mayfly_enqueue to defer execution of the offset calculation using ull_sched_mfy_after_cen_offset_get(). Apply suggestion from @Copilot Signed-off-by: Vinayak Kariappa Chettimada <[email protected]>
cvinayak
force-pushed
the
github_use_after_free_fix
branch
from
2fe4c21 to
f0a222a
Compare
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix use-after-release in lll_scan/lll_scan_aux when using mayfly_enqueue to defer execution of the offset calculation using ull_sched_mfy_after_cen_offset_get().
Fixes #97967.