Skip to content

[PW_SID:1094909] Bluetooth: btintel: Fix insufficient skb length check in btintel_print_fseq_info()#191

Open
BluezTestBot wants to merge 6 commits into
workflowfrom
1094909
Open

[PW_SID:1094909] Bluetooth: btintel: Fix insufficient skb length check in btintel_print_fseq_info()#191
BluezTestBot wants to merge 6 commits into
workflowfrom
1094909

Conversation

@BluezTestBot
Copy link
Copy Markdown

@BluezTestBot BluezTestBot commented May 14, 2026

The length check at the top of btintel_print_fseq_info() verifies
that the skb has at least 66 bytes (sizeof(u32) * 16 + 2), but the
function actually consumes 74 bytes:

2 calls to skb_pull_data(skb, 1) = 2 bytes
18 calls to skb_pull_data(skb, 4) = 72 bytes

When the firmware returns a packet of exactly 66 bytes, the last two
skb_pull_data(skb, 4) calls return NULL, which is then passed directly
to get_unaligned_le32(), resulting in a NULL pointer dereference.

Fix the length check to account for all 74 bytes actually consumed:
sizeof(u32) * 16 + 2 -> sizeof(u32) * 18 + 2

Fixes: a7ba218 ("Bluetooth: btintel: Print Firmware Sequencer information")
Signed-off-by: Quan Sun 2022090917019@std.uestc.edu.cn

drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

tedd-an and others added 6 commits May 13, 2026 17:39
@tedd-an @Vudentz
workflow: Add workflow files for ci
233c3f2 
This patch adds workflow files for ci:

[sync.yml]
 - The workflow file for scheduled work
 - Sync the repo with upstream repo and rebase the workflow branch
 - Review the patches in the patchwork and creates the PR if needed

[ci.yml]
 - The workflow file for CI tasks
 - Run CI tests when PR is created

Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
@Vudentz
workflows: Make use bluez/action-ci action
e8329bd 
This replaces the bzcafe action with bluez/action-ci so we can maintain
everything in the github bluez organization

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/sync: Attempt to sync every 5 minutes
21607fe 
This attempts to sync every 5 minutes instead of 30.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/sync: Set workflow to use worflow branch
cc49aee 
bluez/action-ci uses master as default branch for workflow which is
incorrect for kernel

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@Vudentz
workflow/ci: Add checks:write permission and explicit reopened trigger
b227437 
The CI action now creates individual GitHub Check Runs per test, which
requires 'checks: write' permission on the GITHUB_TOKEN. Also make the
pull_request trigger types explicit to include 'reopened', allowing CI
to be retriggered by closing and reopening a PR.
@enlist12 @Vudentz
Bluetooth: btintel: Fix insufficient skb length check in btintel_prin…
1e3420a 
…t_fseq_info()

The length check at the top of btintel_print_fseq_info() verifies
that the skb has at least 66 bytes (sizeof(u32) * 16 + 2), but the
function actually consumes 74 bytes:

  2 calls to skb_pull_data(skb, 1)  =  2 bytes
  18 calls to skb_pull_data(skb, 4) = 72 bytes

When the firmware returns a packet of exactly 66 bytes, the last two
skb_pull_data(skb, 4) calls return NULL, which is then passed directly
to get_unaligned_le32(), resulting in a NULL pointer dereference.

Fix the length check to account for all 74 bytes actually consumed:
  sizeof(u32) * 16 + 2  ->  sizeof(u32) * 18 + 2

Fixes: a7ba218 ("Bluetooth: btintel: Print Firmware Sequencer information")
Signed-off-by: Quan Sun <2022090917019@std.uestc.edu.cn>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.53 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

GitLint
Desc: Run gitlint
Duration: 0.23 seconds
Result: FAIL
Output:

Bluetooth: btintel: Fix insufficient skb length check in btintel_print_fseq_info()

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
1: T1 Title exceeds max length (82>80): "Bluetooth: btintel: Fix insufficient skb length check in btintel_print_fseq_info()"

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.07 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 24.46 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 27.38 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 26.10 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 24.20 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 539.18 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 23.25 seconds
Result: PASS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area:drivers

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@BluezTestBot @tedd-an @Vudentz @enlist12