From 233c3f2ce017fb4a6ea0a4a243c0b984e45ffa1e Mon Sep 17 00:00:00 2001 From: Tedd Ho-Jeong An Date: Wed, 4 Nov 2020 21:09:48 -0800 Subject: [PATCH 1/6] workflow: Add workflow files for ci This patch adds workflow files for ci: [sync.yml] - The workflow file for scheduled work - Sync the repo with upstream repo and rebase the workflow branch - Review the patches in the patchwork and creates the PR if needed [ci.yml] - The workflow file for CI tasks - Run CI tests when PR is created Signed-off-by: Tedd Ho-Jeong An --- .github/workflows/ci.yml | 25 ++++++++++++++++++++++ .github/workflows/sync.yml | 43 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/sync.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000000..3a2c45c37553c --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,25 @@ +name: CI + +on: [pull_request] + +jobs: + ci: + runs-on: ubuntu-latest + name: CI for Pull Request + steps: + - name: Checkout the source code + uses: actions/checkout@v3 + with: + path: src/src + + - name: CI + uses: tedd-an/bzcafe@main + with: + task: ci + base_folder: src + space: kernel + github_token: ${{ secrets.GITHUB_TOKEN }} + email_token: ${{ secrets.EMAIL_TOKEN }} + patchwork_token: ${{ secrets.PATCHWORK_TOKEN }} + patchwork_user: ${{ secrets.PATCHWORK_USER }} + diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml new file mode 100644 index 0000000000000..3883d55a23267 --- /dev/null +++ b/.github/workflows/sync.yml @@ -0,0 +1,43 @@ +name: Sync + +on: + schedule: + - cron: "*/30 * * * *" + +jobs: + sync_repo: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: master + + - name: Sync Repo + uses: tedd-an/bzcafe@main + with: + task: sync + upstream_repo: 'https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git' + github_token: ${{ secrets.GITHUB_TOKEN }} + + - name: Cleanup PR + uses: tedd-an/bzcafe@main + with: + task: cleanup + github_token: ${{ secrets.ACTION_TOKEN }} + + sync_patchwork: + needs: sync_repo + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Sync Patchwork + uses: tedd-an/bzcafe@main + with: + task: patchwork + space: kernel + github_token: ${{ secrets.ACTION_TOKEN }} + email_token: ${{ secrets.EMAIL_TOKEN }} + patchwork_token: ${{ secrets.PATCHWORK_TOKEN }} + patchwork_user: ${{ secrets.PATCHWORK_USER }} + From e8329bdf76f9a99c012ff40a4fa246f2801e25a6 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Thu, 9 Apr 2026 12:57:28 -0400 Subject: [PATCH 2/6] workflows: Make use bluez/action-ci action This replaces the bzcafe action with bluez/action-ci so we can maintain everything in the github bluez organization Signed-off-by: Luiz Augusto von Dentz --- .github/workflows/ci.yml | 2 +- .github/workflows/sync.yml | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a2c45c37553c..58bd27096c3cf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,7 +13,7 @@ jobs: path: src/src - name: CI - uses: tedd-an/bzcafe@main + uses: bluez/action-ci@main with: task: ci base_folder: src diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index 3883d55a23267..6fb956309caa0 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -13,14 +13,14 @@ jobs: ref: master - name: Sync Repo - uses: tedd-an/bzcafe@main + uses: bluez/action-ci@main with: task: sync upstream_repo: 'https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git' github_token: ${{ secrets.GITHUB_TOKEN }} - name: Cleanup PR - uses: tedd-an/bzcafe@main + uses: bluez/action-ci@main with: task: cleanup github_token: ${{ secrets.ACTION_TOKEN }} @@ -32,7 +32,7 @@ jobs: - uses: actions/checkout@v3 - name: Sync Patchwork - uses: tedd-an/bzcafe@main + uses: bluez/action-ci@main with: task: patchwork space: kernel @@ -40,4 +40,3 @@ jobs: email_token: ${{ secrets.EMAIL_TOKEN }} patchwork_token: ${{ secrets.PATCHWORK_TOKEN }} patchwork_user: ${{ secrets.PATCHWORK_USER }} - From 21607feeca15674ffe82e26e09d885719eac6449 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Thu, 9 Apr 2026 13:18:58 -0400 Subject: [PATCH 3/6] workflow/sync: Attempt to sync every 5 minutes This attempts to sync every 5 minutes instead of 30. Signed-off-by: Luiz Augusto von Dentz --- .github/workflows/sync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index 6fb956309caa0..92164bde28cef 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -2,7 +2,7 @@ name: Sync on: schedule: - - cron: "*/30 * * * *" + - cron: "*/5 * * * *" jobs: sync_repo: From cc49aeea99315dc27e2ec23331084d3dfcf529f3 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Thu, 9 Apr 2026 15:21:22 -0400 Subject: [PATCH 4/6] workflow/sync: Set workflow to use worflow branch bluez/action-ci uses master as default branch for workflow which is incorrect for kernel Signed-off-by: Luiz Augusto von Dentz --- .github/workflows/sync.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index 92164bde28cef..5e95af92ab1ab 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -16,6 +16,7 @@ jobs: uses: bluez/action-ci@main with: task: sync + workflow: workflow upstream_repo: 'https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git' github_token: ${{ secrets.GITHUB_TOKEN }} @@ -35,6 +36,7 @@ jobs: uses: bluez/action-ci@main with: task: patchwork + workflow: workflow space: kernel github_token: ${{ secrets.ACTION_TOKEN }} email_token: ${{ secrets.EMAIL_TOKEN }} From b22743727efce194435bb91a3a45cc67cca238bf Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Mon, 13 Apr 2026 16:41:33 -0400 Subject: [PATCH 5/6] workflow/ci: Add checks:write permission and explicit reopened trigger The CI action now creates individual GitHub Check Runs per test, which requires 'checks: write' permission on the GITHUB_TOKEN. Also make the pull_request trigger types explicit to include 'reopened', allowing CI to be retriggered by closing and reopening a PR. --- .github/workflows/ci.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58bd27096c3cf..60d318f805ff1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,6 +1,12 @@ name: CI -on: [pull_request] +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + checks: write + pull-requests: write jobs: ci: From 57dcd067dddbba57f2fb615727bc5d1646c60b78 Mon Sep 17 00:00:00 2001 From: Muhammad Bilal Date: Tue, 19 May 2026 14:48:21 -0400 Subject: [PATCH 6/6] Bluetooth: RFCOMM: add minimum length check in rfcomm_recv_frame rfcomm_recv_frame() casts skb->data to struct rfcomm_hdr * and immediately dereferences hdr->addr and hdr->ctrl without first validating that skb->len is large enough to hold the header. A remote device can send a crafted short RFCOMM frame over L2CAP to trigger an out-of-bounds read before any session state is checked. The FCS trimming code that follows compounds the problem: skb->len--; skb->tail--; If skb->len is already zero the decrement wraps to UINT_MAX, causing skb_tail_pointer() to return a pointer far outside the skb and producing a second out-of-bounds read when the FCS byte is consumed. Replace the open-coded cast with skb_pull_data() which validates skb->len against sizeof(*hdr) and advances skb->data atomically. Save the original skb->data as frame_start before the pull so that __check_fcs() receives the header bytes as required by the RFCOMM FCS specification. Guard against a missing FCS byte with an explicit skb->len < 1 check. Replace the unsafe skb->tail decrement and skb_tail_pointer() call with a direct end-of-data index and skb_trim(). Note: SeungJu Cheon posted a related patch that adds equivalent length checks inside the individual MCC sub-handlers (rfcomm_recv_pn, rfcomm_recv_rpn, rfcomm_recv_rls, rfcomm_recv_msc, rfcomm_recv_mcc). That fix and this one are complementary and independent; neither subsumes the other. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Bilal --- net/bluetooth/rfcomm/core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index d11bd5337d573..e78ce11fa23f7 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -1741,7 +1741,8 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) { - struct rfcomm_hdr *hdr = (void *) skb->data; + struct rfcomm_hdr *hdr; + u8 *frame_start; u8 type, dlci, fcs; if (!s) { @@ -1750,14 +1751,21 @@ static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, return s; } + frame_start = skb->data; + hdr = skb_pull_data(skb, sizeof(*hdr)); + if (!hdr || skb->len < 1) { + kfree_skb(skb); + return s; + } + dlci = __get_dlci(hdr->addr); type = __get_type(hdr->ctrl); /* Trim FCS */ - skb->len--; skb->tail--; - fcs = *(u8 *)skb_tail_pointer(skb); + fcs = skb->data[skb->len - 1]; + skb_trim(skb, skb->len - 1); - if (__check_fcs(skb->data, type, fcs)) { + if (__check_fcs(frame_start, type, fcs)) { BT_ERR("bad checksum in packet"); kfree_skb(skb); return s;