[PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition
@ 2026-02-08  8:15 Maiquel Paiva
  2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva

This series fixes two vulnerabilities found in net/bluetooth/mgmt_util.c related to mesh handling.

Patch 1 addresses a heap buffer overflow in mgmt_mesh_add by validating the user-provided length.
Patch 2 resolves race conditions in mgmt_mesh_add and mgmt_mesh_find by protecting the list operations.

Changes in v4:
- Replaced guard(mutex) with guard(spinlock) using hdev->lock in Patch 2.
- This fixes the "sleeping function called from invalid context" and circular locking warnings reported by the CI robot in v3.

Changes in v3:
- Added Fixes and Cc: stable tags as requested by maintainers.
- No code changes from v2.

Maiquel Paiva (2):
  Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
  Bluetooth: mgmt: Fix race conditions in mesh handling

 net/bluetooth/mgmt_util.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.43.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
  2026-02-08  8:15 [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition Maiquel Paiva
@ 2026-02-08  8:15 ` Maiquel Paiva
  2026-02-08  8:43   ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-09 20:00 ` [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition patchwork-bot+bluetooth
  2 siblings, 1 reply; 8+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Add a check for the user-provided length in mgmt_mesh_add() against
the size of the param buffer. This prevents a heap buffer overflow
if the user provides a length larger than the destination buffer.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..bdce52363332 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -413,6 +413,9 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+			return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* RE: Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
@ 2026-02-08  8:43   ` bluez.test.bot
  0 siblings, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2026-02-08  8:43 UTC (permalink / raw)
  To: linux-bluetooth, maiquelpaiva

[-- Attachment #1: Type: text/plain, Size: 40968 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1051967

---Test result---

Test Summary:
CheckPatch                    PENDING   0.50 seconds
GitLint                       PENDING   0.29 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   FAIL      22.82 seconds
CheckAllWarning               FAIL      25.31 seconds
CheckSparse                   FAIL      27.49 seconds
BuildKernel32                 FAIL      22.06 seconds
TestRunnerSetup               FAIL      531.86 seconds
TestRunner_l2cap-tester       FAIL      0.08 seconds
TestRunner_iso-tester         FAIL      0.08 seconds
TestRunner_bnep-tester        FAIL      0.08 seconds
TestRunner_mgmt-tester        FAIL      0.08 seconds
TestRunner_rfcomm-tester      FAIL      0.08 seconds
TestRunner_sco-tester         FAIL      0.08 seconds
TestRunner_ioctl-tester       FAIL      0.08 seconds
TestRunner_mesh-tester        FAIL      0.08 seconds
TestRunner_smp-tester         FAIL      0.08 seconds
TestRunner_userchan-tester    FAIL      0.08 seconds
IncrementalBuild              PENDING   0.64 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: BuildKernel - FAIL
Desc: Build Kernel for Bluetooth
Output:

net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: CheckAllWarning - FAIL
Desc: Run linux kernel with all warning enabled
Output:

net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: CheckSparse - FAIL
Desc: Run sparse tool with linux kernel
Output:

drivers/bluetooth/hci_vhci.c:717:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:718:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:720:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:721:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:722:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:723:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:723:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:724:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:725:1: error: bad constant expression
net/bluetooth/bnep/core.c:759:1: error: bad constant expression
net/bluetooth/bnep/core.c:760:1: error: bad constant expression
net/bluetooth/bnep/core.c:762:1: error: bad constant expression
net/bluetooth/bnep/core.c:763:1: error: bad constant expression
net/bluetooth/bnep/core.c:765:1: error: bad constant expression
net/bluetooth/bnep/core.c:766:1: error: bad constant expression
net/bluetooth/bnep/core.c:767:1: error: bad constant expression
net/bluetooth/bnep/core.c:768:1: error: bad constant expression
net/bluetooth/bnep/core.c:768:1: error: bad constant expression
net/bluetooth/bnep/core.c:769:1: error: bad constant expression
net/bluetooth/hidp/core.c:1474:1: error: bad constant expression
net/bluetooth/hidp/core.c:1475:1: error: bad constant expression
net/bluetooth/hidp/core.c:1476:1: error: bad constant expression
net/bluetooth/hidp/core.c:1477:1: error: bad constant expression
net/bluetooth/hidp/core.c:1478:1: error: bad constant expression
net/bluetooth/hidp/core.c:1478:1: error: bad constant expression
net/bluetooth/hidp/core.c:1479:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2273:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2274:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2276:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2277:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2279:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2280:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2282:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2283:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2284:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2285:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2285:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2286:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:932:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:933:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:934:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:935:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:935:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:936:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:972:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:973:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:974:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:975:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:975:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:976:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:783:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:784:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:786:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:787:1: error: bad constant expression
net/bluetooth/hci_core.c:85:9: warning: context imbalance in '__hci_dev_get' - different lock contexts for basic block
net/bluetooth/hci_core.c: note: in included file (through include/linux/notifier.h, include/linux/memory_hotplug.h, include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, include/linux/radix-tree.h, ...):
./include/linux/srcu.h:463:9: warning: context imbalance in 'hci_dev_put_srcu' - unexpected unlock
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
./include/net/bluetooth/hci.h:2922:47: warning: array of flexible structures
./include/net/bluetooth/hci.h:3008:43: warning: array of flexible structures
drivers/bluetooth/hci_bcm.c:167:1: error: bad constant expression
drivers/bluetooth/hci_bcm.c:168:1: error: bad constant expression
drivers/bluetooth/hci_ag6xx.c:257:24: warning: restricted __le32 degrades to integer
drivers/bluetooth/hci_mrvl.c:170:23: warning: restricted __le16 degrades to integer
drivers/bluetooth/hci_mrvl.c:203:23: warning: restricted __le16 degrades to integer
net/bluetooth/l2cap_core.c:7735:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7736:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7738:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7739:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:261:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:262:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:263:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:264:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:264:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:265:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:266:1: error: bad constant expression
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
drivers/bluetooth/bpa10x.c:444:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:445:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:446:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:447:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:447:1: error: bad constant expression
drivers/bluetooth/bfusb.c:720:1: error: bad constant expression
drivers/bluetooth/bfusb.c:721:1: error: bad constant expression
drivers/bluetooth/bfusb.c:722:1: error: bad constant expression
drivers/bluetooth/bfusb.c:723:1: error: bad constant expression
drivers/bluetooth/bfusb.c:723:1: error: bad constant expression
drivers/bluetooth/bfusb.c:724:1: error: bad constant expression
drivers/bluetooth/btsdio.c:372:1: error: bad constant expression
drivers/bluetooth/btsdio.c:373:1: error: bad constant expression
drivers/bluetooth/btsdio.c:374:1: error: bad constant expression
drivers/bluetooth/btsdio.c:375:1: error: bad constant expression
drivers/bluetooth/btsdio.c:375:1: error: bad constant expression
drivers/bluetooth/ath3k.c:533:1: error: bad constant expression
drivers/bluetooth/ath3k.c:534:1: error: bad constant expression
drivers/bluetooth/ath3k.c:535:1: error: bad constant expression
drivers/bluetooth/ath3k.c:536:1: error: bad constant expression
drivers/bluetooth/ath3k.c:536:1: error: bad constant expression
drivers/bluetooth/ath3k.c:537:1: error: bad constant expression
drivers/bluetooth/btusb.c:4659:1: error: bad constant expression
drivers/bluetooth/btusb.c:4660:1: error: bad constant expression
drivers/bluetooth/btusb.c:4662:1: error: bad constant expression
drivers/bluetooth/btusb.c:4663:1: error: bad constant expression
drivers/bluetooth/btusb.c:4665:1: error: bad constant expression
drivers/bluetooth/btusb.c:4666:1: error: bad constant expression
drivers/bluetooth/btusb.c:4668:1: error: bad constant expression
drivers/bluetooth/btusb.c:4669:1: error: bad constant expression
drivers/bluetooth/btusb.c:4671:1: error: bad constant expression
drivers/bluetooth/btusb.c:4672:1: error: bad constant expression
drivers/bluetooth/btusb.c:4673:1: error: bad constant expression
drivers/bluetooth/btusb.c:4674:1: error: bad constant expression
drivers/bluetooth/btusb.c:4674:1: error: bad constant expression
drivers/bluetooth/btintel.c:3792:1: error: bad constant expression
drivers/bluetooth/btintel.c:3793:1: error: bad constant expression
drivers/bluetooth/btintel.c:3794:1: error: bad constant expression
drivers/bluetooth/btintel.c:3795:1: error: bad constant expression
drivers/bluetooth/btintel.c:3795:1: error: bad constant expression
drivers/bluetooth/btintel.c:3796:1: error: bad constant expression
drivers/bluetooth/btintel.c:3797:1: error: bad constant expression
drivers/bluetooth/btintel.c:3798:1: error: bad constant expression
drivers/bluetooth/btintel.c:3799:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:782:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:783:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:784:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:785:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:785:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1769:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1770:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1771:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1772:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1772:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1773:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1774:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1775:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1776:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1777:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1778:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1779:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1780:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1781:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1556:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1557:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1559:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1560:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1561:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1562:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1562:1: error: bad constant expression
drivers/bluetooth/btbcm.c:780:1: error: bad constant expression
drivers/bluetooth/btbcm.c:781:1: error: bad constant expression
drivers/bluetooth/btbcm.c:782:1: error: bad constant expression
drivers/bluetooth/btbcm.c:783:1: error: bad constant expression
drivers/bluetooth/btbcm.c:783:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:994:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:995:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:996:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:997:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:997:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1514:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1515:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1516:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1517:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1517:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1518:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1519:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1520:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1521:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1522:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1523:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1524:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1525:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1526:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1527:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1528:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1529:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1530:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1531:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1532:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1533:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1534:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1535:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1536:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1537:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1538:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1539:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1540:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1541:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1542:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1543:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1544:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1545:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1546:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1547:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1548:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1549:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1550:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1551:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1552:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1553:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1554:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1555:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1556:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1557:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1558:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1559:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1560:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1561:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1562:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1563:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1564:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1565:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1566:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1567:1: error: bad constant expression
drivers/bluetooth/btqca.c:1042:1: error: bad constant expression
drivers/bluetooth/btqca.c:1043:1: error: bad constant expression
drivers/bluetooth/btqca.c:1044:1: error: bad constant expression
drivers/bluetooth/btqca.c:1044:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:803:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:804:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:805:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:806:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:806:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1489:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1490:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1491:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1492:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1493:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1493:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1494:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1495:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1496:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1497:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1498:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1499:1: error: bad constant expression
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: BuildKernel32 - FAIL
Desc: Build 32bit Kernel for Bluetooth
Output:

net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/string.h:7,
                 from ./arch/x86/include/asm/page_32.h:18,
                 from ./arch/x86/include/asm/page.h:14,
                 from ./arch/x86/include/asm/processor.h:20,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/string.h:7,
                 from ./arch/x86/include/asm/page_32.h:18,
                 from ./arch/x86/include/asm/page.h:14,
                 from ./arch/x86/include/asm/processor.h:20,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: TestRunnerSetup - FAIL
Desc: Setup kernel and bluez for test-runner
Output:
Kernel: 
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_bnep-tester - FAIL
Desc: Run bnep-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_rfcomm-tester - FAIL
Desc: Run rfcomm-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_ioctl-tester - FAIL
Desc: Run ioctl-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_smp-tester - FAIL
Desc: Run smp-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_userchan-tester - FAIL
Desc: Run userchan-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition Maiquel Paiva
  2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
@ 2026-02-08  8:15 ` Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
                     ` (2 more replies)
  2026-02-09 20:00 ` [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition patchwork-bot+bluetooth
  2 siblings, 3 replies; 8+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

The functions mgmt_mesh_add and mgmt_mesh_find modify or traverse the
mesh_pending list without locking, leading to potential race conditions
and list corruption.

Use guard(spinlock) with hdev->lock to protect the critical sections.
This ensures atomic access to the list and reference counter, preventing
race conditions and avoiding sleeping in atomic context (which fixes CI
failures).

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index bdce52363332..af9194e44943 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
-	if (list_empty(&hdev->mesh_pending))
-		return NULL;
+	guard(spinlock)(&hdev->lock);
 
 	list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
 		if (mesh_tx->handle == handle)
@@ -420,6 +419,8 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 	if (!mesh_tx)
 		return NULL;
 
+	guard(spinlock)(&hdev->lock);
+
 	hdev->mesh_send_ref++;
 	if (!hdev->mesh_send_ref)
 		hdev->mesh_send_ref++;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
@ 2026-02-08 12:57   ` kernel test robot
  2026-02-08 12:57   ` kernel test robot
  2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 8+ messages in thread
From: kernel test robot @ 2026-02-08 12:57 UTC (permalink / raw)
  To: Maiquel Paiva, linux-bluetooth
  Cc: oe-kbuild-all, luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Hi Maiquel,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maiquel-Paiva/Bluetooth-mgmt-Fix-heap-overflow-in-mgmt_mesh_add/20260208-161842
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20260208081559.44983-3-maiquelpaiva%40gmail.com
patch subject: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
config: sparc-randconfig-002-20260208 (https://download.01.org/0day-ci/archive/20260208/202602082014.LJf0O75Y-lkp@intel.com/config)
compiler: sparc-linux-gcc (GCC) 11.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260208/202602082014.LJf0O75Y-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602082014.LJf0O75Y-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/bluetooth/mgmt_util.c: In function 'mgmt_mesh_find':
>> net/bluetooth/mgmt_util.c:400:25: error: passing argument 1 of 'class_spinlock_constructor' from incompatible pointer type [-Werror=incompatible-pointer-types]
     400 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
         |                         |
         |                         struct mutex *
   In file included from include/linux/irqflags.h:17,
                    from include/asm-generic/cmpxchg-local.h:6,
                    from arch/sparc/include/asm/cmpxchg_32.h:67,
                    from arch/sparc/include/asm/cmpxchg.h:7,
                    from arch/sparc/include/asm/atomic_32.h:17,
                    from arch/sparc/include/asm/atomic.h:7,
                    from include/linux/atomic.h:7,
                    from include/asm-generic/bitops/lock.h:5,
                    from arch/sparc/include/asm/bitops_32.h:102,
                    from arch/sparc/include/asm/bitops.h:7,
                    from include/linux/bitops.h:67,
                    from include/linux/log2.h:12,
                    from include/asm-generic/div64.h:55,
                    from ./arch/sparc/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/jiffies.h:7,
                    from include/linux/ktime.h:25,
                    from include/linux/poll.h:7,
                    from include/net/bluetooth/bluetooth.h:29,
                    from net/bluetooth/mgmt_util.c:26:
   include/linux/cleanup.h:490:77: note: expected 'spinlock_t *' {aka 'struct spinlock *'} but argument is of type 'struct mutex *'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
   include/linux/cleanup.h:509:1: note: in expansion of macro '__DEFINE_LOCK_GUARD_1'
     509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
         | ^~~~~~~~~~~~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: in expansion of macro 'DEFINE_LOCK_GUARD_1'
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^~~~~~~~~~~~~~~~~~~
   net/bluetooth/mgmt_util.c: In function 'mgmt_mesh_add':
   net/bluetooth/mgmt_util.c:422:25: error: passing argument 1 of 'class_spinlock_constructor' from incompatible pointer type [-Werror=incompatible-pointer-types]
     422 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
         |                         |
         |                         struct mutex *
   In file included from include/linux/irqflags.h:17,
                    from include/asm-generic/cmpxchg-local.h:6,
                    from arch/sparc/include/asm/cmpxchg_32.h:67,
                    from arch/sparc/include/asm/cmpxchg.h:7,
                    from arch/sparc/include/asm/atomic_32.h:17,
                    from arch/sparc/include/asm/atomic.h:7,
                    from include/linux/atomic.h:7,
                    from include/asm-generic/bitops/lock.h:5,
                    from arch/sparc/include/asm/bitops_32.h:102,
                    from arch/sparc/include/asm/bitops.h:7,
                    from include/linux/bitops.h:67,
                    from include/linux/log2.h:12,
                    from include/asm-generic/div64.h:55,
                    from ./arch/sparc/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/jiffies.h:7,
                    from include/linux/ktime.h:25,
                    from include/linux/poll.h:7,
                    from include/net/bluetooth/bluetooth.h:29,
                    from net/bluetooth/mgmt_util.c:26:
   include/linux/cleanup.h:490:77: note: expected 'spinlock_t *' {aka 'struct spinlock *'} but argument is of type 'struct mutex *'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
   include/linux/cleanup.h:509:1: note: in expansion of macro '__DEFINE_LOCK_GUARD_1'
     509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
         | ^~~~~~~~~~~~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: in expansion of macro 'DEFINE_LOCK_GUARD_1'
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^~~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors


vim +/class_spinlock_constructor +400 net/bluetooth/mgmt_util.c

   395	
   396	struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
   397	{
   398		struct mgmt_mesh_tx *mesh_tx;
   399	
 > 400		guard(spinlock)(&hdev->lock);
   401	
   402		list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
   403			if (mesh_tx->handle == handle)
   404				return mesh_tx;
   405		}
   406	
   407		return NULL;
   408	}
   409	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
@ 2026-02-08 12:57   ` kernel test robot
  2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 8+ messages in thread
From: kernel test robot @ 2026-02-08 12:57 UTC (permalink / raw)
  To: Maiquel Paiva, linux-bluetooth
  Cc: oe-kbuild-all, luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Hi Maiquel,

kernel test robot noticed the following build errors:

[auto build test ERROR on bluetooth/master]
[also build test ERROR on bluetooth-next/master linus/master v6.19-rc8 next-20260205]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Maiquel-Paiva/Bluetooth-mgmt-Fix-heap-overflow-in-mgmt_mesh_add/20260208-161842
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link:    https://lore.kernel.org/r/20260208081559.44983-3-maiquelpaiva%40gmail.com
patch subject: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
config: i386-randconfig-r071-20260208 (https://download.01.org/0day-ci/archive/20260208/202602082055.pF9xO7lP-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch version: v0.5.0-8994-gd50c5a4c
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260208/202602082055.pF9xO7lP-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602082055.pF9xO7lP-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/bluetooth/mgmt_util.c:400:18: error: incompatible pointer types passing 'struct mutex *' to parameter of type 'spinlock_t *' (aka 'struct spinlock *') [-Werror,-Wincompatible-pointer-types]
     400 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: passing argument to parameter 'l' here
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^
   include/linux/cleanup.h:508:60: note: expanded from macro 'DEFINE_LOCK_GUARD_1'
     508 | __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__)               \
         |                                                                         ^
   include/linux/cleanup.h:490:77: note: expanded from macro '\
   __DEFINE_LOCK_GUARD_1'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
         |                                                                             ^
   net/bluetooth/mgmt_util.c:422:18: error: incompatible pointer types passing 'struct mutex *' to parameter of type 'spinlock_t *' (aka 'struct spinlock *') [-Werror,-Wincompatible-pointer-types]
     422 |         guard(spinlock)(&hdev->lock);
         |                         ^~~~~~~~~~~
   include/linux/spinlock.h:565:1: note: passing argument to parameter 'l' here
     565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
         | ^
   include/linux/cleanup.h:508:60: note: expanded from macro 'DEFINE_LOCK_GUARD_1'
     508 | __DEFINE_UNLOCK_GUARD(_name, _type, _unlock, __VA_ARGS__)               \
         |                                                                         ^
   include/linux/cleanup.h:490:77: note: expanded from macro '\
   __DEFINE_LOCK_GUARD_1'
     490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
         |                                                                             ^
   2 errors generated.


vim +400 net/bluetooth/mgmt_util.c

   395	
   396	struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
   397	{
   398		struct mgmt_mesh_tx *mesh_tx;
   399	
 > 400		guard(spinlock)(&hdev->lock);
   401	
   402		list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
   403			if (mesh_tx->handle == handle)
   404				return mesh_tx;
   405		}
   406	
   407		return NULL;
   408	}
   409	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
  2026-02-08 12:57   ` kernel test robot
  2026-02-08 12:57   ` kernel test robot
@ 2026-02-09 19:44   ` Luiz Augusto von Dentz
  2 siblings, 0 replies; 8+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-09 19:44 UTC (permalink / raw)
  To: Maiquel Paiva; +Cc: linux-bluetooth, gregkh, marcel, stable

Hi Maiquel,

On Sun, Feb 8, 2026 at 3:17 AM Maiquel Paiva <maiquelpaiva@gmail.com> wrote:
>
> The functions mgmt_mesh_add and mgmt_mesh_find modify or traverse the
> mesh_pending list without locking, leading to potential race conditions
> and list corruption.
>
> Use guard(spinlock) with hdev->lock to protect the critical sections.
> This ensures atomic access to the list and reference counter, preventing
> race conditions and avoiding sleeping in atomic context (which fixes CI
> failures).
>
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Cc: stable@vger.kernel.org
> Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
> ---
>  net/bluetooth/mgmt_util.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
> index bdce52363332..af9194e44943 100644
> --- a/net/bluetooth/mgmt_util.c
> +++ b/net/bluetooth/mgmt_util.c
> @@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
>  {
>         struct mgmt_mesh_tx *mesh_tx;
>
> -       if (list_empty(&hdev->mesh_pending))
> -               return NULL;
> +       guard(spinlock)(&hdev->lock);

Not sure why you switched to use hdev->lock and not mgmt_pending_lock?
And that is a mutex still, not a spinlock.

>
>         list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
>                 if (mesh_tx->handle == handle)
> @@ -420,6 +419,8 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
>         if (!mesh_tx)
>                 return NULL;
>
> +       guard(spinlock)(&hdev->lock);
> +
>         hdev->mesh_send_ref++;
>         if (!hdev->mesh_send_ref)
>                 hdev->mesh_send_ref++;
> --
> 2.43.0
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-08  8:15 [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition Maiquel Paiva
  2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
  2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
@ 2026-02-09 20:00 ` patchwork-bot+bluetooth
  2 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+bluetooth @ 2026-02-09 20:00 UTC (permalink / raw)
  To: Maiquel Paiva; +Cc: linux-bluetooth, luiz.dentz, gregkh, marcel

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun,  8 Feb 2026 08:15:57 +0000 you wrote:
> This series fixes two vulnerabilities found in net/bluetooth/mgmt_util.c related to mesh handling.
> 
> Patch 1 addresses a heap buffer overflow in mgmt_mesh_add by validating the user-provided length.
> Patch 2 resolves race conditions in mgmt_mesh_add and mgmt_mesh_find by protecting the list operations.
> 
> Changes in v4:
> - Replaced guard(mutex) with guard(spinlock) using hdev->lock in Patch 2.
> - This fixes the "sleeping function called from invalid context" and circular locking warnings reported by the CI robot in v3.
> 
> [...]

Here is the summary with links:
  - [v4,1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
    (no matching commit)
  - [v4,2/2] Bluetooth: mgmt: Fix race conditions in mesh handling
    https://git.kernel.org/bluetooth/bluetooth-next/c/567233b63ddb

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2026-02-09 20:00 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-08  8:15 [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition Maiquel Paiva
2026-02-08  8:15 ` [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
2026-02-08  8:43   ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
2026-02-08  8:15 ` [PATCH v4 2/2] Bluetooth: mgmt: Fix race conditions in mesh handling Maiquel Paiva
2026-02-08 12:57   ` kernel test robot
2026-02-08 12:57   ` kernel test robot
2026-02-09 19:44   ` Luiz Augusto von Dentz
2026-02-09 20:00 ` [PATCH v4 0/2] Bluetooth: mgmt: Fix heap overflow and race condition patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox