From: kernel test robot <lkp@intel.com>
To: Tristan Madani <tristmd@gmail.com>, linux-bluetooth@vger.kernel.org
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
luiz.dentz@gmail.com, marcel@holtmann.org, sven@svenpeter.dev,
marcan@marcan.st, asahi@lists.linux.dev, stable@vger.kernel.org
Subject: Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
Date: Tue, 21 Apr 2026 22:36:24 +0800
Message-ID: <202604212248.Sek1Tdfg-lkp@intel.com>
In-Reply-To: <20260417104639.2608008-1-tristmd@gmail.com>

Hi Tristan,

kernel test robot noticed the following build warnings:

[auto build test WARNING on bluetooth/master]
[also build test WARNING on bluetooth-next/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Tristan-Madani/Bluetooth-hci_bcm4377-validate-firmware-event-length-in-completion-ring/20260420-161359
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link: https://lore.kernel.org/r/20260417104639.2608008-1-tristmd%40gmail.com
patch subject: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
config: um-allmodconfig (https://download.01.org/0day-ci/archive/20260421/202604212248.Sek1Tdfg-lkp@intel.com/config)
compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260421/202604212248.Sek1Tdfg-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604212248.Sek1Tdfg-lkp@intel.com/

All warnings (new ones prefixed by >>):

In file included from drivers/bluetooth/hci_bcm4377.c:11:
In file included from include/linux/dma-mapping.h:8:
In file included from include/linux/scatterlist.h:9:
In file included from arch/um/include/asm/io.h:24:
include/asm-generic/io.h:1209:55: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
1209 | return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port;
| ~~~~~~~~~~ ^
>> drivers/bluetooth/hci_bcm4377.c:761:15: warning: format specifies type 'size_t' (aka 'unsigned long') but the argument has type 'u16' (aka 'unsigned short') [-Wformat]
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ~~~
| %hu
761 | data_len, ring->payload_size, ring->ring_id);
| ^~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:156:70: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ~~~ ^~~~~~~~~~~
2 warnings generated.
vim +761 drivers/bluetooth/hci_bcm4377.c
  734
  735	static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
  736					      struct bcm4377_completion_ring *ring,
  737					      u16 pos)
  738	{
  739		struct bcm4377_completion_ring_entry *entry;
  740		u16 msg_id, transfer_ring;
  741		size_t entry_size, data_len;
  742		void *data;
  743
  744		if (pos >= ring->n_entries) {
  745			dev_warn(&bcm4377->pdev->dev,
  746				 "invalid offset %d for completion ring %d\n", pos,
  747				 ring->ring_id);
  748			return;
  749		}
  750
  751		entry_size = sizeof(*entry) + ring->payload_size;
  752		entry = ring->ring + pos * entry_size;
  753		data = ring->ring + pos * entry_size + sizeof(*entry);
  754		data_len = le32_to_cpu(entry->len);
  755		msg_id = le16_to_cpu(entry->msg_id);
  756		transfer_ring = le16_to_cpu(entry->ring_id);
  757
  758		if (data_len > ring->payload_size) {
  759			dev_warn(&bcm4377->pdev->dev,
  760				 "event data len %zu exceeds payload size %zu for ring %d\n",
> 761				 data_len, ring->payload_size, ring->ring_id);
  762			return;
  763		}
  764
  765		if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
  766			dev_warn(
  767				&bcm4377->pdev->dev,
  768				"invalid entry at offset %d for transfer ring %d in completion ring %d\n",
  769				pos, transfer_ring, ring->ring_id);
  770			return;
  771		}
  772
  773		dev_dbg(&bcm4377->pdev->dev,
  774			"entry in completion ring %d for transfer ring %d with msg_id %d\n",
  775			ring->ring_id, transfer_ring, msg_id);
  776
  777		switch (transfer_ring) {
  778		case BCM4377_XFER_RING_CONTROL:
  779			bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
  780			break;
  781		case BCM4377_XFER_RING_HCI_H2D:
  782			bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
  783			break;
  784		case BCM4377_XFER_RING_SCO_H2D:
  785			bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
  786			break;
  787		case BCM4377_XFER_RING_ACL_H2D:
  788			bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
  789			break;
  790
  791		case BCM4377_XFER_RING_HCI_D2H:
  792			bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
  793					     entry->flags, HCI_EVENT_PKT, data,
  794					     data_len);
  795			break;
  796		case BCM4377_XFER_RING_SCO_D2H:
  797			bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
  798					     entry->flags, HCI_SCODATA_PKT, data,
  799					     data_len);
  800			break;
  801		case BCM4377_XFER_RING_ACL_D2H:
  802			bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
  803					     entry->flags, HCI_ACLDATA_PKT, data,
  804					     data_len);
  805			break;
  806
  807		default:
  808			dev_warn(
  809				&bcm4377->pdev->dev,
  810				"entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
  811				ring->ring_id, transfer_ring, msg_id);
  812		}
  813	}
  814

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki