* RE: [v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
2026-04-17 10:46 [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring Tristan Madani
From: bluez.test.bot @ 2026-04-17 12:08 UTC (permalink / raw)
To: linux-bluetooth, tristmd
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1082469
---Test result---
Test Summary:
CheckPatch PASS 0.74 seconds
GitLint PASS 0.34 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 27.35 seconds
CheckAllWarning PASS 29.94 seconds
CheckSparse PASS 29.01 seconds
BuildKernel32 PASS 26.57 seconds
TestRunnerSetup PASS 588.93 seconds
IncrementalBuild PASS 26.60 seconds
https://github.com/bluez/bluetooth-next/pull/99
---
Regards,
Linux Bluetooth
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: Neal Gompa @ 2026-04-17 12:55 UTC (permalink / raw)
To: Tristan Madani
Cc: linux-bluetooth, luiz.dentz, marcel, sven, marcan, asahi, stable
On Fri, Apr 17, 2026 at 6:49 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled entry->len is used as the memcpy size for inline
> payload data without bounds checking when the PAYLOAD_MAPPED flag is not
> set. This causes out-of-bounds reads from the completion ring DMA memory
> for the HCI_D2H and SCO_D2H transfer rings.
>
> Add a length validation against the completion ring payload_size.
>
> Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> drivers/bluetooth/hci_bcm4377.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
> index 925d0a635..5d2f594c2 100644
> --- a/drivers/bluetooth/hci_bcm4377.c
> +++ b/drivers/bluetooth/hci_bcm4377.c
> @@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
> msg_id = le16_to_cpu(entry->msg_id);
> transfer_ring = le16_to_cpu(entry->ring_id);
>
> + if (data_len > ring->payload_size) {
> + dev_warn(&bcm4377->pdev->dev,
> + "event data len %zu exceeds payload size %zu for ring %d\n",
> + data_len, ring->payload_size, ring->ring_id);
> + return;
> + }
> +
> if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
> dev_warn(
> &bcm4377->pdev->dev,
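Review bot: The format string in the new dev_warn() does not match its arguments: '%zu' is used for ring->payload_size, but payload_size is a u16, not a size_t (the kernel test robot reports exactly this -Wformat warning on this line in both the clang and gcc W=1 builds), so the format should be '%u' for that argument, e.g. `"event data len %zu exceeds payload size %u for ring %d\n"`. The check itself, data_len against ring->payload_size right after data_len is read from the firmware-written entry, is the right place to bound the inline memcpy, and rejecting the whole entry with a warning rather than clamping is the safer choice since a bad length means the firmware and driver already disagree about the ring layout.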
> --
> 2.47.3
>
>
Seems sensible enough.
Reviewed-by: Neal Gompa <neal@gompa.dev>
--
真実はいつも一つ!/ Always, there's only one truth!
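As an added illustration (not the driver's code), this host-side C model of the completion-ring entry handling shows the length check the patch adds next to the existing position check, on a constructed two-entry ring; the header layout, field sizes and ring geometry are assumptions for illustration, not the hardware's.

```c
/* Added example, not the driver's code: a host-side model of the entry
 * handling in bcm4377_handle_completion() with the length check the patch
 * adds. Header layout and ring geometry are assumed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct entry_hdr {		/* assumed 12-byte header, len at offset 0 */
	uint32_t len;		/* little-endian, written by firmware */
	uint16_t msg_id, ring_id;
	uint8_t flags, pad[3];
};

struct completion_ring {
	uint8_t *ring;		/* n_entries * (sizeof(hdr) + payload_size) */
	uint16_t n_entries;
	uint16_t payload_size;	/* inline payload area after each header */
};
enum { ENTRY_BAD_POS = -1, ENTRY_BAD_LEN = -2 };

/* Copy the inline payload of entry @pos into @out (capacity @cap); returns
 * the number of bytes copied or a negative code if the entry is rejected. */
static int handle_completion(const struct completion_ring *r, uint16_t pos,
			     uint8_t *out, size_t cap)
{
	size_t entry_size = sizeof(struct entry_hdr) + r->payload_size, len;
	const uint8_t *e;
	if (pos >= r->n_entries)	/* check the driver already had */
		return ENTRY_BAD_POS;
	e = r->ring + pos * entry_size;
	len = e[0] | e[1] << 8 | e[2] << 16 | (uint32_t)e[3] << 24;
	/* The added check: a firmware-chosen len above payload_size would make
	 * memcpy read past this entry's inline area into the following entries
	 * or beyond the ring. (payload_size is a u16: log it with %u, not %zu.) */
	if (len > r->payload_size || len > cap)
		return ENTRY_BAD_LEN;
	memcpy(out, e + sizeof(struct entry_hdr), len);
	return (int)len;
}

/* Constructed 2-entry ring with 16-byte payloads: write @claimed as entry
 * 0's len and report how handle_completion() treats position @pos. */
static int probe(uint32_t claimed, uint16_t pos)
{
	uint8_t ring[2 * (sizeof(struct entry_hdr) + 16)] = { 0 }, out[16];
	struct completion_ring r = { ring, 2, 16 };
	for (int i = 0; i < 4; i++)
		ring[i] = claimed >> (8 * i);
	return handle_completion(&r, pos, out, sizeof(out));
}
```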
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: Luiz Augusto von Dentz @ 2026-04-20 20:37 UTC (permalink / raw)
To: Tristan Madani; +Cc: linux-bluetooth, marcel, sven, marcan, asahi, stable
Hi Tristan,
On Fri, Apr 17, 2026 at 6:46 AM Tristan Madani <tristmd@gmail.com> wrote:
>
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The firmware-controlled entry->len is used as the memcpy size for inline
> payload data without bounds checking when the PAYLOAD_MAPPED flag is not
> set. This causes out-of-bounds reads from the completion ring DMA memory
> for the HCI_D2H and SCO_D2H transfer rings.
>
> Add a length validation against the completion ring payload_size.
>
> Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
> Cc: stable@vger.kernel.org
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> drivers/bluetooth/hci_bcm4377.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
> index 925d0a635..5d2f594c2 100644
> --- a/drivers/bluetooth/hci_bcm4377.c
> +++ b/drivers/bluetooth/hci_bcm4377.c
> @@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
> msg_id = le16_to_cpu(entry->msg_id);
> transfer_ring = le16_to_cpu(entry->ring_id);
>
> + if (data_len > ring->payload_size) {
> + dev_warn(&bcm4377->pdev->dev,
> + "event data len %zu exceeds payload size %zu for ring %d\n",
> + data_len, ring->payload_size, ring->ring_id);
> + return;
> + }
> +
> if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
> dev_warn(
> &bcm4377->pdev->dev,
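Review bot: The new check sits before the transfer_rings test and the per-ring dispatch, so it applies to every completion entry, including entries whose PAYLOAD_MAPPED flag is set and whose data therefore does not live in the completion ring's inline payload area; the commit message describes the unchecked memcpy only for the case where the flag is not set. It is worth confirming that entry->len for mapped entries can never exceed the completion ring's payload_size, or otherwise gating the check on the flag (or checking mapped lengths against the transfer ring's own payload size) so that valid mapped data is not dropped with a warning.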
> --
> 2.47.3
https://sashiko.dev/#/patchset/20260417104639.2608008-1-tristmd%40gmail.com
Comments seem valid.
--
Luiz Augusto von Dentz
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: kernel test robot @ 2026-04-21 14:36 UTC (permalink / raw)
To: Tristan Madani, linux-bluetooth
Cc: llvm, oe-kbuild-all, luiz.dentz, marcel, sven, marcan, asahi, stable
Hi Tristan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth/master]
[also build test WARNING on bluetooth-next/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Tristan-Madani/Bluetooth-hci_bcm4377-validate-firmware-event-length-in-completion-ring/20260420-161359
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link: https://lore.kernel.org/r/20260417104639.2608008-1-tristmd%40gmail.com
patch subject: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
config: um-allmodconfig (https://download.01.org/0day-ci/archive/20260421/202604212248.Sek1Tdfg-lkp@intel.com/config)
compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260421/202604212248.Sek1Tdfg-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604212248.Sek1Tdfg-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/bluetooth/hci_bcm4377.c:11:
In file included from include/linux/dma-mapping.h:8:
In file included from include/linux/scatterlist.h:9:
In file included from arch/um/include/asm/io.h:24:
include/asm-generic/io.h:1209:55: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
1209 | return (port > MMIO_UPPER_LIMIT) ? NULL : PCI_IOBASE + port;
| ~~~~~~~~~~ ^
>> drivers/bluetooth/hci_bcm4377.c:761:15: warning: format specifies type 'size_t' (aka 'unsigned long') but the argument has type 'u16' (aka 'unsigned short') [-Wformat]
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ~~~
| %hu
761 | data_len, ring->payload_size, ring->ring_id);
| ^~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:156:70: note: expanded from macro 'dev_warn'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ~~~ ^~~~~~~~~~~
include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ~~~ ^~~~~~~~~~~
2 warnings generated.
vim +761 drivers/bluetooth/hci_bcm4377.c
   734	
   735	static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
   736					      struct bcm4377_completion_ring *ring,
   737					      u16 pos)
   738	{
   739		struct bcm4377_completion_ring_entry *entry;
   740		u16 msg_id, transfer_ring;
   741		size_t entry_size, data_len;
   742		void *data;
   743	
   744		if (pos >= ring->n_entries) {
   745			dev_warn(&bcm4377->pdev->dev,
   746				 "invalid offset %d for completion ring %d\n", pos,
   747				 ring->ring_id);
   748			return;
   749		}
   750	
   751		entry_size = sizeof(*entry) + ring->payload_size;
   752		entry = ring->ring + pos * entry_size;
   753		data = ring->ring + pos * entry_size + sizeof(*entry);
   754		data_len = le32_to_cpu(entry->len);
   755		msg_id = le16_to_cpu(entry->msg_id);
   756		transfer_ring = le16_to_cpu(entry->ring_id);
   757	
   758		if (data_len > ring->payload_size) {
   759			dev_warn(&bcm4377->pdev->dev,
   760				 "event data len %zu exceeds payload size %zu for ring %d\n",
 > 761				 data_len, ring->payload_size, ring->ring_id);
   762			return;
   763		}
   764	
   765		if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
   766			dev_warn(
   767				&bcm4377->pdev->dev,
   768				"invalid entry at offset %d for transfer ring %d in completion ring %d\n",
   769				pos, transfer_ring, ring->ring_id);
   770			return;
   771		}
   772	
   773		dev_dbg(&bcm4377->pdev->dev,
   774			"entry in completion ring %d for transfer ring %d with msg_id %d\n",
   775			ring->ring_id, transfer_ring, msg_id);
   776	
   777		switch (transfer_ring) {
   778		case BCM4377_XFER_RING_CONTROL:
   779			bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
   780			break;
   781		case BCM4377_XFER_RING_HCI_H2D:
   782			bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
   783			break;
   784		case BCM4377_XFER_RING_SCO_H2D:
   785			bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
   786			break;
   787		case BCM4377_XFER_RING_ACL_H2D:
   788			bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
   789			break;
   790	
   791		case BCM4377_XFER_RING_HCI_D2H:
   792			bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
   793					     entry->flags, HCI_EVENT_PKT, data,
   794					     data_len);
   795			break;
   796		case BCM4377_XFER_RING_SCO_D2H:
   797			bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
   798					     entry->flags, HCI_SCODATA_PKT, data,
   799					     data_len);
   800			break;
   801		case BCM4377_XFER_RING_ACL_D2H:
   802			bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
   803					     entry->flags, HCI_ACLDATA_PKT, data,
   804					     data_len);
   805			break;
   806	
   807		default:
   808			dev_warn(
   809				&bcm4377->pdev->dev,
   810				"entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
   811				ring->ring_id, transfer_ring, msg_id);
   812		}
   813	}
   814	
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: kernel test robot @ 2026-04-21 15:50 UTC (permalink / raw)
To: Tristan Madani, linux-bluetooth
Cc: oe-kbuild-all, luiz.dentz, marcel, sven, marcan, asahi, stable
Hi Tristan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth/master]
[also build test WARNING on bluetooth-next/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Tristan-Madani/Bluetooth-hci_bcm4377-validate-firmware-event-length-in-completion-ring/20260420-161359
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link: https://lore.kernel.org/r/20260417104639.2608008-1-tristmd%40gmail.com
patch subject: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
config: um-allyesconfig (https://download.01.org/0day-ci/archive/20260422/202604220005.gyhLDa7b-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260422/202604220005.gyhLDa7b-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604220005.gyhLDa7b-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/device.h:15,
from include/linux/async.h:14,
from drivers/bluetooth/hci_bcm4377.c:8:
drivers/bluetooth/hci_bcm4377.c: In function 'bcm4377_handle_completion':
>> drivers/bluetooth/hci_bcm4377.c:760:26: warning: format '%zu' expects argument of type 'size_t', but argument 4 has type 'int' [-Wformat=]
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:110:30: note: in definition of macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^~~
include/linux/dev_printk.h:156:61: note: in expansion of macro 'dev_fmt'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~~
drivers/bluetooth/hci_bcm4377.c:759:17: note: in expansion of macro 'dev_warn'
759 | dev_warn(&bcm4377->pdev->dev,
| ^~~~~~~~
drivers/bluetooth/hci_bcm4377.c:760:69: note: format string is defined here
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ~~^
| |
| long unsigned int
| %u
vim +760 drivers/bluetooth/hci_bcm4377.c
   734	
   735	static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
   736					      struct bcm4377_completion_ring *ring,
   737					      u16 pos)
   738	{
   739		struct bcm4377_completion_ring_entry *entry;
   740		u16 msg_id, transfer_ring;
   741		size_t entry_size, data_len;
   742		void *data;
   743	
   744		if (pos >= ring->n_entries) {
   745			dev_warn(&bcm4377->pdev->dev,
   746				 "invalid offset %d for completion ring %d\n", pos,
   747				 ring->ring_id);
   748			return;
   749		}
   750	
   751		entry_size = sizeof(*entry) + ring->payload_size;
   752		entry = ring->ring + pos * entry_size;
   753		data = ring->ring + pos * entry_size + sizeof(*entry);
   754		data_len = le32_to_cpu(entry->len);
   755		msg_id = le16_to_cpu(entry->msg_id);
   756		transfer_ring = le16_to_cpu(entry->ring_id);
   757	
   758		if (data_len > ring->payload_size) {
   759			dev_warn(&bcm4377->pdev->dev,
 > 760				 "event data len %zu exceeds payload size %zu for ring %d\n",
   761				 data_len, ring->payload_size, ring->ring_id);
   762			return;
   763		}
   764	
   765		if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
   766			dev_warn(
   767				&bcm4377->pdev->dev,
   768				"invalid entry at offset %d for transfer ring %d in completion ring %d\n",
   769				pos, transfer_ring, ring->ring_id);
   770			return;
   771		}
   772	
   773		dev_dbg(&bcm4377->pdev->dev,
   774			"entry in completion ring %d for transfer ring %d with msg_id %d\n",
   775			ring->ring_id, transfer_ring, msg_id);
   776	
   777		switch (transfer_ring) {
   778		case BCM4377_XFER_RING_CONTROL:
   779			bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
   780			break;
   781		case BCM4377_XFER_RING_HCI_H2D:
   782			bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
   783			break;
   784		case BCM4377_XFER_RING_SCO_H2D:
   785			bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
   786			break;
   787		case BCM4377_XFER_RING_ACL_H2D:
   788			bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
   789			break;
   790	
   791		case BCM4377_XFER_RING_HCI_D2H:
   792			bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
   793					     entry->flags, HCI_EVENT_PKT, data,
   794					     data_len);
   795			break;
   796		case BCM4377_XFER_RING_SCO_D2H:
   797			bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
   798					     entry->flags, HCI_SCODATA_PKT, data,
   799					     data_len);
   800			break;
   801		case BCM4377_XFER_RING_ACL_D2H:
   802			bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
   803					     entry->flags, HCI_ACLDATA_PKT, data,
   804					     data_len);
   805			break;
   806	
   807		default:
   808			dev_warn(
   809				&bcm4377->pdev->dev,
   810				"entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
   811				ring->ring_id, transfer_ring, msg_id);
   812		}
   813	}
   814	
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki