From: kernel test robot <lkp@intel.com>
To: Tristan Madani <tristmd@gmail.com>, linux-bluetooth@vger.kernel.org
Cc: oe-kbuild-all@lists.linux.dev, luiz.dentz@gmail.com,
marcel@holtmann.org, sven@svenpeter.dev, marcan@marcan.st,
asahi@lists.linux.dev, stable@vger.kernel.org
Subject: Re: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
Date: Tue, 21 Apr 2026 23:50:46 +0800 [thread overview]
Message-ID: <202604220005.gyhLDa7b-lkp@intel.com> (raw)
In-Reply-To: <20260417104639.2608008-1-tristmd@gmail.com>
Hi Tristan,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth/master]
[also build test WARNING on bluetooth-next/master linus/master v7.0 next-20260420]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Tristan-Madani/Bluetooth-hci_bcm4377-validate-firmware-event-length-in-completion-ring/20260420-161359
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git master
patch link: https://lore.kernel.org/r/20260417104639.2608008-1-tristmd%40gmail.com
patch subject: [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
config: um-allyesconfig (https://download.01.org/0day-ci/archive/20260422/202604220005.gyhLDa7b-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260422/202604220005.gyhLDa7b-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604220005.gyhLDa7b-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/device.h:15,
from include/linux/async.h:14,
from drivers/bluetooth/hci_bcm4377.c:8:
drivers/bluetooth/hci_bcm4377.c: In function 'bcm4377_handle_completion':
>> drivers/bluetooth/hci_bcm4377.c:760:26: warning: format '%zu' expects argument of type 'size_t', but argument 4 has type 'int' [-Wformat=]
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/dev_printk.h:110:30: note: in definition of macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^~~
include/linux/dev_printk.h:156:61: note: in expansion of macro 'dev_fmt'
156 | dev_printk_index_wrap(_dev_warn, KERN_WARNING, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~~
drivers/bluetooth/hci_bcm4377.c:759:17: note: in expansion of macro 'dev_warn'
759 | dev_warn(&bcm4377->pdev->dev,
| ^~~~~~~~
drivers/bluetooth/hci_bcm4377.c:760:69: note: format string is defined here
760 | "event data len %zu exceeds payload size %zu for ring %d\n",
| ~~^
| |
| long unsigned int
| %u
vim +760 drivers/bluetooth/hci_bcm4377.c
734
735 static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
736 struct bcm4377_completion_ring *ring,
737 u16 pos)
738 {
739 struct bcm4377_completion_ring_entry *entry;
740 u16 msg_id, transfer_ring;
741 size_t entry_size, data_len;
742 void *data;
743
744 if (pos >= ring->n_entries) {
745 dev_warn(&bcm4377->pdev->dev,
746 "invalid offset %d for completion ring %d\n", pos,
747 ring->ring_id);
748 return;
749 }
750
751 entry_size = sizeof(*entry) + ring->payload_size;
752 entry = ring->ring + pos * entry_size;
753 data = ring->ring + pos * entry_size + sizeof(*entry);
754 data_len = le32_to_cpu(entry->len);
755 msg_id = le16_to_cpu(entry->msg_id);
756 transfer_ring = le16_to_cpu(entry->ring_id);
757
758 if (data_len > ring->payload_size) {
759 dev_warn(&bcm4377->pdev->dev,
> 760 "event data len %zu exceeds payload size %zu for ring %d\n",
761 data_len, ring->payload_size, ring->ring_id);
762 return;
763 }
764
765 if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
766 dev_warn(
767 &bcm4377->pdev->dev,
768 "invalid entry at offset %d for transfer ring %d in completion ring %d\n",
769 pos, transfer_ring, ring->ring_id);
770 return;
771 }
772
773 dev_dbg(&bcm4377->pdev->dev,
774 "entry in completion ring %d for transfer ring %d with msg_id %d\n",
775 ring->ring_id, transfer_ring, msg_id);
776
777 switch (transfer_ring) {
778 case BCM4377_XFER_RING_CONTROL:
779 bcm4377_handle_ack(bcm4377, &bcm4377->control_h2d_ring, msg_id);
780 break;
781 case BCM4377_XFER_RING_HCI_H2D:
782 bcm4377_handle_ack(bcm4377, &bcm4377->hci_h2d_ring, msg_id);
783 break;
784 case BCM4377_XFER_RING_SCO_H2D:
785 bcm4377_handle_ack(bcm4377, &bcm4377->sco_h2d_ring, msg_id);
786 break;
787 case BCM4377_XFER_RING_ACL_H2D:
788 bcm4377_handle_ack(bcm4377, &bcm4377->acl_h2d_ring, msg_id);
789 break;
790
791 case BCM4377_XFER_RING_HCI_D2H:
792 bcm4377_handle_event(bcm4377, &bcm4377->hci_d2h_ring, msg_id,
793 entry->flags, HCI_EVENT_PKT, data,
794 data_len);
795 break;
796 case BCM4377_XFER_RING_SCO_D2H:
797 bcm4377_handle_event(bcm4377, &bcm4377->sco_d2h_ring, msg_id,
798 entry->flags, HCI_SCODATA_PKT, data,
799 data_len);
800 break;
801 case BCM4377_XFER_RING_ACL_D2H:
802 bcm4377_handle_event(bcm4377, &bcm4377->acl_d2h_ring, msg_id,
803 entry->flags, HCI_ACLDATA_PKT, data,
804 data_len);
805 break;
806
807 default:
808 dev_warn(
809 &bcm4377->pdev->dev,
810 "entry in completion ring %d for unknown transfer ring %d with msg_id %d\n",
811 ring->ring_id, transfer_ring, msg_id);
812 }
813 }
814
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
prev parent reply other threads:[~2026-04-21 15:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 10:46 [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring Tristan Madani
2026-04-17 12:08 ` [v3] " bluez.test.bot
2026-04-17 12:55 ` [PATCH v3] " Neal Gompa
2026-04-20 20:37 ` Luiz Augusto von Dentz
2026-04-21 14:36 ` kernel test robot
2026-04-21 15:50 ` kernel test robot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202604220005.gyhLDa7b-lkp@intel.com \
--to=lkp@intel.com \
--cc=asahi@lists.linux.dev \
--cc=linux-bluetooth@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcan@marcan.st \
--cc=marcel@holtmann.org \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=sven@svenpeter.dev \
--cc=tristmd@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox