[PATCH v8 0/1] Bluetooth: mgmt: Fix heap overflow and race condition

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v8 0/1] Bluetooth: mgmt: Fix heap overflow and race condition
@ 2026-02-13  7:22 Maiquel Paiva
  2026-02-13  7:22 ` [PATCH v8 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling Maiquel Paiva
  0 siblings, 1 reply; 7+ messages in thread
From: Maiquel Paiva @ 2026-02-13  7:22 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, stable, Maiquel Paiva

This patch addresses two vulnerabilities in mesh handling within mgmt_util.c:
a heap buffer overflow and race conditions during list traversal.

The fixes have been consolidated into a single patch to ensure atomic
application and to follow maintainer feedback regarding the use of 
existing mutexes.

Changes in v8:
- Rebased against the latest bluetooth-fixes/master to resolve the 
  merge conflict at line 413 reported by bluez.test.bot.
- No functional changes since v7.

Changes in v5-v7:
- Combined heap overflow and race condition fixes into one patch.
- Switched to guard(mutex) using 'mgmt_pending_lock' instead of a 
  spinlock, as requested by maintainers.
- Resolved minor style and alignment issues.

Maiquel Paiva (1):
  Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling

 net/bluetooth/mgmt_util.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.43.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v8 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling
  2026-02-13  7:22 [PATCH v8 0/1] Bluetooth: mgmt: Fix heap overflow and race condition Maiquel Paiva
@ 2026-02-13  7:22 ` Maiquel Paiva
  2026-02-13  7:48   ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
  2026-02-20 15:56   ` bluez.test.bot
  0 siblings, 2 replies; 7+ messages in thread
From: Maiquel Paiva @ 2026-02-13  7:22 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, stable, Maiquel Paiva

This patch addresses two issues in mesh handling:

1. Heap buffer overflow in mgmt_mesh_add:
   The 'len' parameter wasn't being validated against the 'param' size,
   potentially leading to an overflow. Added a check to validate user
   input.

2. Race conditions in mgmt_mesh_add and mgmt_mesh_find:
   These functions modify or traverse the mesh_pending list without
   locking. Used guard(mutex) with the existing mgmt_pending_lock to
   protect the critical sections, as suggested by maintainers.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..eee4bc05f6e5 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
-	if (list_empty(&hdev->mesh_pending))
-		return NULL;
+	guard(mutex)(&hdev->mgmt_pending_lock);
 
 	list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
 		if (mesh_tx->handle == handle)
@@ -413,10 +412,15 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+		return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
 
+	guard(mutex)(&hdev->mgmt_pending_lock);
+
 	hdev->mesh_send_ref++;
 	if (!hdev->mesh_send_ref)
 		hdev->mesh_send_ref++;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* RE: Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-13  7:22 ` [PATCH v8 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling Maiquel Paiva
@ 2026-02-13  7:48   ` bluez.test.bot
  2026-02-20 15:56   ` bluez.test.bot
  1 sibling, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-02-13  7:48 UTC (permalink / raw)
  To: linux-bluetooth, maiquelpaiva

[-- Attachment #1: Type: text/plain, Size: 552 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/mgmt_util.c:413
error: net/bluetooth/mgmt_util.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-13  7:22 ` [PATCH v8 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling Maiquel Paiva
  2026-02-13  7:48   ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
@ 2026-02-20 15:56   ` bluez.test.bot
  1 sibling, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-02-20 15:56 UTC (permalink / raw)
  To: linux-bluetooth, maiquelpaiva

[-- Attachment #1: Type: text/plain, Size: 2593 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1053815

---Test result---

Test Summary:
CheckPatch                    PENDING   0.35 seconds
GitLint                       PENDING   0.31 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      25.56 seconds
CheckAllWarning               PASS      28.22 seconds
CheckSparse                   PASS      31.74 seconds
BuildKernel32                 PASS      24.90 seconds
TestRunnerSetup               PASS      559.18 seconds
TestRunner_l2cap-tester       PASS      28.66 seconds
TestRunner_iso-tester         PASS      93.95 seconds
TestRunner_bnep-tester        PASS      6.40 seconds
TestRunner_mgmt-tester        FAIL      117.96 seconds
TestRunner_rfcomm-tester      PASS      9.62 seconds
TestRunner_sco-tester         FAIL      14.87 seconds
TestRunner_ioctl-tester       PASS      10.29 seconds
TestRunner_mesh-tester        FAIL      11.44 seconds
TestRunner_smp-tester         PASS      8.60 seconds
TestRunner_userchan-tester    PASS      6.64 seconds
IncrementalBuild              PENDING   0.56 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.785 seconds
Mesh - Send cancel - 2                               Timed out    1.994 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v5 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling
@ 2026-02-13  3:01 Maiquel Paiva
  2026-02-13  4:17 ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
  0 siblings, 1 reply; 7+ messages in thread
From: Maiquel Paiva @ 2026-02-13  3:01 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

This patch addresses two issues in mesh handling:

1. Heap buffer overflow in mgmt_mesh_add:
   The 'len' parameter wasn't being validated against the 'param' size,
   potentially leading to an overflow. Added a check to validate user
   input.

2. Race conditions in mgmt_mesh_add and mgmt_mesh_find:
   These functions modify or traverse the mesh_pending list without
   locking. Used guard(mutex) with the existing mgmt_pending_lock to
   protect the critical sections, as suggested by maintainers.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..eee4bc05f6e5 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -397,8 +397,7 @@ struct mgmt_mesh_tx *mgmt_mesh_find(struct hci_dev *hdev, u8 handle)
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
-	if (list_empty(&hdev->mesh_pending))
-		return NULL;
+	guard(mutex)(&hdev->mgmt_pending_lock);
 
 	list_for_each_entry(mesh_tx, &hdev->mesh_pending, list) {
 		if (mesh_tx->handle == handle)
@@ -413,10 +412,15 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+		return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
 
+	guard(mutex)(&hdev->mgmt_pending_lock);
+
 	hdev->mesh_send_ref++;
 	if (!hdev->mesh_send_ref)
 		hdev->mesh_send_ref++;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* RE: Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-13  3:01 [PATCH v5 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling Maiquel Paiva
@ 2026-02-13  4:17 ` bluez.test.bot
  0 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-02-13  4:17 UTC (permalink / raw)
  To: linux-bluetooth, maiquelpaiva

[-- Attachment #1: Type: text/plain, Size: 552 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/mgmt_util.c:413
error: net/bluetooth/mgmt_util.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
@ 2026-02-08  8:15 Maiquel Paiva
  2026-02-08  8:43 ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
  0 siblings, 1 reply; 7+ messages in thread
From: Maiquel Paiva @ 2026-02-08  8:15 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Add a check for the user-provided length in mgmt_mesh_add() against
the size of the param buffer. This prevents a heap buffer overflow
if the user provides a length larger than the destination buffer.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..bdce52363332 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -413,6 +413,9 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+			return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* RE: Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-08  8:15 [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
@ 2026-02-08  8:43 ` bluez.test.bot
  0 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-02-08  8:43 UTC (permalink / raw)
  To: linux-bluetooth, maiquelpaiva

[-- Attachment #1: Type: text/plain, Size: 40968 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1051967

---Test result---

Test Summary:
CheckPatch                    PENDING   0.50 seconds
GitLint                       PENDING   0.29 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   FAIL      22.82 seconds
CheckAllWarning               FAIL      25.31 seconds
CheckSparse                   FAIL      27.49 seconds
BuildKernel32                 FAIL      22.06 seconds
TestRunnerSetup               FAIL      531.86 seconds
TestRunner_l2cap-tester       FAIL      0.08 seconds
TestRunner_iso-tester         FAIL      0.08 seconds
TestRunner_bnep-tester        FAIL      0.08 seconds
TestRunner_mgmt-tester        FAIL      0.08 seconds
TestRunner_rfcomm-tester      FAIL      0.08 seconds
TestRunner_sco-tester         FAIL      0.08 seconds
TestRunner_ioctl-tester       FAIL      0.08 seconds
TestRunner_mesh-tester        FAIL      0.08 seconds
TestRunner_smp-tester         FAIL      0.08 seconds
TestRunner_userchan-tester    FAIL      0.08 seconds
IncrementalBuild              PENDING   0.64 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: BuildKernel - FAIL
Desc: Build Kernel for Bluetooth
Output:

net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: CheckAllWarning - FAIL
Desc: Run linux kernel with all warning enabled
Output:

net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: CheckSparse - FAIL
Desc: Run sparse tool with linux kernel
Output:

drivers/bluetooth/hci_vhci.c:717:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:718:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:720:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:721:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:722:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:723:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:723:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:724:1: error: bad constant expression
drivers/bluetooth/hci_vhci.c:725:1: error: bad constant expression
net/bluetooth/bnep/core.c:759:1: error: bad constant expression
net/bluetooth/bnep/core.c:760:1: error: bad constant expression
net/bluetooth/bnep/core.c:762:1: error: bad constant expression
net/bluetooth/bnep/core.c:763:1: error: bad constant expression
net/bluetooth/bnep/core.c:765:1: error: bad constant expression
net/bluetooth/bnep/core.c:766:1: error: bad constant expression
net/bluetooth/bnep/core.c:767:1: error: bad constant expression
net/bluetooth/bnep/core.c:768:1: error: bad constant expression
net/bluetooth/bnep/core.c:768:1: error: bad constant expression
net/bluetooth/bnep/core.c:769:1: error: bad constant expression
net/bluetooth/hidp/core.c:1474:1: error: bad constant expression
net/bluetooth/hidp/core.c:1475:1: error: bad constant expression
net/bluetooth/hidp/core.c:1476:1: error: bad constant expression
net/bluetooth/hidp/core.c:1477:1: error: bad constant expression
net/bluetooth/hidp/core.c:1478:1: error: bad constant expression
net/bluetooth/hidp/core.c:1478:1: error: bad constant expression
net/bluetooth/hidp/core.c:1479:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2273:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2274:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2276:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2277:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2279:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2280:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2282:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2283:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2284:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2285:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2285:1: error: bad constant expression
net/bluetooth/rfcomm/core.c:2286:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:932:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:933:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:934:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:935:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:935:1: error: bad constant expression
drivers/bluetooth/hci_ldisc.c:936:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:972:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:973:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:974:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:975:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:975:1: error: bad constant expression
net/bluetooth/af_bluetooth.c:976:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:783:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:784:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:786:1: error: bad constant expression
drivers/bluetooth/hci_bcsp.c:787:1: error: bad constant expression
net/bluetooth/hci_core.c:85:9: warning: context imbalance in '__hci_dev_get' - different lock contexts for basic block
net/bluetooth/hci_core.c: note: in included file (through include/linux/notifier.h, include/linux/memory_hotplug.h, include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, include/linux/radix-tree.h, ...):
./include/linux/srcu.h:463:9: warning: context imbalance in 'hci_dev_put_srcu' - unexpected unlock
net/bluetooth/hci_event.c: note: in included file (through include/net/bluetooth/hci_core.h):
./include/net/bluetooth/hci.h:2922:47: warning: array of flexible structures
./include/net/bluetooth/hci.h:3008:43: warning: array of flexible structures
drivers/bluetooth/hci_bcm.c:167:1: error: bad constant expression
drivers/bluetooth/hci_bcm.c:168:1: error: bad constant expression
drivers/bluetooth/hci_ag6xx.c:257:24: warning: restricted __le32 degrades to integer
drivers/bluetooth/hci_mrvl.c:170:23: warning: restricted __le16 degrades to integer
drivers/bluetooth/hci_mrvl.c:203:23: warning: restricted __le16 degrades to integer
net/bluetooth/l2cap_core.c:7735:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7736:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7738:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7739:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:261:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:262:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:263:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:264:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:264:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:265:1: error: bad constant expression
drivers/bluetooth/bcm203x.c:266:1: error: bad constant expression
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
drivers/bluetooth/bpa10x.c:444:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:445:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:446:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:447:1: error: bad constant expression
drivers/bluetooth/bpa10x.c:447:1: error: bad constant expression
drivers/bluetooth/bfusb.c:720:1: error: bad constant expression
drivers/bluetooth/bfusb.c:721:1: error: bad constant expression
drivers/bluetooth/bfusb.c:722:1: error: bad constant expression
drivers/bluetooth/bfusb.c:723:1: error: bad constant expression
drivers/bluetooth/bfusb.c:723:1: error: bad constant expression
drivers/bluetooth/bfusb.c:724:1: error: bad constant expression
drivers/bluetooth/btsdio.c:372:1: error: bad constant expression
drivers/bluetooth/btsdio.c:373:1: error: bad constant expression
drivers/bluetooth/btsdio.c:374:1: error: bad constant expression
drivers/bluetooth/btsdio.c:375:1: error: bad constant expression
drivers/bluetooth/btsdio.c:375:1: error: bad constant expression
drivers/bluetooth/ath3k.c:533:1: error: bad constant expression
drivers/bluetooth/ath3k.c:534:1: error: bad constant expression
drivers/bluetooth/ath3k.c:535:1: error: bad constant expression
drivers/bluetooth/ath3k.c:536:1: error: bad constant expression
drivers/bluetooth/ath3k.c:536:1: error: bad constant expression
drivers/bluetooth/ath3k.c:537:1: error: bad constant expression
drivers/bluetooth/btusb.c:4659:1: error: bad constant expression
drivers/bluetooth/btusb.c:4660:1: error: bad constant expression
drivers/bluetooth/btusb.c:4662:1: error: bad constant expression
drivers/bluetooth/btusb.c:4663:1: error: bad constant expression
drivers/bluetooth/btusb.c:4665:1: error: bad constant expression
drivers/bluetooth/btusb.c:4666:1: error: bad constant expression
drivers/bluetooth/btusb.c:4668:1: error: bad constant expression
drivers/bluetooth/btusb.c:4669:1: error: bad constant expression
drivers/bluetooth/btusb.c:4671:1: error: bad constant expression
drivers/bluetooth/btusb.c:4672:1: error: bad constant expression
drivers/bluetooth/btusb.c:4673:1: error: bad constant expression
drivers/bluetooth/btusb.c:4674:1: error: bad constant expression
drivers/bluetooth/btusb.c:4674:1: error: bad constant expression
drivers/bluetooth/btintel.c:3792:1: error: bad constant expression
drivers/bluetooth/btintel.c:3793:1: error: bad constant expression
drivers/bluetooth/btintel.c:3794:1: error: bad constant expression
drivers/bluetooth/btintel.c:3795:1: error: bad constant expression
drivers/bluetooth/btintel.c:3795:1: error: bad constant expression
drivers/bluetooth/btintel.c:3796:1: error: bad constant expression
drivers/bluetooth/btintel.c:3797:1: error: bad constant expression
drivers/bluetooth/btintel.c:3798:1: error: bad constant expression
drivers/bluetooth/btintel.c:3799:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:782:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:783:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:784:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:785:1: error: bad constant expression
drivers/bluetooth/btmrvl_main.c:785:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1769:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1770:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1771:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1772:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1772:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1773:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1774:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1775:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1776:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1777:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1778:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1779:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1780:1: error: bad constant expression
drivers/bluetooth/btmrvl_sdio.c:1781:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1556:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1557:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1559:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1560:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1561:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1562:1: error: bad constant expression
drivers/bluetooth/btmtksdio.c:1562:1: error: bad constant expression
drivers/bluetooth/btbcm.c:780:1: error: bad constant expression
drivers/bluetooth/btbcm.c:781:1: error: bad constant expression
drivers/bluetooth/btbcm.c:782:1: error: bad constant expression
drivers/bluetooth/btbcm.c:783:1: error: bad constant expression
drivers/bluetooth/btbcm.c:783:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:994:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:995:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:996:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:997:1: error: bad constant expression
drivers/bluetooth/btmtkuart.c:997:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1514:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1515:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1516:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1517:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1517:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1518:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1519:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1520:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1521:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1522:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1523:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1524:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1525:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1526:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1527:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1528:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1529:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1530:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1531:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1532:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1533:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1534:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1535:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1536:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1537:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1538:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1539:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1540:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1541:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1542:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1543:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1544:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1545:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1546:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1547:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1548:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1549:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1550:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1551:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1552:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1553:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1554:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1555:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1556:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1557:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1558:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1559:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1560:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1561:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1562:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1563:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1564:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1565:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1566:1: error: bad constant expression
drivers/bluetooth/btrtl.c:1567:1: error: bad constant expression
drivers/bluetooth/btqca.c:1042:1: error: bad constant expression
drivers/bluetooth/btqca.c:1043:1: error: bad constant expression
drivers/bluetooth/btqca.c:1044:1: error: bad constant expression
drivers/bluetooth/btqca.c:1044:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:803:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:804:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:805:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:806:1: error: bad constant expression
drivers/bluetooth/hci_nokia.c:806:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1489:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1490:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1491:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1492:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1493:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1493:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1494:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1495:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1496:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1497:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1498:1: error: bad constant expression
drivers/bluetooth/btmtk.c:1499:1: error: bad constant expression
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: BuildKernel32 - FAIL
Desc: Build 32bit Kernel for Bluetooth
Output:

net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/string.h:7,
                 from ./arch/x86/include/asm/page_32.h:18,
                 from ./arch/x86/include/asm/page.h:14,
                 from ./arch/x86/include/asm/processor.h:20,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/string.h:7,
                 from ./arch/x86/include/asm/page_32.h:18,
                 from ./arch/x86/include/asm/page.h:14,
                 from ./arch/x86/include/asm/processor.h:20,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: TestRunnerSetup - FAIL
Desc: Setup kernel and bluez for test-runner
Output:
Kernel: 
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_find’:
net/bluetooth/mgmt_util.c:400:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  400 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt_util.c: In function ‘mgmt_mesh_add’:
net/bluetooth/mgmt_util.c:422:18: error: passing argument 1 of ‘class_spinlock_constructor’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  422 |  guard(spinlock)(&hdev->lock);
      |                  ^~~~~~~~~~~
      |                  |
      |                  struct mutex *
In file included from ./include/linux/jump_label.h:78,
                 from ./arch/x86/include/asm/string_64.h:6,
                 from ./arch/x86/include/asm/string.h:8,
                 from ./arch/x86/include/asm/cpuid/api.h:10,
                 from ./arch/x86/include/asm/processor.h:19,
                 from ./arch/x86/include/asm/timex.h:5,
                 from ./include/linux/timex.h:67,
                 from ./include/linux/time32.h:13,
                 from ./include/linux/time.h:60,
                 from ./include/linux/jiffies.h:10,
                 from ./include/linux/ktime.h:25,
                 from ./include/linux/poll.h:7,
                 from ./include/net/bluetooth/bluetooth.h:29,
                 from net/bluetooth/mgmt_util.c:26:
./include/linux/cleanup.h:490:77: note: expected ‘spinlock_t *’ {aka ‘struct spinlock *’} but argument is of type ‘struct mutex *’
  490 | static __always_inline class_##_name##_t class_##_name##_constructor(_type *l) \
./include/linux/cleanup.h:509:1: note: in expansion of macro ‘__DEFINE_LOCK_GUARD_1’
  509 | __DEFINE_LOCK_GUARD_1(_name, _type, _lock)
      | ^~~~~~~~~~~~~~~~~~~~~
./include/linux/spinlock.h:565:1: note: in expansion of macro ‘DEFINE_LOCK_GUARD_1’
  565 | DEFINE_LOCK_GUARD_1(spinlock, spinlock_t,
      | ^~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:287: net/bluetooth/mgmt_util.o] Error 1
make[3]: *** [scripts/Makefile.build:544: net/bluetooth] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:544: net] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/github/workspace/src/src/Makefile:2054: .] Error 2
make: *** [Makefile:248: __sub-make] Error 2
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_bnep-tester - FAIL
Desc: Run bnep-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_rfcomm-tester - FAIL
Desc: Run rfcomm-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_ioctl-tester - FAIL
Desc: Run ioctl-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_smp-tester - FAIL
Desc: Run smp-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: TestRunner_userchan-tester - FAIL
Desc: Run userchan-tester with test-runner
Output:

Could not access KVM kernel module: No such file or directory
qemu-system-x86_64: failed to initialize KVM: No such file or directory
qemu-system-x86_64: Back to tcg accelerator
qemu: could not open kernel file '/github/workspace/src/src/arch/x86/boot/bzImage': No such file or directory
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v3 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add
@ 2026-02-08  6:49 Maiquel Paiva
  2026-02-08  7:57 ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
  0 siblings, 1 reply; 7+ messages in thread
From: Maiquel Paiva @ 2026-02-08  6:49 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, gregkh, marcel, Maiquel Paiva, stable

Add a check for the user-provided length in mgmt_mesh_add() against
the size of the param buffer. This prevents a heap buffer overflow
if the user provides a length larger than the destination buffer.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Cc: stable@vger.kernel.org
Signed-off-by: Maiquel Paiva <maiquelpaiva@gmail.com>
---
 net/bluetooth/mgmt_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
index aa7b5585cb26..bdce52363332 100644
--- a/net/bluetooth/mgmt_util.c
+++ b/net/bluetooth/mgmt_util.c
@@ -413,6 +413,9 @@ struct mgmt_mesh_tx *mgmt_mesh_add(struct sock *sk, struct hci_dev *hdev,
 {
 	struct mgmt_mesh_tx *mesh_tx;
 
+	if (len > sizeof(mesh_tx->param))
+			return NULL;
+
 	mesh_tx = kzalloc(sizeof(*mesh_tx), GFP_KERNEL);
 	if (!mesh_tx)
 		return NULL;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* RE: Bluetooth: mgmt: Fix heap overflow and race condition
  2026-02-08  6:49 [PATCH v3 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
@ 2026-02-08  7:57 ` bluez.test.bot
  0 siblings, 0 replies; 7+ messages in thread
From: bluez.test.bot @ 2026-02-08  7:57 UTC (permalink / raw)
  To: linux-bluetooth, maiquelpaiva

[-- Attachment #1: Type: text/plain, Size: 2833 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1051963

---Test result---

Test Summary:
CheckPatch                    PENDING   0.36 seconds
GitLint                       PENDING   0.28 seconds
SubjectPrefix                 PASS      0.17 seconds
BuildKernel                   PASS      25.68 seconds
CheckAllWarning               PASS      27.92 seconds
CheckSparse                   PASS      31.37 seconds
BuildKernel32                 PASS      24.96 seconds
TestRunnerSetup               PASS      556.32 seconds
TestRunner_l2cap-tester       PASS      28.56 seconds
TestRunner_iso-tester         FAIL      56.63 seconds
TestRunner_bnep-tester        PASS      8.25 seconds
TestRunner_mgmt-tester        FAIL      116.21 seconds
TestRunner_rfcomm-tester      PASS      9.73 seconds
TestRunner_sco-tester         FAIL      14.53 seconds
TestRunner_ioctl-tester       PASS      10.34 seconds
TestRunner_mesh-tester        FAIL      12.61 seconds
TestRunner_smp-tester         PASS      8.77 seconds
TestRunner_userchan-tester    PASS      6.77 seconds
IncrementalBuild              PENDING   0.64 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.100 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.780 seconds
Mesh - Send cancel - 2                               Timed out    1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-02-20 15:56 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-13  7:22 [PATCH v8 0/1] Bluetooth: mgmt: Fix heap overflow and race condition Maiquel Paiva
2026-02-13  7:22 ` [PATCH v8 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling Maiquel Paiva
2026-02-13  7:48   ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
2026-02-20 15:56   ` bluez.test.bot
  -- strict thread matches above, loose matches on Subject: below --
2026-02-13  3:01 [PATCH v5 1/1] Bluetooth: mgmt: Fix heap overflow and race condition in mesh handling Maiquel Paiva
2026-02-13  4:17 ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
2026-02-08  8:15 [PATCH v4 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
2026-02-08  8:43 ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot
2026-02-08  6:49 [PATCH v3 1/2] Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add Maiquel Paiva
2026-02-08  7:57 ` Bluetooth: mgmt: Fix heap overflow and race condition bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox