* [bluez/bluez]
From: BluezTestBot @ 2026-05-04 20:42 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1089431
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* RE: Bluetooth: btusb: Add new VID/PID 0x0489/0xe156 for MT7902
From: bluez.test.bot @ 2026-05-04 20:25 UTC (permalink / raw)
To: linux-bluetooth, sean.wang
In-Reply-To: <20260504190353.9358-1-sean.wang@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 882 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089463
---Test result---
Test Summary:
CheckPatch PASS 0.66 seconds
GitLint PASS 0.23 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 20.23 seconds
CheckAllWarning PASS 21.71 seconds
CheckSparse PASS 22.09 seconds
BuildKernel32 PASS 21.81 seconds
TestRunnerSetup PASS 414.17 seconds
IncrementalBuild PASS 20.46 seconds
https://github.com/bluez/bluetooth-next/pull/146
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: [v3] sdp: fix overflow in sdp_extract_seqtype()
From: bluez.test.bot @ 2026-05-04 20:14 UTC (permalink / raw)
To: linux-bluetooth, admin
In-Reply-To: <6vsGD_2xyWDIrUZkN1idLdLKf9ChYJJOMyOm2FglmFna_5KyDCgLG6PIsHrMSN5YJv0hAN0APdkK0kZq_5k_qKP_wqILFVxMpmkhb58GyVU=@fluentlogic.org>
[-- Attachment #1: Type: text/plain, Size: 989 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089467
---Test result---
Test Summary:
CheckPatch PASS 0.35 seconds
GitLint PASS 0.24 seconds
BuildEll PASS 20.65 seconds
BluezMake PASS 677.29 seconds
MakeCheck PASS 0.92 seconds
MakeDistcheck PASS 250.32 seconds
CheckValgrind PASS 224.55 seconds
CheckSmatch PASS 355.79 seconds
bluezmakeextell PASS 184.80 seconds
IncrementalBuild PASS 669.95 seconds
ScanBuild PASS 1033.40 seconds
https://github.com/bluez/bluez/pull/2094
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [bluez/bluez] d11e06: sdp: fix overflow in sdp_extract_seqtype()
From: github-actions[bot] @ 2026-05-04 19:16 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1089467
Home: https://github.com/bluez/bluez
Commit: d11e061c25f5e7d5e75e0c03fcf1c819f2220f45
https://github.com/bluez/bluez/commit/d11e061c25f5e7d5e75e0c03fcf1c819f2220f45
Author: Martin Brodeur <admin@fluentlogic.org>
Date: 2026-05-04 (Mon, 04 May 2026)
Changed paths:
M lib/bluetooth/sdp.c
Log Message:
-----------
sdp: fix overflow in sdp_extract_seqtype()
bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1498f4 ("monitor: Add decoding support
for HIDS 1.1 flags and attributes").
Reported-by: Martin Brodeur <admin@fluentlogic.org>
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* Re: [RFC PATCH] Bluetooth: fix Set Public Address on controller in HCI_AUTO_OFF grace period
From: Dan Klishch @ 2026-05-04 19:15 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: Marcel Holtmann, linux-bluetooth, linux-kernel
In-Reply-To: <CABBYNZKEqRW-7U7y0id8EmFB3LVxaU+FUO6g4AqkuDG_-T6bOg@mail.gmail.com>
Hi Luiz,
On 5/4/26 2:27 PM, Luiz Augusto von Dentz wrote:
> Hi Dan,
>
> On Thu, Apr 30, 2026 at 12:55 AM Dan Klishch <danilklishch@gmail.com> wrote:
>>
>> When mgmt's Set Public Address command (and Set External Configuration)
>> stages a configuration change, set_public_address() sets HCI_CONFIG and
>> HCI_AUTO_OFF on the device and queues hci_power_on. The intent is for
>> the queued power_on to run hci_dev_init_sync() -- which detects
>> HCI_CONFIG and calls hdev->set_bdaddr() to program the new address into
>> the firmware -- and then re-emit Index Added with the controller back in
>> the boot-init grace period (HCI_UP=1, HCI_AUTO_OFF=1) so userspace can
>> re-push pending config commands and drive a fresh Set Powered 1 cycle.
>>
>> The bug bites when the command is issued while the controller is in
>> that same grace period itself -- the normal post-boot state, before
>> bluetoothd has claimed the controller via Set Powered 1. In that state
>> HCI_UP=1 and HCI_AUTO_OFF=1, so hdev_is_powered() is false (the command
>> is accepted) but hci_power_on()'s "already up" early-return condition
>> HCI_UP && HCI_MGMT && HCI_AUTO_OFF is true. The early-return path runs
>> hci_powered_update_sync() -- which is the wrong thing for this case:
>> neither hci_dev_init_sync() nor mgmt_index_added() runs. The result:
>>
>> - hdev->public_addr is recorded but never reaches the firmware via
>> hdev->set_bdaddr(),
>> - userspace sees Index Removed (from set_public_address) but no
>> Index Added, leaving the controller invisible to mgmt clients;
>> it is not in the configured, unconfigured or extended index list
>> yet remains registered in the kernel.
>>
>> The other two starting states are fine: HCI_UP=0 falls through to the
>> full hci_dev_do_open() path (correct); HCI_UP=1 with HCI_AUTO_OFF=0
>> makes hdev_is_powered() true, so set_public_address() rejects with
>> MGMT_STATUS_REJECTED before queueing power_on at all.
>>
>> Fix: at the top of hci_power_on(), if HCI_CONFIG is pending and we are
>> in the affected grace-period state (HCI_UP, HCI_MGMT, !HCI_RFKILLED),
>> close the device first. The early-return condition then fails and we
>> fall through to hci_dev_do_open() -> hci_dev_init_sync(), which honors
>> HCI_CONFIG by invoking hdev->set_bdaddr(); the post-open block then
>> re-emits Index Added via the existing HCI_CONFIG branch.
>>
>> hci_dev_close_sync() clears HCI_AUTO_OFF as a side effect of going
>> through the regular power-down path, but set_public_address() had set
>> it deliberately so the post-reopen state matches the boot-init grace
>> period that mgmt clients expect ("treat as new one" per the protocol
>> contract). Several mgmt commands -- Set Privacy, Set Wideband Speech,
>> Set LE, Set BR/EDR, etc. -- gate on !hdev_is_powered(), and bluetoothd
>> expects to push them during this window before issuing Set Powered 1
>> itself. Restore HCI_AUTO_OFF after the close so hdev_is_powered() ==
>> false again.
>>
>> This matches the documented behavior for Set Public Address on a
>> fully-configured controller ("Once the address has been successfully
>> changed an Index Added event will be sent.")
>>
>> Assisted-by: Claude:claude-opus-4-7
>> Signed-off-by: Dan Klishch <danilklishch@gmail.com>
>> ---
>> net/bluetooth/hci_core.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> --- a/net/bluetooth/hci_core.c
>> +++ b/net/bluetooth/hci_core.c
>> @@ -948,6 +948,14 @@ static void hci_power_on(struct work_struct *work)
>>
>> BT_DBG("%s", hdev->name);
>>
>> + if (hci_dev_test_flag(hdev, HCI_CONFIG) &&
>> + hci_dev_test_flag(hdev, HCI_MGMT) &&
>> + !hci_dev_test_flag(hdev, HCI_RFKILLED) &&
>> + test_bit(HCI_UP, &hdev->flags)) {
>> + hci_dev_do_close(hdev);
>> + hci_dev_set_flag(hdev, HCI_AUTO_OFF);
>> + }
>> +
>> if (test_bit(HCI_UP, &hdev->flags) &&
>> hci_dev_test_flag(hdev, HCI_MGMT) &&
>> hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
>>
>> ---
>>
>> Claude was able to fully convince me that the patch and the explanation
>> are correct. Moreover, this indeed fixed a problem I had with a custom
>> patched bluetoothd that happened to override public-addr in the 2
>> second post-boot window. However, both the patch and commit description
>> are fully AI-generated.
>
> This doesn't inspire much confidence, though. Have you at least tried
> it yourself? Perhaps we need to ask Claude to first add a test to
> mgmt-tester to ensure it actually fixes something rather than just
> hallucinating. Most models are not actually very critical of their
> proposals if there is nothing to validate their claims with.
>
I did test this indeed. The bluez patch I mentioned:
https://gist.github.com/DanShaders/4d280096a5f0f2f45ce07028cbd36761
(this is yet another AI slop, sorry!; I just wanted something quick for
myself). Without the kernel patch, MGMT_OP_SET_PUBLIC_ADDRESS is just
silently swallowed, adapter is removed, and then the userspace never
sees it again.
Claude says it cannot easily add an in-tree test for the patch without
additional changes in vhci to support setting public address. Should I
tell it to do a 3 commit series (set public addr on vhci; this; a test)
and send as V2?
One more question: seems like CI is angry on me because I included the
`Assisted-by: Claude:claude-opus-4-7` tag as per
https://docs.kernel.org/process/coding-assistants.html . Should I remove
it?
(Resending since I accidentally chose "Reply" instead of "Reply All" the
first time, I'm not very used to mailing lists)
^ permalink raw reply
* [PATCH v3] sdp: fix overflow in sdp_extract_seqtype()
From: Martin Brodeur @ 2026-05-04 19:10 UTC (permalink / raw)
To: linux-bluetooth
>From 9eef1ada8e0ce68413c17223c673034365c641bd Mon Sep 17 00:00:00 2001
From: Martin Brodeur <admin@fluentlogic.org>
Date: Mon, 4 May 2026 13:34:09 -0400
Subject: [PATCH] sdp: fix overflow in sdp_extract_seqtype()
bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1498f4 ("monitor: Add decoding support
for HIDS 1.1 flags and attributes").
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
SDPERR("Unexpected end of packet");
return 0;
}
- *size = bt_get_be32(buf);
+ {
+ uint32_t val32 = bt_get_be32(buf);
+
+ if (val32 > INT_MAX) {
+ SDPERR("Sequence length overflow");
+ return 0;
+ }
+ *size = (int) val32;
+ }
scanned += sizeof(uint32_t);
break;
default:
--
2.39.5 (Apple Git-154)
^ permalink raw reply related
* [PATCH] Bluetooth: btusb: Add new VID/PID 0x0489/0xe156 for MT7902
From: Sean Wang @ 2026-05-04 19:03 UTC (permalink / raw)
To: marcel, luiz.dentz
Cc: linux-bluetooth, linux-mediatek, Sean Wang, Kirill Shubin
From: Sean Wang <sean.wang@mediatek.com>
Add VID 0489 & PID e156 for MediaTek MT7902 USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=05 Dev#= 6 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e156 Rev= 1.00
S: Manufacturer=MediaTek Inc.
S: Product=Wireless_Device
S: SerialNumber=000000000
C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA
A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
I: If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us
E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us
I:* If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us
E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us
Co-developed-by: Kirill Shubin <kirill.kz.902@gmail.com>
Signed-off-by: Kirill Shubin <kirill.kz.902@gmail.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 572091e601f9..f1a225fe94e4 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -676,6 +676,8 @@ static const struct usb_device_id quirks_table[] = {
{ USB_DEVICE(0x13d3, 0x3606), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
/* MediaTek MT7902 Bluetooth devices */
+ { USB_DEVICE(0x0489, 0xe156), .driver_info = BTUSB_MEDIATEK |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x0e8d, 0x1ede), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x13d3, 0x3579), .driver_info = BTUSB_MEDIATEK |
--
2.43.0
^ permalink raw reply related
* RE: sdp: fix overflow in sdp_extract_seqtype()
From: bluez.test.bot @ 2026-05-04 18:57 UTC (permalink / raw)
To: linux-bluetooth, admin
In-Reply-To: <20260504173622.37463-1-admin@fluentlogic.org>
[-- Attachment #1: Type: text/plain, Size: 2743 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089431
---Test result---
Test Summary:
CheckPatch FAIL 0.43 seconds
GitLint FAIL 0.30 seconds
BuildEll PASS 21.25 seconds
BluezMake PASS 669.07 seconds
MakeCheck PASS 0.96 seconds
MakeDistcheck PASS 255.38 seconds
CheckValgrind PASS 228.99 seconds
CheckSmatch PASS 360.28 seconds
bluezmakeextell PASS 188.30 seconds
IncrementalBuild PASS 663.48 seconds
ScanBuild PASS 1086.34 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
sdp: fix overflow in sdp_extract_seqtype()
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#68:
covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes").
WARNING:LINE_SPACING: Missing a blank line after declarations
#86: FILE: lib/bluetooth/sdp.c:1254:
+ uint32_t val32 = bt_get_be32(buf);
+ if (val32 > INT_MAX) {
/github/workspace/src/patch/14553405.patch total: 0 errors, 2 warnings, 15 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14553405.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
sdp: fix overflow in sdp_extract_seqtype()
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
10: B1 Line exceeds max length (99>80): "covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes")."
https://github.com/bluez/bluez/pull/2093
---
Regards,
Linux Bluetooth
^ permalink raw reply
* Re: [RFC PATCH] Bluetooth: fix Set Public Address on controller in HCI_AUTO_OFF grace period
From: Luiz Augusto von Dentz @ 2026-05-04 18:27 UTC (permalink / raw)
To: Dan Klishch; +Cc: Marcel Holtmann, linux-bluetooth, linux-kernel
In-Reply-To: <20260430045522.7881-1-danilklishch@gmail.com>
Hi Dan,
On Thu, Apr 30, 2026 at 12:55 AM Dan Klishch <danilklishch@gmail.com> wrote:
>
> When mgmt's Set Public Address command (and Set External Configuration)
> stages a configuration change, set_public_address() sets HCI_CONFIG and
> HCI_AUTO_OFF on the device and queues hci_power_on. The intent is for
> the queued power_on to run hci_dev_init_sync() -- which detects
> HCI_CONFIG and calls hdev->set_bdaddr() to program the new address into
> the firmware -- and then re-emit Index Added with the controller back in
> the boot-init grace period (HCI_UP=1, HCI_AUTO_OFF=1) so userspace can
> re-push pending config commands and drive a fresh Set Powered 1 cycle.
>
> The bug bites when the command is issued while the controller is in
> that same grace period itself -- the normal post-boot state, before
> bluetoothd has claimed the controller via Set Powered 1. In that state
> HCI_UP=1 and HCI_AUTO_OFF=1, so hdev_is_powered() is false (the command
> is accepted) but hci_power_on()'s "already up" early-return condition
> HCI_UP && HCI_MGMT && HCI_AUTO_OFF is true. The early-return path runs
> hci_powered_update_sync() -- which is the wrong thing for this case:
> neither hci_dev_init_sync() nor mgmt_index_added() runs. The result:
>
> - hdev->public_addr is recorded but never reaches the firmware via
> hdev->set_bdaddr(),
> - userspace sees Index Removed (from set_public_address) but no
> Index Added, leaving the controller invisible to mgmt clients;
> it is not in the configured, unconfigured or extended index list
> yet remains registered in the kernel.
>
> The other two starting states are fine: HCI_UP=0 falls through to the
> full hci_dev_do_open() path (correct); HCI_UP=1 with HCI_AUTO_OFF=0
> makes hdev_is_powered() true, so set_public_address() rejects with
> MGMT_STATUS_REJECTED before queueing power_on at all.
>
> Fix: at the top of hci_power_on(), if HCI_CONFIG is pending and we are
> in the affected grace-period state (HCI_UP, HCI_MGMT, !HCI_RFKILLED),
> close the device first. The early-return condition then fails and we
> fall through to hci_dev_do_open() -> hci_dev_init_sync(), which honors
> HCI_CONFIG by invoking hdev->set_bdaddr(); the post-open block then
> re-emits Index Added via the existing HCI_CONFIG branch.
>
> hci_dev_close_sync() clears HCI_AUTO_OFF as a side effect of going
> through the regular power-down path, but set_public_address() had set
> it deliberately so the post-reopen state matches the boot-init grace
> period that mgmt clients expect ("treat as new one" per the protocol
> contract). Several mgmt commands -- Set Privacy, Set Wideband Speech,
> Set LE, Set BR/EDR, etc. -- gate on !hdev_is_powered(), and bluetoothd
> expects to push them during this window before issuing Set Powered 1
> itself. Restore HCI_AUTO_OFF after the close so hdev_is_powered() ==
> false again.
>
> This matches the documented behavior for Set Public Address on a
> fully-configured controller ("Once the address has been successfully
> changed an Index Added event will be sent.")
>
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Dan Klishch <danilklishch@gmail.com>
> ---
> net/bluetooth/hci_core.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -948,6 +948,14 @@ static void hci_power_on(struct work_struct *work)
>
> BT_DBG("%s", hdev->name);
>
> + if (hci_dev_test_flag(hdev, HCI_CONFIG) &&
> + hci_dev_test_flag(hdev, HCI_MGMT) &&
> + !hci_dev_test_flag(hdev, HCI_RFKILLED) &&
> + test_bit(HCI_UP, &hdev->flags)) {
> + hci_dev_do_close(hdev);
> + hci_dev_set_flag(hdev, HCI_AUTO_OFF);
> + }
> +
> if (test_bit(HCI_UP, &hdev->flags) &&
> hci_dev_test_flag(hdev, HCI_MGMT) &&
> hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
>
> ---
>
> Claude was able to fully convince me that the patch and the explanation
> are correct. Moreover, this indeed fixed a problem I had with a custom
> patched bluetoothd that happened to override public-addr in the 2
> second post-boot window. However, both the patch and commit description
> are fully AI-generated.
This doesn't inspire much confidence, though. Have you at least tried
it yourself? Perhaps we need to ask Claude to first add a test to
mgmt-tester to ensure it actually fixes something rather than just
hallucinating. Most models are not actually very critical of their
proposals if there is nothing to validate their claims with.
--
Luiz Augusto von Dentz
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-05-04 17:58 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1089386
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [bluez/bluez] dd093e: sdp: fix overflow in sdp_extract_seqtype()
From: github-actions[bot] @ 2026-05-04 17:58 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1089431
Home: https://github.com/bluez/bluez
Commit: dd093e5cd4678eddd38db79325fe7cfb83084a7b
https://github.com/bluez/bluez/commit/dd093e5cd4678eddd38db79325fe7cfb83084a7b
Author: Martin Brodeur <admin@fluentlogic.org>
Date: 2026-05-04 (Mon, 04 May 2026)
Changed paths:
M lib/bluetooth/sdp.c
Log Message:
-----------
sdp: fix overflow in sdp_extract_seqtype()
bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes").
Reported-by: Martin Brodeur <admin@fluentlogic.org>
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* RE: Bluetooth: hci_bcm4377: Use named initializers for pci_device_id array
From: bluez.test.bot @ 2026-05-04 17:43 UTC (permalink / raw)
To: linux-bluetooth, u.kleine-koenig
In-Reply-To: <20260504160940.2168650-2-u.kleine-koenig@baylibre.com>
[-- Attachment #1: Type: text/plain, Size: 882 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089397
---Test result---
Test Summary:
CheckPatch PASS 0.64 seconds
GitLint PASS 0.28 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 24.13 seconds
CheckAllWarning PASS 26.35 seconds
CheckSparse PASS 25.25 seconds
BuildKernel32 PASS 25.90 seconds
TestRunnerSetup PASS 514.33 seconds
IncrementalBuild PASS 22.82 seconds
https://github.com/bluez/bluetooth-next/pull/144
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: Bluetooth: ath3k: add missing blank line after declarations
From: bluez.test.bot @ 2026-05-04 17:41 UTC (permalink / raw)
To: linux-bluetooth, lucasp.linux
In-Reply-To: <20260504165956.35199-1-lucasp.linux@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 882 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089418
---Test result---
Test Summary:
CheckPatch PASS 0.51 seconds
GitLint PASS 0.23 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 20.75 seconds
CheckAllWarning PASS 23.21 seconds
CheckSparse PASS 22.35 seconds
BuildKernel32 PASS 20.58 seconds
TestRunnerSetup PASS 420.64 seconds
IncrementalBuild PASS 20.52 seconds
https://github.com/bluez/bluetooth-next/pull/145
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [PATCH] sdp: fix overflow in sdp_extract_seqtype()
From: Martin Brodeur @ 2026-05-04 17:36 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Martin Brodeur
bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes").
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..d0c681e 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,14 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
SDPERR("Unexpected end of packet");
return 0;
}
- *size = bt_get_be32(buf);
+ {
+ uint32_t val32 = bt_get_be32(buf);
+ if (val32 > INT_MAX) {
+ SDPERR("Sequence length overflow");
+ return 0;
+ }
+ *size = (int) val32;
+ }
scanned += sizeof(uint32_t);
break;
default:
--
2.39.5 (Apple Git-154)
^ permalink raw reply related
* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
From: bluez.test.bot @ 2026-05-04 17:26 UTC (permalink / raw)
To: linux-bluetooth, admin
In-Reply-To: <20260504160118.26675-1-admin@fluentlogic.org>
[-- Attachment #1: Type: text/plain, Size: 1986 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089386
---Test result---
Test Summary:
CheckPatch FAIL 0.34 seconds
GitLint PASS 0.23 seconds
BuildEll PASS 20.37 seconds
BluezMake PASS 669.02 seconds
MakeCheck PASS 0.90 seconds
MakeDistcheck PASS 247.28 seconds
CheckValgrind PASS 222.09 seconds
CheckSmatch PASS 354.69 seconds
bluezmakeextell PASS 189.55 seconds
IncrementalBuild PASS 643.57 seconds
ScanBuild PASS 1054.69 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ] sdp: fix overflow in sdp_extract_seqtype()
ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes")'
#68:
covered by commit 31e4fb1.
/github/workspace/src/patch/14553286.patch total: 1 errors, 0 warnings, 16 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14553286.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluez/pull/2092
---
Regards,
Linux Bluetooth
^ permalink raw reply
* Re: [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype()
From: admin @ 2026-05-04 17:12 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, luiz.von.dentz
In-Reply-To: <CABBYNZLQVVrxpcVqU4abyE5sodh6wq=a_z4NbPp+XN04RYz2nA@mail.gmail.com>
Luiz,
Sorry for the multiple submissions, couldn't figure out something on the emailing side of things.
Here's what my setup sees that you also must change since this is a more invasive fix:
v3 changes the parameter type to uint32_t * and updates all callers (sdp.c ×3, sdp-client.c, sdpd-request.c, sdpd-service.c, obexd/client/bluetooth.c).
Here are the details as needed:
bt_get_be32() returns uint32_t. Assigning the result directly
to the int *size parameter sign-extends values greater than
INT_MAX to negative, bypassing sequence-length sanity checks
in extract_seq() and sdp_extract_pdu() callers.
Change the type of the size parameter from int * to uint32_t *,
which correctly reflects the wire encoding and eliminates the
need for an intermediate overflow check. Update all callers.
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 11 +++++++----
lib/bluetooth/sdp_lib.h | 2 +-
obexd/client/bluetooth.c | 2 +-
src/sdp-client.c | 3 ++-
src/sdpd-request.c | 3 ++-
src/sdpd-service.c | 2 +-
6 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..fd443a7 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1210,7 +1210,7 @@ static sdp_data_t *extract_str(const void *p, int bufsize, int *len)
* Extract the sequence type and its length, and return offset into buf
* or 0 on failure.
*/
-int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *size)
+int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, uint32_t *size)
{
uint8_t dtd;
int scanned = sizeof(uint8_t);
@@ -1262,7 +1262,8 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
static sdp_data_t *extract_seq(const void *p, int bufsize, int *len,
sdp_record_t *rec)
{
- int seqlen, n = 0;
+ uint32_t seqlen;
+ int n = 0;
sdp_data_t *curr, *prev;
sdp_data_t *d = bt_malloc0(sizeof(sdp_data_t));
@@ -1391,7 +1392,8 @@ void sdp_print_service_attr(sdp_list_t *svcAttrList)
sdp_record_t *sdp_extract_pdu(const uint8_t *buf, int bufsize, int *scanned)
{
- int extracted = 0, seqlen = 0;
+ int extracted = 0;
+ uint32_t seqlen = 0;
uint8_t dtd;
uint16_t attr;
sdp_record_t *rec = sdp_record_alloc();
@@ -4422,7 +4424,8 @@ int sdp_service_search_attr_req(sdp_session_t *session, const sdp_list_t *search
int status = 0;
uint32_t reqsize = 0, _reqsize;
uint32_t rspsize = 0;
- int seqlen = 0, attr_list_len = 0;
+ uint32_t seqlen = 0;
+ int attr_list_len = 0;
int rsp_count = 0, cstate_len = 0;
unsigned int pdata_len;
uint8_t *pdata, *_pdata;
diff --git a/lib/bluetooth/sdp_lib.h b/lib/bluetooth/sdp_lib.h
index 7a48ad5..96048e6 100644
--- a/lib/bluetooth/sdp_lib.h
+++ b/lib/bluetooth/sdp_lib.h
@@ -610,7 +610,7 @@ void sdp_append_to_buf(sdp_buf_t *dst, uint8_t *data, uint32_t len);
int sdp_gen_pdu(sdp_buf_t *pdu, sdp_data_t *data);
int sdp_gen_record_pdu(const sdp_record_t *rec, sdp_buf_t *pdu);
-int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *size);
+int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, uint32_t *size);
sdp_data_t *sdp_extract_attr(const uint8_t *pdata, int bufsize, int *extractedLength, sdp_record_t *rec);
diff --git a/obexd/client/bluetooth.c b/obexd/client/bluetooth.c
index 96c69d8..4f1da37 100644
--- a/obexd/client/bluetooth.c
+++ b/obexd/client/bluetooth.c
@@ -135,7 +135,7 @@ static void search_callback(uint8_t type, uint16_t status,
{
struct bluetooth_session *session = user_data;
unsigned int scanned, bytesleft = size;
- int seqlen = 0;
+ uint32_t seqlen = 0;
uint8_t dataType;
uint16_t port = 0;
GError *gerr = NULL;
diff --git a/src/sdp-client.c b/src/sdp-client.c
index 4f35cf1..a3ac6de 100644
--- a/src/sdp-client.c
+++ b/src/sdp-client.c
@@ -151,7 +151,8 @@ static void search_completed_cb(uint8_t type, uint16_t status,
{
struct search_context *ctxt = user_data;
sdp_list_t *recs = NULL;
- int scanned, seqlen = 0, bytesleft = size;
+ int scanned, bytesleft = size;
+ uint32_t seqlen = 0;
uint8_t dataType;
int err = 0;
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index c78bfdf..6ce5a81 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -135,7 +135,8 @@ struct attrid {
static int extract_des(uint8_t *buf, int len, sdp_list_t **svcReqSeq, uint8_t *pDataType, uint8_t expectedType)
{
uint8_t seqType;
- int scanned, data_size = 0;
+ int scanned;
+ uint32_t data_size = 0;
short numberOfElements = 0;
int seqlen = 0;
sdp_list_t *pSeq = NULL;
diff --git a/src/sdpd-service.c b/src/sdpd-service.c
index 3f3b540..e0f5783 100644
--- a/src/sdpd-service.c
+++ b/src/sdpd-service.c
@@ -703,7 +703,7 @@ static sdp_record_t *extract_pdu_server(bdaddr_t *device, uint8_t *p,
{
int extractStatus = -1, localExtractedLength = 0;
uint8_t dtd;
- int seqlen = 0;
+ uint32_t seqlen = 0;
sdp_record_t *rec = NULL;
uint16_t attrId, lookAheadAttrId;
sdp_data_t *pAttr = NULL;
--
2.39.5 (Apple Git-154)
^ permalink raw reply
* Re: [PATCH] Bluetooth: hci_event: fix memset typo
From: patchwork-bot+bluetooth @ 2026-05-04 17:10 UTC (permalink / raw)
To: Jann Horn
Cc: marcel, luiz.dentz, iulia.tanasescu, linux-bluetooth,
linux-kernel
In-Reply-To: <20260429-bluetooth-memset-fix-v1-1-73507b81a903@google.com>
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 29 Apr 2026 15:40:46 +0200 you wrote:
> hci_le_big_sync_established_evt() currently does:
>
> conn->num_bis = 0;
> memset(conn->bis, 0, sizeof(conn->num_bis));
>
> sizeof(conn->num_bis) is wrong - it would make sense to either use
> conn->num_bis (before setting that to 0) or sizeof(conn->bis).
> Fix it by using sizeof(conn->bis), the least intrusive change.
>
> [...]
Here is the summary with links:
- Bluetooth: hci_event: fix memset typo
https://git.kernel.org/bluetooth/bluetooth-next/c/bed1ff8e28fc
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH v2] Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem
From: patchwork-bot+bluetooth @ 2026-05-04 17:10 UTC (permalink / raw)
To: Michael Bommarito; +Cc: marcel, luiz.dentz, pav, linux-bluetooth, linux-kernel
In-Reply-To: <20260502164303.2299816-1-michael.bommarito@gmail.com>
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sat, 2 May 2026 12:43:03 -0400 you wrote:
> Commit dbf666e4fc9b ("Bluetooth: HIDP: Fix possible UAF") made
> hidp_session_remove() drop the L2CAP reference and set
> session->conn = NULL once the session is considered removed, and
> added a bare if (session->conn) guard around the kthread-exit
> l2cap_unregister_user() call in hidp_session_thread(). The sibling
> ioctl site in hidp_connection_del() still reads session->conn
> unlocked and unguarded, and the kthread-exit guard itself is a
> lockless double-read.
>
> [...]
Here is the summary with links:
- [v2] Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem
https://git.kernel.org/bluetooth/bluetooth-next/c/fd572908d364
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH] Bluetooth: btrtl: fix RTL8761B/BU broken LE extended scan
From: patchwork-bot+bluetooth @ 2026-05-04 17:10 UTC (permalink / raw)
To: Alexej Sidorenko; +Cc: linux-bluetooth, marcel, luiz.dentz, linux-kernel
In-Reply-To: <20260429151343.28142-1-alexej@sidorenko.cz>
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 29 Apr 2026 17:13:43 +0200 you wrote:
> RTL8761B and RTL8761BU devices report HCI version 5.1 but do not
> support the LE Extended Scan commands. This causes repeated failures
> with Opcode 0x2042 (LE Set Extended Scan Parameters) returning -EBUSY
> when BlueZ attempts extended scanning while a connection is active.
>
> Set HCI_QUIRK_BROKEN_EXT_SCAN for CHIP_ID_8761B to make BlueZ fall
> back to legacy LE scan commands which the firmware supports correctly.
>
> [...]
Here is the summary with links:
- Bluetooth: btrtl: fix RTL8761B/BU broken LE extended scan
https://git.kernel.org/bluetooth/bluetooth-next/c/89edeb1e260b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH bluetooth-next v2] bluetooth: remove all PCMCIA drivers
From: patchwork-bot+bluetooth @ 2026-05-04 17:10 UTC (permalink / raw)
To: Ethan Nelson-Moore
Cc: linux-mips, linux-bluetooth, linux, chenhuacai, kernel, tsbogend,
maddy, mpe, npiggin, chleroy, marcel, luiz.dentz, ebiggers, ardb,
herbert, tytso, andre.draszik, geert, kuba, horms, johan.korsnes,
david
In-Reply-To: <20260503033201.19719-1-enelsonmoore@gmail.com>
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Sat, 2 May 2026 20:31:21 -0700 you wrote:
> PCMCIA is almost completely obsolete (the last computers supporting it
> natively were from ~2009), and the general consensus [1] seems to be
> that support for it should be gradually removed from the kernel.
>
> In 2023, an initial step of removing all the PCMCIA char drivers was
> taken in commit 9b12f050c76f ("char: pcmcia: remove all the drivers"),
> and that has not been reverted, so it seems logical to continue this
> process by removing more low-hanging fruit.
>
> [...]
Here is the summary with links:
- [bluetooth-next,v2] bluetooth: remove all PCMCIA drivers
https://git.kernel.org/bluetooth/bluetooth-next/c/88cb3906d295
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* [PATCH] Bluetooth: ath3k: add missing blank line after declarations
From: Lucas Poupeau @ 2026-05-04 16:59 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, linux-kernel, Lucas Poupeau
Add a missing blank line after variable declarations in ath3k.c
to comply with the Linux kernel coding style and improve code
readability.
Reported by checkpatch.pl.
Signed-off-by: Lucas Poupeau <lucasp.linux@gmail.com>
---
drivers/bluetooth/ath3k.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index fc796f1dbda9..0f8260524ca1 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -218,6 +218,7 @@ static int ath3k_load_firmware(struct usb_device *udev,
err = usb_control_msg_send(udev, 0, USB_REQ_DFU_DNLOAD, USB_TYPE_VENDOR,
0, 0, firmware->data, FW_HDR_SIZE,
USB_CTRL_SET_TIMEOUT, GFP_KERNEL);
+
if (err) {
BT_ERR("Can't change to loading configuration err");
goto error;
--
2.54.0
^ permalink raw reply related
* Re: [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype()
From: Luiz Augusto von Dentz @ 2026-05-04 16:57 UTC (permalink / raw)
To: Martin Brodeur; +Cc: linux-bluetooth, luiz.von.dentz
In-Reply-To: <20260504164649.31170-1-admin@fluentlogic.org>
Hi Martin,
On Mon, May 4, 2026 at 12:47 PM Martin Brodeur <admin@fluentlogic.org> wrote:
>
> bt_get_be32() returns uint32_t. Assigning the result directly
> to the int *size parameter sign-extends values greater than
> INT_MAX to negative, bypassing sequence-length sanity checks
> in extract_seq() and sdp_extract_pdu() callers.
>
> Store the result in a uint32_t first and reject values that
> exceed INT_MAX before assigning to *size.
>
> Reported-by: Martin Brodeur <admin@fluentlogic.org>
> ---
> lib/bluetooth/sdp.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
> index 7210ce0..3295fc0 100644
> --- a/lib/bluetooth/sdp.c
> +++ b/lib/bluetooth/sdp.c
> @@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
> SDPERR("Unexpected end of packet");
> return 0;
> }
> - *size = bt_get_be32(buf);
> + {
> + uint32_t val32 = bt_get_be32(buf);
> +
> + if (val32 > INT_MAX) {
> + SDPERR("Sequence length overflow");
> + return 0;
> + }
> + *size = (int) val32;
How about we simply pass a uint32_t *size?
> + }
> scanned += sizeof(uint32_t);
> break;
> default:
> --
> 2.39.5 (Apple Git-154)
>
>
>
--
Luiz Augusto von Dentz
^ permalink raw reply
* [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype()
From: Martin Brodeur @ 2026-05-04 16:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: luiz.von.dentz, Martin Brodeur
bt_get_be32() returns uint32_t. Assigning the result directly
to the int *size parameter sign-extends values greater than
INT_MAX to negative, bypassing sequence-length sanity checks
in extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and reject values that
exceed INT_MAX before assigning to *size.
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
SDPERR("Unexpected end of packet");
return 0;
}
- *size = bt_get_be32(buf);
+ {
+ uint32_t val32 = bt_get_be32(buf);
+
+ if (val32 > INT_MAX) {
+ SDPERR("Sequence length overflow");
+ return 0;
+ }
+ *size = (int) val32;
+ }
scanned += sizeof(uint32_t);
break;
default:
--
2.39.5 (Apple Git-154)
^ permalink raw reply related
* [bluez/bluez] db9aa4: sdp: fix overflow in sdp_extract_seqtype()
From: github-actions[bot] @ 2026-05-04 16:28 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1089386
Home: https://github.com/bluez/bluez
Commit: db9aa42f19a13582e17c7e2b92f41fef63c1824f
https://github.com/bluez/bluez/commit/db9aa42f19a13582e17c7e2b92f41fef63c1824f
Author: Martin Brodeur <admin@fluentlogic.org>
Date: 2026-05-04 (Mon, 04 May 2026)
Changed paths:
M lib/bluetooth/sdp.c
Log Message:
-----------
sdp: fix overflow in sdp_extract_seqtype()
bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1.
Reported-by: Martin Brodeur <admin@fluentlogic.org>
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
From: bluez.test.bot @ 2026-05-04 16:28 UTC (permalink / raw)
To: linux-bluetooth, admin
In-Reply-To: <0100019df38f8843-ca2935fc-b645-44cf-8018-c7e55f953065-000000@email.amazonses.com>
[-- Attachment #1: Type: text/plain, Size: 382 bytes --]
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox