Update typo #386
Closed
Update typo #386
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @colossus9! Thanks for your contribution to the Linux kernel! Linux kernel development happens on mailing lists, rather than on GitHub - this GitHub repository is a read-only mirror that isn't used for accepting contributions. So that your change can become part of Linux, please email it to us as a patch. Sending patches isn't quite as simple as sending a pull request, but fortunately it is a well documented process. Here's what to do:
How do I format my contribution?The Linux kernel community is notoriously picky about how contributions are formatted and sent. Fortunately, they have documented their expectations. Firstly, all contributions need to be formatted as patches. A patch is a plain text document showing the change you want to make to the code, and documenting why it is a good idea. You can create patches with Secondly, patches need 'commit messages', which is the human-friendly documentation explaining what the change is and why it's necessary. Thirdly, changes have some technical requirements. There is a Linux kernel coding style, and there are licensing requirements you need to comply with. Both of these are documented in the Submitting Patches documentation that is part of the kernel. Note that you will almost certainly have to modify your existing git commits to satisfy these requirements. Don't worry: there are many guides on the internet for doing this. Who do I send my contribution to?The Linux kernel is composed of a number of subsystems. These subsystems are maintained by different people, and have different mailing lists where they discuss proposed changes. If you don't already know what subsystem your change belongs to, the
Make sure that your list of recipients includes a mailing list. If you can't find a more specific mailing list, then LKML - the Linux Kernel Mailing List - is the place to send your patches. It's not usually necessary to subscribe to the mailing list before you send the patches, but if you're interested in kernel development, subscribing to a subsystem mailing list is a good idea. (At this point, you probably don't need to subscribe to LKML - it is a very high traffic list with about a thousand messages per day, which is often not useful for beginners.) How do I send my contribution?Use For more information about using How do I get help if I'm stuck?Firstly, don't get discouraged! There are an enormous number of resources on the internet, and many kernel developers who would like to see you succeed. Many issues - especially about how to use certain tools - can be resolved by using your favourite internet search engine. If you can't find an answer, there are a few places you can turn:
If you get really, really stuck, you could try the owners of this bot, @daxtens and @ajdlinux. Please be aware that we do have full-time jobs, so we are almost certainly the slowest way to get answers! I sent my patch - now what?You wait. You can check that your email has been received by checking the mailing list archives for the mailing list you sent your patch to. Messages may not be received instantly, so be patient. Kernel developers are generally very busy people, so it may take a few weeks before your patch is looked at. Then, you keep waiting. Three things may happen:
Further information
Happy hacking! This message was posted by a bot - if you have any questions or suggestions, please talk to my owners, @ajdlinux and @daxtens, or raise an issue at https://github.com/ajdlinux/KernelPRBot. |
Author
|
Thanks! |
|
This may be a question for the Trivial Patch Monkey (@jikos, I believe), but although the process to submit small patches is well documented, it makes little mention from what I can see about how Sphinx should be configured. Is this simply a |
Contributor
|
That's an excellent question, and I don't know the answer off the top of my
head - I'll find out and get back to you.
…On Fri, Feb 10, 2017 at 6:52 AM, Chris Finazzo ***@***.***> wrote:
This may be a question for the Trivial Patch Monkey ***@***.***
<https://github.com/jikos>, I believe), but although the process to
submit small patches is well documented, it makes little mention from what
I can see about how Sphinx should be configured.
Is this simply a brew install sphinx sphinx-build along with some flags
to support the various architectures?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#386 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ADJ5BRlxhmP8R7LglDC6faEUsHWJs6OLks5ra26bgaJpZM4Lx_jw>
.
|
Contributor
|
So I don't have a macOS box handy to test brew, but it looks like
installing sphinx is a pretty good start.
I've been trying `make htmldocs` on my linux box, I found that I needed
graphviz and xmlto as well. I know graphviz can be installed with `brew
install graphviz`, not sure about xmlto.
Hope this helps, let us know how you go.
…On Fri, Feb 10, 2017 at 7:49 AM, Daniel Axtens ***@***.***> wrote:
That's an excellent question, and I don't know the answer off the top of
my head - I'll find out and get back to you.
On Fri, Feb 10, 2017 at 6:52 AM, Chris Finazzo ***@***.***>
wrote:
> This may be a question for the Trivial Patch Monkey ***@***.***
> <https://github.com/jikos>, I believe), but although the process to
> submit small patches is well documented, it makes little mention from what
> I can see about how Sphinx should be configured.
>
> Is this simply a brew install sphinx sphinx-build along with some flags
> to support the various architectures?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#386 (comment)>, or mute
> the thread
> <https://github.com/notifications/unsubscribe-auth/ADJ5BRlxhmP8R7LglDC6faEUsHWJs6OLks5ra26bgaJpZM4Lx_jw>
> .
>
|
Mic92
pushed a commit
to Mic92/linux
that referenced
this pull request
Feb 4, 2019
lkl: Support multiple routing tables
ghost
approved these changes
Feb 15, 2020
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this pull request
Jun 16, 2021
The sub-programs prog->aux->poke_tab[] is populated in jit_subprogs() and
then used when emitting 'BPF_JMP|BPF_TAIL_CALL' insn->code from the
individual JITs. The poke_tab[] to use is stored in the insn->imm by
the code adding it to that array slot. The JIT then uses imm to find the
right entry for an individual instruction. In the x86 bpf_jit_comp.c
this is done by calling emit_bpf_tail_call_direct with the poke_tab[]
of the imm value.
However, we observed the below null-ptr-deref when mixing tail call
programs with subprog programs. For this to happen we just need to
mix bpf-2-bpf calls and tailcalls with some extra calls or instructions
that would be patched later by one of the fixup routines. So whats
happening?
Before the fixup_call_args() -- where the jit op is done -- various
code patching is done by do_misc_fixups(). This may increase the
insn count, for example when we patch map_lookup_up using map_gen_lookup
hook. This does two things. First, it means the instruction index,
insn_idx field, of a tail call instruction will move by a 'delta'.
In verifier code,
struct bpf_jit_poke_descriptor desc = {
.reason = BPF_POKE_REASON_TAIL_CALL,
.tail_call.map = BPF_MAP_PTR(aux->map_ptr_state),
.tail_call.key = bpf_map_key_immediate(aux),
.insn_idx = i + delta,
};
Then subprog start values subprog_info[i].start will be updated
with the delta and any poke descriptor index will also be updated
with the delta in adjust_poke_desc(). If we look at the adjust
subprog starts though we see its only adjusted when the delta
occurs before the new instructions,
/* NOTE: fake 'exit' subprog should be updated as well. */
for (i = 0; i <= env->subprog_cnt; i++) {
if (env->subprog_info[i].start <= off)
continue;
Earlier subprograms are not changed because their start values
are not moved. But, adjust_poke_desc() does the offset + delta
indiscriminately. The result is poke descriptors are potentially
corrupted.
Then in jit_subprogs() we only populate the poke_tab[]
when the above insn_idx is less than the next subprogram start. From
above we corrupted our insn_idx so we might incorrectly assume a
poke descriptor is not used in a subprogram omitting it from the
subprogram. And finally when the jit runs it does the deref of poke_tab
when emitting the instruction and crashes with below. Because earlier
step omitted the poke descriptor.
The fix is straight forward with above context. Simply move same logic
from adjust_subprog_starts() into adjust_poke_descs() and only adjust
insn_idx when needed.
[ 82.396354] bpf_testmod: version magic '5.12.0-rc2alu+ SMP preempt mod_unload ' should be '5.12.0+ SMP preempt mod_unload '
[ 82.623001] loop10: detected capacity change from 0 to 8
[ 88.487424] ==================================================================
[ 88.487438] BUG: KASAN: null-ptr-deref in do_jit+0x184a/0x3290
[ 88.487455] Write of size 8 at addr 0000000000000008 by task test_progs/5295
[ 88.487471] CPU: 7 PID: 5295 Comm: test_progs Tainted: G I 5.12.0+ torvalds#386
[ 88.487483] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019
[ 88.487490] Call Trace:
[ 88.487498] dump_stack+0x93/0xc2
[ 88.487515] kasan_report.cold+0x5f/0xd8
[ 88.487530] ? do_jit+0x184a/0x3290
[ 88.487542] do_jit+0x184a/0x3290
...
[ 88.487709] bpf_int_jit_compile+0x248/0x810
...
[ 88.487765] bpf_check+0x3718/0x5140
...
[ 88.487920] bpf_prog_load+0xa22/0xf10
Reported-by: Jussi Maki <joamaki@gmail.com>
CC: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Fixes: a748c69 ("bpf: propagate poke descriptors to subprograms")
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this pull request
Jun 23, 2021
The sub-programs prog->aux->poke_tab[] is populated in jit_subprogs() and
then used when emitting 'BPF_JMP|BPF_TAIL_CALL' insn->code from the
individual JITs. The poke_tab[] to use is stored in the insn->imm by
the code adding it to that array slot. The JIT then uses imm to find the
right entry for an individual instruction. In the x86 bpf_jit_comp.c
this is done by calling emit_bpf_tail_call_direct with the poke_tab[]
of the imm value.
However, we observed the below null-ptr-deref when mixing tail call
programs with subprog programs. For this to happen we just need to
mix bpf-2-bpf calls and tailcalls with some extra calls or instructions
that would be patched later by one of the fixup routines. So whats
happening?
Before the fixup_call_args() -- where the jit op is done -- various
code patching is done by do_misc_fixups(). This may increase the
insn count, for example when we patch map_lookup_up using map_gen_lookup
hook. This does two things. First, it means the instruction index,
insn_idx field, of a tail call instruction will move by a 'delta'.
In verifier code,
struct bpf_jit_poke_descriptor desc = {
.reason = BPF_POKE_REASON_TAIL_CALL,
.tail_call.map = BPF_MAP_PTR(aux->map_ptr_state),
.tail_call.key = bpf_map_key_immediate(aux),
.insn_idx = i + delta,
};
Then subprog start values subprog_info[i].start will be updated
with the delta and any poke descriptor index will also be updated
with the delta in adjust_poke_desc(). If we look at the adjust
subprog starts though we see its only adjusted when the delta
occurs before the new instructions,
/* NOTE: fake 'exit' subprog should be updated as well. */
for (i = 0; i <= env->subprog_cnt; i++) {
if (env->subprog_info[i].start <= off)
continue;
Earlier subprograms are not changed because their start values
are not moved. But, adjust_poke_desc() does the offset + delta
indiscriminately. The result is poke descriptors are potentially
corrupted.
Then in jit_subprogs() we only populate the poke_tab[]
when the above insn_idx is less than the next subprogram start. From
above we corrupted our insn_idx so we might incorrectly assume a
poke descriptor is not used in a subprogram omitting it from the
subprogram. And finally when the jit runs it does the deref of poke_tab
when emitting the instruction and crashes with below. Because earlier
step omitted the poke descriptor.
The fix is straight forward with above context. Simply move same logic
from adjust_subprog_starts() into adjust_poke_descs() and only adjust
insn_idx when needed.
[ 82.396354] bpf_testmod: version magic '5.12.0-rc2alu+ SMP preempt mod_unload ' should be '5.12.0+ SMP preempt mod_unload '
[ 82.623001] loop10: detected capacity change from 0 to 8
[ 88.487424] ==================================================================
[ 88.487438] BUG: KASAN: null-ptr-deref in do_jit+0x184a/0x3290
[ 88.487455] Write of size 8 at addr 0000000000000008 by task test_progs/5295
[ 88.487471] CPU: 7 PID: 5295 Comm: test_progs Tainted: G I 5.12.0+ torvalds#386
[ 88.487483] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019
[ 88.487490] Call Trace:
[ 88.487498] dump_stack+0x93/0xc2
[ 88.487515] kasan_report.cold+0x5f/0xd8
[ 88.487530] ? do_jit+0x184a/0x3290
[ 88.487542] do_jit+0x184a/0x3290
...
[ 88.487709] bpf_int_jit_compile+0x248/0x810
...
[ 88.487765] bpf_check+0x3718/0x5140
...
[ 88.487920] bpf_prog_load+0xa22/0xf10
Fixes: a748c69 ("bpf: propagate poke descriptors to subprograms")
Reported-by: Jussi Maki <joamaki@gmail.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
TheSven73
pushed a commit
to TheSven73/linux
that referenced
this pull request
Jun 23, 2021
rust: enhance `PointerWrapper`.
hjl-tools
pushed a commit
to hjl-tools/linux
that referenced
this pull request
Jul 14, 2021
[ Upstream commit 7506d21 ] The sub-programs prog->aux->poke_tab[] is populated in jit_subprogs() and then used when emitting 'BPF_JMP|BPF_TAIL_CALL' insn->code from the individual JITs. The poke_tab[] to use is stored in the insn->imm by the code adding it to that array slot. The JIT then uses imm to find the right entry for an individual instruction. In the x86 bpf_jit_comp.c this is done by calling emit_bpf_tail_call_direct with the poke_tab[] of the imm value. However, we observed the below null-ptr-deref when mixing tail call programs with subprog programs. For this to happen we just need to mix bpf-2-bpf calls and tailcalls with some extra calls or instructions that would be patched later by one of the fixup routines. So whats happening? Before the fixup_call_args() -- where the jit op is done -- various code patching is done by do_misc_fixups(). This may increase the insn count, for example when we patch map_lookup_up using map_gen_lookup hook. This does two things. First, it means the instruction index, insn_idx field, of a tail call instruction will move by a 'delta'. In verifier code, struct bpf_jit_poke_descriptor desc = { .reason = BPF_POKE_REASON_TAIL_CALL, .tail_call.map = BPF_MAP_PTR(aux->map_ptr_state), .tail_call.key = bpf_map_key_immediate(aux), .insn_idx = i + delta, }; Then subprog start values subprog_info[i].start will be updated with the delta and any poke descriptor index will also be updated with the delta in adjust_poke_desc(). If we look at the adjust subprog starts though we see its only adjusted when the delta occurs before the new instructions, /* NOTE: fake 'exit' subprog should be updated as well. */ for (i = 0; i <= env->subprog_cnt; i++) { if (env->subprog_info[i].start <= off) continue; Earlier subprograms are not changed because their start values are not moved. But, adjust_poke_desc() does the offset + delta indiscriminately. The result is poke descriptors are potentially corrupted. Then in jit_subprogs() we only populate the poke_tab[] when the above insn_idx is less than the next subprogram start. From above we corrupted our insn_idx so we might incorrectly assume a poke descriptor is not used in a subprogram omitting it from the subprogram. And finally when the jit runs it does the deref of poke_tab when emitting the instruction and crashes with below. Because earlier step omitted the poke descriptor. The fix is straight forward with above context. Simply move same logic from adjust_subprog_starts() into adjust_poke_descs() and only adjust insn_idx when needed. [ 82.396354] bpf_testmod: version magic '5.12.0-rc2alu+ SMP preempt mod_unload ' should be '5.12.0+ SMP preempt mod_unload ' [ 82.623001] loop10: detected capacity change from 0 to 8 [ 88.487424] ================================================================== [ 88.487438] BUG: KASAN: null-ptr-deref in do_jit+0x184a/0x3290 [ 88.487455] Write of size 8 at addr 0000000000000008 by task test_progs/5295 [ 88.487471] CPU: 7 PID: 5295 Comm: test_progs Tainted: G I 5.12.0+ torvalds#386 [ 88.487483] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019 [ 88.487490] Call Trace: [ 88.487498] dump_stack+0x93/0xc2 [ 88.487515] kasan_report.cold+0x5f/0xd8 [ 88.487530] ? do_jit+0x184a/0x3290 [ 88.487542] do_jit+0x184a/0x3290 ... [ 88.487709] bpf_int_jit_compile+0x248/0x810 ... [ 88.487765] bpf_check+0x3718/0x5140 ... [ 88.487920] bpf_prog_load+0xa22/0xf10 Fixes: a748c69 ("bpf: propagate poke descriptors to subprograms") Reported-by: Jussi Maki <joamaki@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Reviewed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
esmil
pushed a commit
to esmil/linux
that referenced
this pull request
Jul 14, 2021
[ Upstream commit 7506d21 ] The sub-programs prog->aux->poke_tab[] is populated in jit_subprogs() and then used when emitting 'BPF_JMP|BPF_TAIL_CALL' insn->code from the individual JITs. The poke_tab[] to use is stored in the insn->imm by the code adding it to that array slot. The JIT then uses imm to find the right entry for an individual instruction. In the x86 bpf_jit_comp.c this is done by calling emit_bpf_tail_call_direct with the poke_tab[] of the imm value. However, we observed the below null-ptr-deref when mixing tail call programs with subprog programs. For this to happen we just need to mix bpf-2-bpf calls and tailcalls with some extra calls or instructions that would be patched later by one of the fixup routines. So whats happening? Before the fixup_call_args() -- where the jit op is done -- various code patching is done by do_misc_fixups(). This may increase the insn count, for example when we patch map_lookup_up using map_gen_lookup hook. This does two things. First, it means the instruction index, insn_idx field, of a tail call instruction will move by a 'delta'. In verifier code, struct bpf_jit_poke_descriptor desc = { .reason = BPF_POKE_REASON_TAIL_CALL, .tail_call.map = BPF_MAP_PTR(aux->map_ptr_state), .tail_call.key = bpf_map_key_immediate(aux), .insn_idx = i + delta, }; Then subprog start values subprog_info[i].start will be updated with the delta and any poke descriptor index will also be updated with the delta in adjust_poke_desc(). If we look at the adjust subprog starts though we see its only adjusted when the delta occurs before the new instructions, /* NOTE: fake 'exit' subprog should be updated as well. */ for (i = 0; i <= env->subprog_cnt; i++) { if (env->subprog_info[i].start <= off) continue; Earlier subprograms are not changed because their start values are not moved. But, adjust_poke_desc() does the offset + delta indiscriminately. The result is poke descriptors are potentially corrupted. Then in jit_subprogs() we only populate the poke_tab[] when the above insn_idx is less than the next subprogram start. From above we corrupted our insn_idx so we might incorrectly assume a poke descriptor is not used in a subprogram omitting it from the subprogram. And finally when the jit runs it does the deref of poke_tab when emitting the instruction and crashes with below. Because earlier step omitted the poke descriptor. The fix is straight forward with above context. Simply move same logic from adjust_subprog_starts() into adjust_poke_descs() and only adjust insn_idx when needed. [ 82.396354] bpf_testmod: version magic '5.12.0-rc2alu+ SMP preempt mod_unload ' should be '5.12.0+ SMP preempt mod_unload ' [ 82.623001] loop10: detected capacity change from 0 to 8 [ 88.487424] ================================================================== [ 88.487438] BUG: KASAN: null-ptr-deref in do_jit+0x184a/0x3290 [ 88.487455] Write of size 8 at addr 0000000000000008 by task test_progs/5295 [ 88.487471] CPU: 7 PID: 5295 Comm: test_progs Tainted: G I 5.12.0+ torvalds#386 [ 88.487483] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019 [ 88.487490] Call Trace: [ 88.487498] dump_stack+0x93/0xc2 [ 88.487515] kasan_report.cold+0x5f/0xd8 [ 88.487530] ? do_jit+0x184a/0x3290 [ 88.487542] do_jit+0x184a/0x3290 ... [ 88.487709] bpf_int_jit_compile+0x248/0x810 ... [ 88.487765] bpf_check+0x3718/0x5140 ... [ 88.487920] bpf_prog_load+0xa22/0xf10 Fixes: a748c69 ("bpf: propagate poke descriptors to subprograms") Reported-by: Jussi Maki <joamaki@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Reviewed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this pull request
Nov 17, 2025
During OBEX Abort command, iOS may return an incomplete SDU packet which ends with the reply to the Abort command. During OBEX Abort command, iOS may return the L2CAP_SAR_END packet before the normal end of the SAR packets: < ACL Data TX: Handle 21 [2/8] flags 0x00 dlen 11 torvalds#194 [hci0] 14.923741 Channel: 3080 len 7 ctrl 0x060a [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Unsegmented TxSeq 5 ReqSeq 6 0a 06 ff 00 03 47 84 .....G. ... > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#382 [hci0] 19.701854 Channel: 65 len 1006 ctrl 0x460e [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Start (len 32767) TxSeq 7 ReqSeq 6 0e 46 ff 7f 90 7f ff 48 7f fc 43 48 41 52 53 45 .F.....H..CHARSE ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#383 [hci0] 19.701854 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#384 [hci0] 19.755918 Channel: 65 len 1006 ctrl 0xc610 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 8 ReqSeq 6 10 c6 6e 6f 73 61 69 72 65 73 64 65 73 69 67 6e ..nosairesdesign ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#385 [hci0] 19.775016 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#386 [hci0] 19.775024 Channel: 65 len 1006 ctrl 0xc612 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 9 ReqSeq 6 12 c6 69 63 6f 20 43 69 74 79 20 54 65 63 68 20 ..ico City Tech ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#387 [hci0] 19.775024 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#388 [hci0] 19.821542 Channel: 65 len 1006 ctrl 0xc614 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 10 ReqSeq 6 14 c6 6c 74 69 6e 67 20 50 61 72 74 6e 65 72 0d ..lting Partner. ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#389 [hci0] 19.821610 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#390 [hci0] 19.821610 Channel: 65 len 1006 ctrl 0xc616 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 11 ReqSeq 6 16 c6 6c 74 69 6e 67 2e 63 6f 6d 0d 0a 55 49 44 ..lting.com..UID ... > ACL Data RX: Handle 21 flags 0x02 dlen 11 torvalds#391 [hci0] 19.821610 Channel: 65 len 7 ctrl 0x8618 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: End TxSeq 12 ReqSeq 6 18 86 a0 00 03 3e 5d .....>] < ACL Data TX: Handle 21 [1/8] flags 0x00 dlen 12 torvalds#392 [hci0] 19.822491 L2CAP: Disconnection Request (0x06) ident 10 len 4 Destination CID: 3080 Source CID: 65 In this case the re-assembled packet should be 32767 bytes as defined in Start packet (torvalds#382), i.e. 33 segmented packets, but the End packet is sent as the 6th packet. The l2cap_reassemble_sdu() function returns error -EINVAL if reassembled packet size != expected size, triggering the L2CAP disconnection, which disconnects the OBEX session, preventing further OBEX actions. Log this, discard previous segmented packet data and only send data from SAR End packet to upstream. Closes: bluez/bluetooth-next#17 Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
intel-lab-lkp
pushed a commit
to intel-lab-lkp/linux
that referenced
this pull request
Nov 17, 2025
During OBEX Abort command, iOS may return an incomplete SDU packet which ends with the reply to the Abort command. During OBEX Abort command, iOS may return the L2CAP_SAR_END packet before the normal end of the SAR packets: < ACL Data TX: Handle 21 [2/8] flags 0x00 dlen 11 torvalds#194 [hci0] 14.923741 Channel: 3080 len 7 ctrl 0x060a [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Unsegmented TxSeq 5 ReqSeq 6 0a 06 ff 00 03 47 84 .....G. ... > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#382 [hci0] 19.701854 Channel: 65 len 1006 ctrl 0x460e [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Start (len 32767) TxSeq 7 ReqSeq 6 0e 46 ff 7f 90 7f ff 48 7f fc 43 48 41 52 53 45 .F.....H..CHARSE ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#383 [hci0] 19.701854 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#384 [hci0] 19.755918 Channel: 65 len 1006 ctrl 0xc610 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 8 ReqSeq 6 10 c6 6e 6f 73 61 69 72 65 73 64 65 73 69 67 6e ..nosairesdesign ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#385 [hci0] 19.775016 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#386 [hci0] 19.775024 Channel: 65 len 1006 ctrl 0xc612 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 9 ReqSeq 6 12 c6 69 63 6f 20 43 69 74 79 20 54 65 63 68 20 ..ico City Tech ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#387 [hci0] 19.775024 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#388 [hci0] 19.821542 Channel: 65 len 1006 ctrl 0xc614 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 10 ReqSeq 6 14 c6 6c 74 69 6e 67 20 50 61 72 74 6e 65 72 0d ..lting Partner. ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#389 [hci0] 19.821610 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#390 [hci0] 19.821610 Channel: 65 len 1006 ctrl 0xc616 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 11 ReqSeq 6 16 c6 6c 74 69 6e 67 2e 63 6f 6d 0d 0a 55 49 44 ..lting.com..UID ... > ACL Data RX: Handle 21 flags 0x02 dlen 11 torvalds#391 [hci0] 19.821610 Channel: 65 len 7 ctrl 0x8618 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: End TxSeq 12 ReqSeq 6 18 86 a0 00 03 3e 5d .....>] < ACL Data TX: Handle 21 [1/8] flags 0x00 dlen 12 torvalds#392 [hci0] 19.822491 L2CAP: Disconnection Request (0x06) ident 10 len 4 Destination CID: 3080 Source CID: 65 In this case the re-assembled packet should be 32767 bytes as defined in Start packet (torvalds#382), i.e. 33 segmented packets, but the End packet is sent as the 6th packet. The l2cap_reassemble_sdu() function returns error -EINVAL if reassembled packet size != expected size, triggering the L2CAP disconnection, which disconnects the OBEX session, preventing further OBEX actions. Log this, discard previous segmented packet data and only send data from SAR End packet to upstream. Closes: bluez/bluetooth-next#17 Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updating typo of help verbiage