From 0e9790efba504976f1cd5011c62fe9437f6a6ff7 Mon Sep 17 00:00:00 2001
From: Tedd Ho-Jeong An <tedd.an@intel.com>
Date: Wed, 4 Nov 2020 21:09:48 -0800
Subject: [PATCH 1/2] workflow: Add workflow files for ci

This patch adds workflow files for ci:

[sync.yml]
 - The workflow file for scheduled work
 - Sync the repo with upstream repo and rebase the workflow branch
 - Review the patches in the patchwork and creates the PR if needed

[ci.yml]
 - The workflow file for CI tasks
 - Run CI tests when PR is created

Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
---
 .github/workflows/ci.yml   | 25 ++++++++++++++++++++++
 .github/workflows/sync.yml | 43 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/sync.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000000000..3a2c45c37553c
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,25 @@
+name: CI
+
+on: [pull_request]
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    name: CI for Pull Request
+    steps:
+    - name: Checkout the source code
+      uses: actions/checkout@v3
+      with:
+        path: src/src
+
+    - name: CI
+      uses: tedd-an/bzcafe@main
+      with:
+        task: ci
+        base_folder: src
+        space: kernel
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        email_token: ${{ secrets.EMAIL_TOKEN }}
+        patchwork_token: ${{ secrets.PATCHWORK_TOKEN }}
+        patchwork_user: ${{ secrets.PATCHWORK_USER }}
+
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
new file mode 100644
index 0000000000000..3883d55a23267
--- /dev/null
+++ b/.github/workflows/sync.yml
@@ -0,0 +1,43 @@
+name: Sync
+
+on:
+  schedule:
+  - cron: "*/30 * * * *"
+
+jobs:
+  sync_repo:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: master
+
+    - name: Sync Repo
+      uses: tedd-an/bzcafe@main
+      with:
+        task: sync
+        upstream_repo: 'https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git'
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Cleanup PR
+      uses: tedd-an/bzcafe@main
+      with:
+        task: cleanup
+        github_token: ${{ secrets.ACTION_TOKEN }}
+
+  sync_patchwork:
+    needs: sync_repo
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Sync Patchwork
+      uses: tedd-an/bzcafe@main
+      with:
+        task: patchwork
+        space: kernel
+        github_token: ${{ secrets.ACTION_TOKEN }}
+        email_token: ${{ secrets.EMAIL_TOKEN }}
+        patchwork_token: ${{ secrets.PATCHWORK_TOKEN }}
+        patchwork_user: ${{ secrets.PATCHWORK_USER }}
+

From 3f0d701e24dc0d5b0314622f7cecb64f35a8f6cd Mon Sep 17 00:00:00 2001
From: hkbinbin <hkbinbinbin@gmail.com>
Date: Tue, 31 Mar 2026 05:50:32 +0000
Subject: [PATCH 2/2] Bluetooth: hci_event: fix OOB read and infinite loop in
 hci_le_create_big_complete_evt

hci_le_create_big_complete_evt() iterates over BT_BOUND connections
for a BIG handle using a while loop, accessing ev->bis_handle[i++]
on each iteration.  However, there is no check that i < ev->num_bis
before the array access.

When a controller sends a LE_Create_BIG_Complete event with num_bis=0
while BT_BOUND connections exist for that BIG handle, the loop reads
beyond the valid bis_handle[] entries into adjacent heap memory.
Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX
(0x0EFF), hci_conn_set_handle() rejects them and the connection
remains in BT_BOUND state.  The same connection is then found again
by hci_conn_hash_lookup_big_state(), creating an infinite loop with
hci_dev_lock held that blocks all Bluetooth operations:

  Bluetooth: hci0: Invalid handle: 0x6b6b > 0x0eff
  Bluetooth: hci0: Invalid handle: 0x6b6b > 0x0eff
  ... (repeats ~177 times)
  Bluetooth: hci0: Opcode 0x2040 failed: -110
  Bluetooth: hci0: command 0x2040 tx timeout

The value 0x6b6b is the KASAN slab free poison byte (0x6b),
confirming reads of freed/uninitialized heap memory.

Fix this by adding a bounds check on i against ev->num_bis before
accessing the array.  Connections beyond the reported count are
cleaned up with HCI_ERROR_UNSPECIFIED to prevent the infinite loop.

Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
Cc: stable@vger.kernel.org
Signed-off-by: hkbinbin <hkbinbinbin@gmail.com>
---
 net/bluetooth/hci_event.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 81d2f9a3eec96..5174a6e1ddad2 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -7104,6 +7104,12 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
 			continue;
 		}
 
+		if (i >= ev->num_bis) {
+			hci_connect_cfm(conn, HCI_ERROR_UNSPECIFIED);
+			hci_conn_del(conn);
+			continue;
+		}
+
 		if (hci_conn_set_handle(conn,
 					__le16_to_cpu(ev->bis_handle[i++])))
 			continue;