mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 1 participants
  • 22314 discussions
[openeuler:OLK-6.6 0/15] htmldocs: ./fs/eventpoll.c:2043: warning: Function parameter or member 'ep' not described in 'ep_get_upwards_depth_proc'
by kernel test robot 30 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: f148785f0bb856bba8ceca2b699a2f102f22174a
commit: e26c080d818afd35143c9bcc49978bdf5068ee33 [0/15] eventpoll: Fix semi-unbounded recursion
reproduce: (https://download.01.org/0day-ci/archive/20251229/202512291934.AIV7LiBp-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512291934.AIV7LiBp-lkp@intel.com/

All warnings (new ones prefixed by >>):

   Error: Cannot open file ./include/linux/wmi.h
   Error: Cannot open file ./include/linux/fs.h
   Error: Cannot open file ./include/linux/fs.h
   Error: Cannot open file ./include/linux/dcache.h
   Error: Cannot open file ./include/linux/dcache.h
>> ./fs/eventpoll.c:2043: warning: Function parameter or member 'ep' not described in 'ep_get_upwards_depth_proc'
>> ./fs/eventpoll.c:2043: warning: Function parameter or member 'depth' not described in 'ep_get_upwards_depth_proc'
   Error: Cannot open file ./include/linux/fscache-cache.h
   Error: Cannot open file ./include/linux/fscache.h
   Error: Cannot open file ./include/linux/jbd2.h
   Error: Cannot open file ./include/linux/jbd2.h
   Error: Cannot open file ./include/linux/netfs.h

vim +2043 ./fs/eventpoll.c

  2038
  2039  /**
  2040   * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards
  2041   */
  2042  static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth)
> 2043  {
  2044          int result = 0;
  2045          struct epitem *epi;
  2046
  2047          if (ep->gen == loop_check_gen)
  2048                  return ep->loop_check_depth;
  2049          hlist_for_each_entry_rcu(epi, &ep->refs, fllink)
  2050                  result = max(result, ep_get_upwards_depth_proc(epi->ep, depth + 1) + 1);
  2051          ep->gen = loop_check_gen;
  2052          ep->loop_check_depth = result;
  2053          return result;
  2054  }
  2055

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS 0/3] patchset for fixing CVE-2023-54160
by Xinyu Zheng 29 Dec '25

Pierre Gondois (1):
  firmware: arm_sdei: Fix sleep from invalid context BUG

Xinyu Zheng (1):
  firmware: arm_sdei: Fix "firmware: arm_sdei: Fix sleep from invalid context BUG" KABI issue

Xiongfeng Wang (1):
  firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()

 drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++-----------------
 include/linux/cpuhotplug.h | 1 +
 2 files changed, 21 insertions(+), 17 deletions(-)

--
2.34.1
[PATCH OLK-5.10] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
by Zhang Kunbo 29 Dec '25

From: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>

stable inclusion
from stable-v5.10.247
commit adb7577e23a431fc53aa1b6107733c0d751015fb
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12813
CVE: CVE-2025-68734

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.

In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style.

Compile tested only. Issue found using a prototype static analysis tool.

Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>
Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index e8b37bd5e34a..a9565ebaab00 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1903,13 +1903,13 @@ setup_instance(struct hfcsusb *hw, struct device *parent) mISDN_freebchannel(&hw->bch[1]); mISDN_freebchannel(&hw->bch[0]); mISDN_freedchannel(&hw->dch); - kfree(hw); return err; } static int hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) { + int err; struct hfcsusb *hw; struct usb_device *dev = interface_to_usbdev(intf); struct usb_host_interface *iface = intf->cur_altsetting; 
@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) if (!hw->ctrl_urb) { pr_warn("%s: No memory for control urb\n", driver_info->vend_name); - kfree(hw); - return -ENOMEM; + err = -ENOMEM; + goto err_free_hw; } pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n", hw->name, __func__, driver_info->vend_name, conf_str[small_match], ifnum, alt_used); - if (setup_instance(hw, dev->dev.parent)) - return -EIO; + if (setup_instance(hw, dev->dev.parent)) { + err = -EIO; + goto err_free_urb; + } hw->intf = intf; usb_set_intfdata(hw->intf, hw); return 0; + +err_free_urb: + usb_free_urb(hw->ctrl_urb); +err_free_hw: + kfree(hw); + return err; } /* function called when an active device is removed */ -- 2.34.1
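Review bot: in the hfcsusb_probe() hunk, every setup_instance() failure is still mapped to -EIO (`err = -EIO; goto err_free_urb;`), although the setup_instance() hunk shows that function ending its error path with `return err;`. Consider `err = setup_instance(hw, dev->dev.parent); if (err) goto err_free_urb;` so the original error code is propagated; if -EIO is kept on purpose to preserve the existing return value in a stable backport, a short comment saying so would help. The label order is right: err_free_urb falls through to err_free_hw, so ctrl_urb is released before hw.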
[PATCH OLK-6.6] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
by Zhang Kunbo 29 Dec '25

From: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>

stable inclusion
from stable-v6.6.117
commit 03695541b3349bc40bf5d6563d44d6147fb20260
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12813
CVE: CVE-2025-68734

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.

In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style.

Compile tested only. Issue found using a prototype static analysis tool.

Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>
Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index b82b89888a5e..c55438e1f678 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1903,13 +1903,13 @@ setup_instance(struct hfcsusb *hw, struct device *parent) mISDN_freebchannel(&hw->bch[1]); mISDN_freebchannel(&hw->bch[0]); mISDN_freedchannel(&hw->dch); - kfree(hw); return err; } static int hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) { + int err; struct hfcsusb *hw; struct usb_device *dev = interface_to_usbdev(intf); struct usb_host_interface *iface = intf->cur_altsetting; 
@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id) if (!hw->ctrl_urb) { pr_warn("%s: No memory for control urb\n", driver_info->vend_name); - kfree(hw); - return -ENOMEM; + err = -ENOMEM; + goto err_free_hw; } pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n", hw->name, __func__, driver_info->vend_name, conf_str[small_match], ifnum, alt_used); - if (setup_instance(hw, dev->dev.parent)) - return -EIO; + if (setup_instance(hw, dev->dev.parent)) { + err = -EIO; + goto err_free_urb; + } hw->intf = intf; usb_set_intfdata(hw->intf, hw); return 0; + +err_free_urb: + usb_free_urb(hw->ctrl_urb); +err_free_hw: + kfree(hw); + return err; } /* function called when an active device is removed */ -- 2.34.1
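Review bot: the setup_instance() hunk drops `kfree(hw);` from that function's error path without recording the change of ownership: the callee used to free hw on failure and now the caller must. hfcsusb_probe() is adjusted for this in the following hunk, but nothing at setup_instance() states the new contract, so a later caller, or a later backport that restores the removed line, could bring back either the leak or a double free. A one-line comment above setup_instance() saying that hw stays owned by the caller on error would make the rule explicit.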
[PATCH openEuler-1.0-LTS 0/3] patchset for fixing CVE-2023-54160
by Xinyu Zheng 29 Dec '25

Pierre Gondois (1):
  firmware: arm_sdei: Fix sleep from invalid context BUG

Xinyu Zheng (1):
  firmware: arm_sdei: Fix "firmware: arm_sdei: Fix sleep from invalid context BUG" KABI issue

Xiongfeng Wang (1):
  firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state()

 drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

--
2.34.1
[PATCH OLK-6.6] [Backport] futex: Don't leak robust_list pointer on exec race
by Zhang Hongtao 29 Dec '25

From: Pranav Tyagi <pranav.tyagi03(a)gmail.com>

stable inclusion
from stable-v6.6.117
commit 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11416
CVE: CVE-2025-40341

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 ]

sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.

During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.

A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().

For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.

This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.

Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.

Suggested-by: Jann Horn <jann(a)thejh.net>
Signed-off-by: Pranav Tyagi <pranav.tyagi03(a)gmail.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann…
Link: https://github.com/KSPP/linux/issues/119
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zhang Hongtao <zhanghongtao35(a)huawei.com>
---
 kernel/futex/syscalls.c | 106 +++++++++++++++++++++-------------------
 1 file changed, 56 insertions(+), 50 deletions(-)

diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index a8074079b09e..48feaa545b3c 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -40,6 +40,56 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head, return 0; } +static inline void __user *futex_task_robust_list(struct task_struct *p, bool compat) +{ +#ifdef CONFIG_COMPAT + if (compat) + return p->compat_robust_list; +#endif + return p->robust_list; +} + +static void __user *futex_get_robust_list_common(int pid, bool compat) +{ + struct task_struct *p = current; + void __user *head; + int ret; + + scoped_guard(rcu) { + if (pid) { + p = find_task_by_vpid(pid); + if (!p) + return (void __user *)ERR_PTR(-ESRCH); + } + get_task_struct(p); + } + + /* + * Hold exec_update_lock to serialize with concurrent exec() + * so ptrace_may_access() is checked against stable credentials + */ + ret = down_read_killable(&p->signal->exec_update_lock); + if (ret) + goto err_put; + + ret = -EPERM; + if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) + goto err_unlock; + + head = futex_task_robust_list(p, compat); + + up_read(&p->signal->exec_update_lock); + put_task_struct(p); + + return head; + +err_unlock: + up_read(&p->signal->exec_update_lock); +err_put: + put_task_struct(p); + return (void __user *)ERR_PTR(ret); +} + /** * sys_get_robust_list() - Get the robust-futex list head of a task * @pid: pid of the process [zero for current task] 
@@ -50,36 +100,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, struct robust_list_head __user * __user *, head_ptr, size_t __user *, len_ptr) { - struct robust_list_head __user *head; - unsigned long ret; - struct task_struct *p; - - rcu_read_lock(); - - ret = -ESRCH; - if (!pid) - p = current; - else { - p = find_task_by_vpid(pid); - if (!p) - goto err_unlock; - } - - ret = -EPERM; - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) - goto err_unlock; + struct robust_list_head __user *head = futex_get_robust_list_common(pid, false); - head = p->robust_list; - rcu_read_unlock(); + if (IS_ERR(head)) + return PTR_ERR(head); if (put_user(sizeof(*head), len_ptr)) return -EFAULT; return put_user(head, head_ptr); - -err_unlock: - rcu_read_unlock(); - - return ret; } long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout, @@ -322,36 +350,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid, compat_uptr_t __user *, head_ptr, compat_size_t __user *, len_ptr) { - struct compat_robust_list_head __user *head; - unsigned long ret; - struct task_struct *p; - - rcu_read_lock(); - - ret = -ESRCH; - if (!pid) - p = current; - else { - p = find_task_by_vpid(pid); - if (!p) - goto err_unlock; - } - - ret = -EPERM; - if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) - goto err_unlock; + struct compat_robust_list_head __user *head = futex_get_robust_list_common(pid, true); - head = p->compat_robust_list; - rcu_read_unlock(); + if (IS_ERR(head)) + return PTR_ERR(head); if (put_user(sizeof(*head), len_ptr)) return -EFAULT; return put_user(ptr_to_compat(head), head_ptr); - -err_unlock: - rcu_read_unlock(); - - return ret; } #endif /* CONFIG_COMPAT */ -- 2.34.1
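Review bot: futex_get_robust_list_common() in the first hunk returns both the result and the error through a single `void __user *`, and both syscall bodies then test `IS_ERR(head)`. The head is whatever address the target task registered with set_robust_list(), so its value is user-controlled: a task that registers an address inside the ERR_PTR range makes get_robust_list() return that value as an errno instead of writing the pointer back with put_user(). Suggest returning an int and handing the head back through an out parameter, for example `int futex_get_robust_list_common(int pid, bool compat, void __user **head)`, which also removes the cast of ERR_PTR() to a __user pointer.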
[PATCH OLK-6.6] [backport] Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
by Zhang Hongtao 29 Dec '25

From: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru>

stable inclusion
from stable-v6.6.117
commit 5f7350ff2b179764a4f40ba4161b60b8aaef857b
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11333
CVE: CVE-2025-40294

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 8d59fba49362c65332395789fd82771f1028d87e upstream.

In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.

Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: db08722fc7d4 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH")
Cc: stable(a)vger.kernel.org
Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Hongtao <zhanghongtao35(a)huawei.com>
---
 include/net/bluetooth/mgmt.h | 2 +-
 net/bluetooth/mgmt.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index d382679efd2b..e083f0fa0113 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -774,7 +774,7 @@ struct mgmt_adv_pattern { __u8 ad_type; __u8 offset; __u8 length; - __u8 value[31]; + __u8 value[HCI_MAX_AD_LENGTH]; } __packed; #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052 
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 205aadf01513..226e266a2ec6 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -5335,9 +5335,9 @@ static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count, for (i = 0; i < pattern_count; i++) { offset = patterns[i].offset; length = patterns[i].length; - if (offset >= HCI_MAX_EXT_AD_LENGTH || - length > HCI_MAX_EXT_AD_LENGTH || - (offset + length) > HCI_MAX_EXT_AD_LENGTH) + if (offset >= HCI_MAX_AD_LENGTH || + length > HCI_MAX_AD_LENGTH || + (offset + length) > HCI_MAX_AD_LENGTH) return MGMT_STATUS_INVALID_PARAMS; p = kmalloc(sizeof(*p), GFP_KERNEL); -- 2.34.1
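Review bot: in the mgmt.h hunk, `__u8 value[HCI_MAX_AD_LENGTH];` ties the size of a __packed management-interface structure to a macro, while the commit message says the array has to stay at 31 bytes because growing it breaks userspace, and nothing in the hunk enforces that. Suggest a `static_assert(sizeof(((struct mgmt_adv_pattern *)0)->value) == 31);` next to the structure, or at least a comment naming the fixed wire size, so that a later change to HCI_MAX_AD_LENGTH fails the build instead of changing the ABI.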
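Review bot: in the parse_adv_monitor_pattern() hunk, the three comparisons bound `offset` and `length` by HCI_MAX_AD_LENGTH rather than by the buffer that is actually read, and a limit that is independent of the array is how the two drifted apart according to the commit message. Comparing against `sizeof(patterns[i].value)` would keep the check correct by construction, whatever the macro is set to later.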
[PATCH OLK-6.6] [Backport] Bluetooth: hci_event: validate skb length for unknown CC opcode
by Zhang Hongtao 29 Dec '25

From: Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com>

stable inclusion
from stable-v6.6.117
commit 779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11326
CVE: CVE-2025-40301

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

[ Upstream commit 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 ]

In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.

The fix is to check skb->len before using skb->data.

Reported-by: syzbot+a9a4bedfca6aa9d7fa24(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a9a4bedfca6aa9d7fa24
Tested-by: syzbot+a9a4bedfca6aa9d7fa24(a)syzkaller.appspotmail.com
Fixes: afcb3369f46ed ("Bluetooth: hci_event: Fix vendor (unknown) opcode status handling")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zhang Hongtao <zhanghongtao35(a)huawei.com>
---
 net/bluetooth/hci_event.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ee9cd3d34c2d..cc95c9236921 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4245,6 +4245,13 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, } if (i == ARRAY_SIZE(hci_cc_table)) { + if (!skb->len) { + bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status", + *opcode); + *status = HCI_ERROR_UNSPECIFIED; + return; + } + /* Unknown opcode, assume byte 0 contains the status, so * that e.g. __hci_cmd_sync() properly returns errors * for vendor specific commands send by HCI drivers. -- 2.34.1
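Review bot: the new `if (!skb->len)` branch calls bt_dev_err() for every command complete event that carries an unknown opcode and no payload, and that event is supplied by the controller, so a misbehaving or emulated device can flood the kernel log. Consider bt_dev_err_ratelimited() here. The early `return` also means the rest of hci_cmd_complete_evt() past the `if (i == ARRAY_SIZE(hci_cc_table))` block is not run for such events; the commit message should say that this is intended.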