[PATCH BlueZ v2 1/5] btdev: Fix checking for PA on BT_HCI_CMD_LE_TERM_BIG

[PATCH BlueZ v2 1/5] btdev: Fix checking for PA on BT_HCI_CMD_LE_TERM_BIG

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

BT_HCI_CMD_LE_TERM_BIG does not require PA to be enabled.
---
 emulator/btdev.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 3747eaaef842..5dd7d099432c 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -6542,14 +6542,6 @@ static int cmd_term_big(struct btdev *dev, const void *data, uint8_t len)
 	struct le_big *big;
 	uint8_t status = BT_HCI_ERR_SUCCESS;
 
-	/* Check that PA advertising is enabled othewise it is not possible to
-	 * have a BIG.
-	 */
-	if (!dev->le_pa_enable) {
-		status = BT_HCI_ERR_UNKNOWN_ADVERTISING_ID;
-		goto done;
-	}
-
 	/* If the BIG_Handle does not identify a BIG, the Controller shall
 	 * return the error code Unknown Advertising Identifier (0x42).
 	 */
-- 
2.50.1

[PATCH BlueZ v2 2/5] bap: Fix crash when Broadcast endpoint exit

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The following crash can be observed when a Broadcast endpoint exit
when a bap_setup exists:

Invalid read of size 8
   at 0x4075B30: set_configuration_ready (bap.c:1120)
   by 0x40766C3: setup_ready (bap.c:748)
   by 0x407809C: setup_free (bap.c:998)
   by 0x4078301: bap_state_bcast_src (bap.c:3012)
   by 0x41319DF: bap_bcast_set_state (bap.c:2392)
   by 0x412CFFC: stream_set_state (bap.c:1537)
   by 0x4131AA3: bap_bcast_set_state (bap.c:2404)
   by 0x412CFFC: stream_set_state (bap.c:1537)
   by 0x412D0E6: bap_bcast_release (bap.c:2543)
   by 0x41314EF: bt_bap_stream_release (bap.c:6518)
   by 0x4131607: remove_lpac_streams (bap.c:4348)
   by 0x4108444: queue_foreach (queue.c:207)
 Address 0x56f7758 is 8 bytes inside a block of size 16 free'd
   at 0x4B85E43: free (vg_replace_malloc.c:989)
   by 0x407472D: setup_config (bap.c:1778)
   by 0x407A869: set_configuration (bap.c:1175)
   by 0x4102A8F: process_message (object.c:293)
---
 profiles/audio/bap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index f39a4045813d..d90d39bdc134 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -1783,6 +1783,10 @@ static int setup_config(struct bap_setup *setup, bap_setup_ready_func_t cb,
 		bt_bap_stream_metadata(setup->stream, setup->metadata, NULL,
 								NULL);
 
+	/* Don't set ready* field if there is no callback pending */
+	if (!setup->id)
+		return 0;
+
 	setup->readying = true;
 	setup->ready_cb = cb;
 	setup->ready_cb_data = user_data;
-- 
2.50.1

[PATCH BlueZ v2 3/5] iso-tester: Add Reconnect test for Broadcaster

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This adds the following test:

ISO Broadcaster Reconnect
---
 tools/iso-tester.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tools/iso-tester.c b/tools/iso-tester.c
index 40465a5f7cc5..7c0cfc408952 100644
--- a/tools/iso-tester.c
+++ b/tools/iso-tester.c
@@ -1420,6 +1420,15 @@ static const struct iso_client_data bcast_16_2_1_send_sid1 = {
 	.sid = 0x01,
 };
 
+static const struct iso_client_data bcast_16_2_1_reconnect = {
+	.qos = QOS_OUT_16_2_1,
+	.expect_err = 0,
+	.bcast = true,
+	.base = base_lc3_16_2_1,
+	.base_len = sizeof(base_lc3_16_2_1),
+	.disconnect = true,
+};
+
 static const struct iso_client_data bcast_16_2_1_recv = {
 	.qos = QOS_IN_16_2_1,
 	.expect_err = 0,
@@ -3477,6 +3486,14 @@ static void test_bcast(const void *test_data)
 	setup_connect(data, 0, iso_connect_cb);
 }
 
+static void test_bcast_reconnect(const void *test_data)
+{
+	struct test_data *data = tester_get_data();
+
+	data->reconnect = true;
+	setup_connect(data, 0, iso_connect_cb);
+}
+
 static void test_bcast2(const void *test_data)
 {
 	struct test_data *data = tester_get_data();
@@ -3942,6 +3959,9 @@ int main(int argc, char *argv[])
 	test_iso("ISO Broadcaster SID 0x01 - Success", &bcast_16_2_1_send_sid1,
 							setup_powered,
 							test_bcast);
+	test_iso("ISO Broadcaster Reconnect - Success", &bcast_16_2_1_reconnect,
+							setup_powered,
+							test_bcast_reconnect);
 
 	test_iso("ISO Broadcaster Receiver - Success", &bcast_16_2_1_recv,
 							setup_powered,
-- 
2.50.1

[PATCH BlueZ v2 4/5] bap: Fix possible crash with Broadcast Sink

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

If the remote terminates the BIG Sync the following crash is observed:

Process terminating with default action of signal 11 (SIGSEGV)
 Access not within mapped region at address 0x8
   at 0x40781C6: setup_free (bap.c:1024)
   by 0x4078EB8: bap_state_bcast_sink (bap.c:3118)
   by 0x41319DF: bap_bcast_set_state (bap.c:2392)
   by 0x412CFFC: stream_set_state (bap.c:1537)
   by 0x4131CBA: stream_io_disconnected (bap.c:6597)
   by 0x414A079: watch_callback (io-glib.c:173)
   by 0x4149EE9: io_err_watch_dispatch (io-glib.c:380)
   by 0x4C9587F: ??? (in /usr/lib64/libglib-2.0.so.0.8400.3)
   by 0x4C9E7C7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.3)
   by 0x4C9EA6E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.3)
   by 0x414ABED: mainloop_run (mainloop-glib.c:65)
   by 0x414B1C4: mainloop_run_with_signal (mainloop-notify.c:196)
---
 profiles/audio/bap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index d90d39bdc134..3dc4cd92e9ac 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -1021,7 +1021,8 @@ static void setup_free(void *data)
 
 	release_stream(setup->stream);
 
-	bap_update_cigs(setup->ep->data);
+	if (setup->ep)
+		bap_update_cigs(setup->ep->data);
 
 	free(setup);
 }
-- 
2.50.1

[PATCH BlueZ v2 5/5] btdev: Fix sending BT_HCI_EVT_LE_BIG_SYNC_LOST with wrong BIG handle

[Luiz Augusto von Dentz]

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

BT_HCI_EVT_LE_BIG_SYNC_LOST must be sent with the BIG handle used by the
remote peer which may be different than the one use with
BT_HCI_CMD_LE_TERM_BIG.
---
 emulator/btdev.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 5dd7d099432c..6833d4d51920 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -6561,6 +6561,14 @@ done:
 	return 0;
 }
 
+static bool match_bis(const void *data, const void *match_data)
+{
+	const struct le_big *big = data;
+	const struct btdev_conn *conn = match_data;
+
+	return queue_find(big->bis, NULL, conn);
+}
+
 static int cmd_term_big_complete(struct btdev *dev, const void *data,
 							uint8_t len)
 {
@@ -6593,13 +6601,17 @@ static int cmd_term_big_complete(struct btdev *dev, const void *data,
 		if (conn->link->dev != remote) {
 			struct bt_hci_evt_le_big_sync_lost evt;
 
-			memset(&evt, 0, sizeof(evt));
-			evt.big_handle = cmd->handle;
-			evt.reason = cmd->reason;
-
 			remote = conn->link->dev;
-			le_meta_event(remote, BT_HCI_EVT_LE_BIG_SYNC_LOST,
-				      &evt, sizeof(evt));
+
+			big = queue_find(remote->le_big, match_bis, conn->link);
+			if (big) {
+				memset(&evt, 0, sizeof(evt));
+				evt.big_handle = big->handle;
+				evt.reason = cmd->reason;
+				le_meta_event(remote,
+						BT_HCI_EVT_LE_BIG_SYNC_LOST,
+						&evt, sizeof(evt));
+			}
 		}
 
 		/* Unlink conn from remote BIS */
-- 
2.50.1

RE: [BlueZ,v2,1/5] btdev: Fix checking for PA on BT_HCI_CMD_LE_TERM_BIG

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1491 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=986829

---Test result---

Test Summary:
CheckPatch                    PENDING   0.30 seconds
GitLint                       PENDING   0.33 seconds
BuildEll                      PASS      20.19 seconds
BluezMake                     PASS      2666.12 seconds
MakeCheck                     PASS      20.27 seconds
MakeDistcheck                 PASS      184.76 seconds
CheckValgrind                 PASS      236.29 seconds
CheckSmatch                   WARNING   306.23 seconds
bluezmakeextell               PASS      128.25 seconds
IncrementalBuild              PENDING   0.29 seconds
ScanBuild                     PASS      920.63 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/btdev.c:456:29: warning: Variable length array is used.emulator/btdev.c:456:29: warning: Variable length array is used.
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH BlueZ v2 1/5] btdev: Fix checking for PA on BT_HCI_CMD_LE_TERM_BIG

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 29 Jul 2025 15:22:02 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> BT_HCI_CMD_LE_TERM_BIG does not require PA to be enabled.
> ---
>  emulator/btdev.c | 8 --------
>  1 file changed, 8 deletions(-)

Here is the summary with links:
  - [BlueZ,v2,1/5] btdev: Fix checking for PA on BT_HCI_CMD_LE_TERM_BIG
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=280c9523a490
  - [BlueZ,v2,2/5] bap: Fix crash when Broadcast endpoint exit
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=165e57e744e6
  - [BlueZ,v2,3/5] iso-tester: Add Reconnect test for Broadcaster
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=13e0776cef76
  - [BlueZ,v2,4/5] bap: Fix possible crash with Broadcast Sink
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=077de3f8639f
  - [BlueZ,v2,5/5] btdev: Fix sending BT_HCI_EVT_LE_BIG_SYNC_LOST with wrong BIG handle
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=f086b3d27c41

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html