Linux bluetooth development
 help / color / mirror / Atom feed
* [Bug 221552] New: btmtk: MT7921 (USB 0e8d:e020 / PCI 14c3:7920) Bluetooth broken since 7.0.7 - fix for 0489:e0e2 does not cover this PID
From: bugzilla-daemon @ 2026-05-19 17:29 UTC (permalink / raw)
  To: linux-bluetooth

https://bugzilla.kernel.org/show_bug.cgi?id=221552

            Bug ID: 221552
           Summary: btmtk: MT7921 (USB 0e8d:e020 / PCI 14c3:7920)
                    Bluetooth broken since 7.0.7 - fix for 0489:e0e2 does
                    not cover this PID
           Product: Drivers
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: blocking
          Priority: P3
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: gagnieux.virgil@proton.me
        Regression: No

Created attachment 310159
  --> https://bugzilla.kernel.org/attachment.cgi?id=310159&action=edit
dmesg kernel (from 7.0.9-hardened1-1-hardened)

Regression: Bluetooth controller fails to initialise on a MediaTek MT7921
(Legion Pro 5 16ADR10, Realtek-branded module) since kernel 7.0.7.
Last known good: 7.0.6. Same dmesg symptom as the regression already
patched for USB ID 0489:e0e2, but the fix does NOT resolve it for this
device (USB 0e8d:e020), which suggests the patch missed a code path or
device-ID entry.

Hardware
--------
lspci -nnk:
  03:00.0 Network controller [0280]: MEDIATEK Corp. Device [14c3:7920]
        DeviceName: Realtek
        Subsystem: Lenovo Device [17aa:e020]
        Kernel driver in use: mt7921e

lsusb:
  Bus 003 Device 006: ID 0e8d:e020 MediaTek Inc. Wireless_Device

Kernels tested
--------------
7.0.6                    : Bluetooth works
7.0.8 / 7.0.9 (mainline) : broken
7.0.9-hardened1-1        : broken (linux-hardened — current)
  This build includes the backport
  https://github.com/anthraxx/linux-hardened/commit/<…81d80fcd09>
  which adds the fix for USB ID 0489:e0e2. It does NOT fix 0e8d:e020.

uname -r : 7.0.9-hardened1-1-hardened

dmesg (from kernel 7.0.9, relevant lines)
-----------------------------------------
[   23.898011] Bluetooth: Core ver 2.22
[   23.898032] NET: Registered PF_BLUETOOTH protocol family
[   23.898033] Bluetooth: HCI device and connection manager initialized
[   23.898041] Bluetooth: HCI socket layer initialized
[   23.898043] Bluetooth: L2CAP socket layer initialized
[   23.898045] Bluetooth: SCO socket layer initialized
[   24.800153] Bluetooth: hci0: HW/SW Version: 0x008a008a, Build Time:
20260224111231
[   24.922472] Bluetooth: hci0: Failed to send wmt func ctrl (-22)
[   24.922477] Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection
                command is advertised, but not supported.
[   25.517793] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[   25.517796] Bluetooth: BNEP filters: protocol multicast
[   25.517800] Bluetooth: BNEP socket layer initialized

Userspace state
---------------
bluetoothctl list  → (no output)
bluetoothctl show  → No default controller available

Module
------
modinfo btmtk:
  filename:
/lib/modules/7.0.9-hardened1-1-hardened/kernel/drivers/bluetooth/btmtk.ko.zst
  firmware: mediatek/mt7925/BT_RAM_CODE_MT7925_1_1_hdr.bin
  firmware: mediatek/BT_RAM_CODE_MT7961_1_2_hdr.bin
  firmware: mediatek/BT_RAM_CODE_MT7922_1_1_hdr.bin
  firmware: mediatek/mt7668pr2h.bin

Versions (Arch Linux)
---------------------
linux-firmware           : 20260410-1
linux-firmware-mediatek  : 20260410-1
bluez                    : 5.86-6

Steps to reproduce
------------------
1. Boot kernel >= 7.0.7 on a system with MediaTek 14c3:7920 / USB 0e8d:e020.
2. Bluetooth controller fails to initialise; -EINVAL (-22) on wmt func ctrl.

Expected
--------
Controller comes up, same as on 7.0.6.

Related
-------
- Arch forum thread: https://bbs.archlinux.org/viewtopic.php?id=313552
- Same symptom, different PID 0489:e0d8:
  https://bbs.archlinux.org/viewtopic.php?id=313561
- Existing fix that targets 0489:e0e2 only:
 
https://github.com/anthraxx/linux-hardened/commit/d019930b0049fc2648a6b279893d8ad330596e81
  (does not cover USB ID 0e8d:e020 — a second device-ID / code-path entry
  appears to be needed)

I can test patches.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply

* Re: [GIT PULL] bluetooth 2026-05-14
From: August Wikerfors @ 2026-05-19 17:37 UTC (permalink / raw)
  To: Luiz Augusto von Dentz, Greg KH
  Cc: Thorsten Leemhuis, stable@vger.kernel.org, Sasha Levin,
	linux-bluetooth, netdev, davem, kuba,
	Linux kernel regressions list, Linus Torvalds
In-Reply-To: <CABBYNZKzWgL3nmeA=CtN9s80LRyDiJ97aQXgvfSm9vYUBw_SpA@mail.gmail.com>

On 2026-05-19 17:49, Luiz Augusto von Dentz wrote:
> Hi Greg,
> 
> On Tue, May 19, 2026 at 11:19 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>>
>> On Tue, May 19, 2026 at 09:44:39AM -0400, Luiz Augusto von Dentz wrote:
>>> Hi Greg,
>>>
>>> On Tue, May 19, 2026 at 8:07 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>>>>
>>>> On Tue, May 19, 2026 at 12:53:49PM +0200, Thorsten Leemhuis wrote:
>>>>> On 5/19/26 12:30, Greg KH wrote:
>>>>>> On Tue, May 19, 2026 at 09:04:38AM +0200, Thorsten Leemhuis wrote:
>>>>>>> On 5/15/26 17:10, Thorsten Leemhuis wrote:
>>>>>>>> On 5/14/26 19:23, Luiz Augusto von Dentz wrote:
>>>>>>>>
>>>>>>>>> The following changes since commit c78bdba7b9666020c0832150a4fc4c0aebc7c6ac:
>>>>>>>>>    net: phy: DP83TC811: add reading of abilities (2026-05-14 15:17:12 +0200)
>>>>>>>>>
>>>>>>>>> are available in the Git repository at:
>>>>>>>>>
>>>>>>>>>    git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git tags/for-net-2026-05-14
>>>>>>>>>
>>>>>>>>> for you to fetch changes up to 375ba7484132662a4a8c7547d088fb6275c00282:
>>>>>>>>>
>>>>>>>>>    Bluetooth: hci_qca: Convert timeout from jiffies to ms (2026-05-14 09:58:08 -0400)
>>>>>>>>
>>>>>>>> It seems this PR sadly came too late for this week's net PR to mainline
>>>>>>>> that was merged yesterday.
>>>>>>>>
>>>>>>>> TWIMC, from my point of view, it would be great if we somehow could
>>>>>>>> still get the changes from this PR or at least the btmtk fix it
>>>>>>>> contains[1] to mainline this week before -rc4, as it is fixing a
>>>>>>>> regression known since 2026-04-24 that at least five people encountered
>>>>>>>> with mainline since -rc3 due to 634a4408c0615c ("Bluetooth: btmtk:
>>>>>>>> validate WMT event SKB length before struct access") [006b9943b982 in
>>>>>>>> -next].
>>>>>>>
>>>>>>> Greg, Sasha, that [1] fix I was talking about now reached -next as
>>>>>>> 162b1adeb057d2 ("Bluetooth: btmtk: accept too short WMT FUNC_CTRL
>>>>>>> events") and will likely hit mainline on Thursday or so with the weekly
>>>>>>> -net PR to -mainline. If that's good enough for you, I'd say it would be
>>>>>>> good to pick this up for the next round of stable kernels.
>>>>>>
>>>>>> That "Fixes:" tag is referring to something that is also not in any
>>>>>> tree, but that commit does have a cc: stable in it.  So do we need both
>>>>>> of these:
>>>>>
>>>>> Valid question, as yes, there is a slight mixup here:
>>>>>
>>>>>> 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
>>>>>
>>>>> That is already in v7.0.7, v6.18.30, v6.12.88, as 041e88fb0c08 is the
>>>>> -next commit-id for mainline commit-id 634a4408c0615c ("Bluetooth:
>>>>> btmtk: validate WMT event SKB length before struct access") -- the one
>>>>> that is causing the regression that I want to get fixed. So we now only
>>>>> need:
>>>>>
>>>>>> 162b1adeb057 ("Bluetooth: btmtk: accept too short WMT FUNC_CTRL events")
>>>>
>>>> Ok, but that "Fixes:" tag pointing to an invalid commit is going to be a
>>>> nightmare to track over time, ugh.
>>>
>>> Hmm, did we get the wrong hash or something? Usually, that would show
>>> up in the verify-fixes.sh, but perhaps it didn't capture it this time
>>> for some reason, perhaps I'm running an outdated version or something
>>> similar.
>>
>> Something went wrong if we ended up with a patch in the stable trees,
>> yet this fix is referring to it as a different git sha.  Don't know
>> where the disconnect happend :(
> 
> 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before
> struct access")
> 
> I don't have that in any of our tree either, this is actually
> 634a4408c061 on all trees in the chain:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git/commit/?id=634a4408c061
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=634a4408c061
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=634a4408c061
> 
> Or actually that was the hash before it got rebased on bluetooth-next tree:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=041e88fb0c08
> 
> But I didn't send the PR from that three so perhaps somebody else sent
> it to stable with the wrong fixes tag?
I believe the confusion comes from "Bluetooth: btmtk: accept too short 
WMT FUNC_CTRL events" itself currently having different commit hashes in 
bluetooth (e3ac0d9f1a20) and bluetooth-next (162b1adeb057). The former 
correctly refers to "Bluetooth: btmtk: validate WMT event SKB length 
before struct access" as 634a4408c061 in the Fixes tag and was merged 
into net yesterday heading for 7.1-rc5. The latter still refers to it as 
041e88fb0c08. Both are now in next-20260519 but only the latter was in 
next-20260518 which was the latest at the time of Thorsten's message.

Greg, this means picking e3ac0d9f1a20 instead of 162b1adeb057 should 
result in a valid Fixes tag.

Regards,
August Wikerfors

^ permalink raw reply

* [Bug 221547] MT7902 Bluetooth: Failed to send wmt func ctrl (-22) regression in 6.18.31 and 6.12.32
From: bugzilla-daemon @ 2026-05-19 17:39 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <bug-221547-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=221547

--- Comment #2 from ljotom (olle@vixit.nu) ---

Yes, the patch fixes the issue for me as well. Device: Foxconn/Hon Hai
0489:e0f5 (MT7902). Tested on Arch Linux with linux-lts 6.12.32, manually
applied the patch and rebuilt the kernel. Bluetooth works correctly, no "Failed
to send wmt func ctrl (-22)" in dmesg.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply

* RE: [RFC] Bluetooth: btusb: wait for rx_work before freeing data on disconnect
From: bluez.test.bot @ 2026-05-19 17:51 UTC (permalink / raw)
  To: linux-bluetooth, kernel
In-Reply-To: <20260519154431.13471-1-kernel@phwe.de>

[-- Attachment #1: Type: text/plain, Size: 882 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1097482

---Test result---

Test Summary:
CheckPatch                    PASS      0.83 seconds
GitLint                       PASS      0.33 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      25.52 seconds
CheckAllWarning               PASS      27.59 seconds
CheckSparse                   PASS      26.62 seconds
BuildKernel32                 PASS      24.53 seconds
TestRunnerSetup               PASS      529.44 seconds
IncrementalBuild              PASS      24.21 seconds



https://github.com/bluez/bluetooth-next/pull/217

---
Regards,
Linux Bluetooth


^ permalink raw reply

* Re: [PATCH BlueZ] media: use custom DBus timeouts only when remote side is waiting
From: Luiz Augusto von Dentz @ 2026-05-19 18:17 UTC (permalink / raw)
  To: Pauli Virtanen; +Cc: linux-bluetooth
In-Reply-To: <60b9da865b9beb482f914818c31866ebb00960f7.1779011736.git.pav@iki.fi>

Hi Pauli,

On Sun, May 17, 2026 at 5:59 AM Pauli Virtanen <pav@iki.fi> wrote:
>
> Under high system load (VM instance on boot) it's observed the 3 sec
> timeout BlueZ uses for BAP broadcast SetConfiguration may be missed by
> Wireplumber, as these are set up immediately on startup together with
> any other setup (eg ALSA) that may need time.
>
> There's no actual need for using a short custom timeout in BlueZ for
> this, as in this case there is no remote side that is waiting for a reply.
>
> Fix by limiting custom timeouts to cases where there is a waiting
> remote.  A2DP-specific timeout should be used only for A2DP
> SetConfiguration.  Similarly, using timeout for BAP only makes sense for
> unicast, and should derive from the ATT timeout.
> ---
>  profiles/audio/media.c | 25 +++++++++++++++++--------
>  1 file changed, 17 insertions(+), 8 deletions(-)
>
> diff --git a/profiles/audio/media.c b/profiles/audio/media.c
> index cdaafb04e..0297e4c79 100644
> --- a/profiles/audio/media.c
> +++ b/profiles/audio/media.c
> @@ -71,7 +71,11 @@
>  #define MEDIA_ENDPOINT_INTERFACE "org.bluez.MediaEndpoint1"
>  #define MEDIA_PLAYER_INTERFACE "org.mpris.MediaPlayer2.Player"
>
> -#define REQUEST_TIMEOUT (3 * 1000)             /* 3 seconds */
> +/* Timeout should be less than avdtp request timeout (4 seconds) */
> +#define A2DP_REQUEST_TIMEOUT_MSEC      (3 * 1000)
> +
> +/* Timeout should be less than ATT timeout (30 seconds) */
> +#define BAP_REQUEST_TIMEOUT_MSEC       (20 * 1000)

Is there any particular reason for this to be so long? We don't have
any custom timeout other than ATT, in the other hand, I'd rather not
wait 20 seconds for the endpoint to respond. 3 seconds might be too
short depending on the environment but in a real environment, even one
second to respond sounds plenty. Perhaps we should only use such a
high timeout if testing has been set which hints that the environment
may have been modified to allow the testing harness.

>
>  struct media_app {
>         struct media_adapter    *adapter;
> @@ -465,16 +469,16 @@ static gboolean media_endpoint_async_call(DBusMessage *msg,
>                                         struct media_transport *transport,
>                                         media_endpoint_cb_t cb,
>                                         void *user_data,
> -                                       GDestroyNotify destroy)
> +                                       GDestroyNotify destroy,
> +                                       int timeout_msec)
>  {
>         struct endpoint_request *request;
>
>         request = g_new0(struct endpoint_request, 1);
>
> -       /* Timeout should be less than avdtp request timeout (4 seconds) */
>         if (g_dbus_send_message_with_reply(btd_get_dbus_connection(),
>                                                 msg, &request->call,
> -                                               REQUEST_TIMEOUT) == FALSE) {
> +                                               timeout_msec) == FALSE) {
>                 error("D-Bus send failed");
>                 g_free(request);
>                 return FALSE;
> @@ -521,7 +525,7 @@ static gboolean select_configuration(struct media_endpoint *endpoint,
>                                         DBUS_TYPE_INVALID);
>
>         return media_endpoint_async_call(msg, endpoint, NULL,
> -                                               cb, user_data, destroy);
> +                                               cb, user_data, destroy, -1);
>  }
>
>  static int transport_device_cmp(gconstpointer data, gconstpointer user_data)
> @@ -604,7 +608,8 @@ static gboolean set_configuration(struct media_endpoint *endpoint,
>         g_dbus_get_properties(conn, path, "org.bluez.MediaTransport1", &iter);
>
>         return media_endpoint_async_call(msg, endpoint, transport,
> -                                               cb, user_data, destroy);
> +                                               cb, user_data, destroy,
> +                                               A2DP_REQUEST_TIMEOUT_MSEC);
>  }
>  #endif
>
> @@ -1093,7 +1098,7 @@ static int pac_select(struct bt_bap_pac *lpac, struct bt_bap_pac *rpac,
>         dbus_message_iter_close_container(&iter, &dict);
>
>         if (!media_endpoint_async_call(msg, endpoint, NULL, pac_select_cb,
> -                                                               data, free))
> +                                                               data, free, -1))
>                 return -EIO;
>
>         return 0;
> @@ -1233,6 +1238,7 @@ static int pac_config(struct bt_bap_stream *stream, struct iovec *cfg,
>         DBusMessage *msg;
>         DBusMessageIter iter;
>         const char *path;
> +       int timeout_msec;
>
>         DBG("endpoint %p stream %p", endpoint, stream);
>
> @@ -1243,9 +1249,11 @@ static int pac_config(struct bt_bap_stream *stream, struct iovec *cfg,
>         switch (bt_bap_stream_get_type(stream)) {
>         case BT_BAP_STREAM_TYPE_UCAST:
>                 transport = pac_ucast_config(stream, cfg, endpoint);
> +               timeout_msec = BAP_REQUEST_TIMEOUT_MSEC;
>                 break;
>         case BT_BAP_STREAM_TYPE_BCAST:
>                 transport = pac_bcast_config(stream, cfg, endpoint);
> +               timeout_msec = -1;
>                 break;
>         default:
>                 transport = NULL;
> @@ -1279,7 +1287,8 @@ static int pac_config(struct bt_bap_stream *stream, struct iovec *cfg,
>         g_dbus_get_properties(conn, path, "org.bluez.MediaTransport1", &iter);
>
>         if (!media_endpoint_async_call(msg, endpoint, transport,
> -                                               pac_config_cb, data, free))
> +                                               pac_config_cb, data, free,
> +                                               timeout_msec))
>                 return -EIO;
>
>         return 0;
> --
> 2.54.0
>
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply

* [PATCH v3] Bluetooth: RFCOMM: add minimum length check in rfcomm_recv_frame
From: Muhammad Bilal @ 2026-05-19 18:17 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: netdev, linux-kernel, Marcel Holtmann, Luiz Augusto von Dentz,
	Kees Cook, Jakub Kicinski, stable, Muhammad Bilal
In-Reply-To: <20260519042017.29564-1-meatuni001@gmail.com>

rfcomm_recv_frame() casts skb->data to struct rfcomm_hdr * and
immediately dereferences hdr->addr and hdr->ctrl without first
validating that skb->len is large enough to hold the header. A
remote device can send a crafted short RFCOMM frame over L2CAP to
trigger an out-of-bounds read before any session state is checked.

The FCS trimming code that follows compounds the problem:

        skb->len--; skb->tail--;

If skb->len is already zero the decrement wraps to UINT_MAX, causing
skb_tail_pointer() to return a pointer far outside the skb and
producing a second out-of-bounds read when the FCS byte is consumed.

Replace the open-coded cast with skb_pull_data() which validates
skb->len against sizeof(*hdr) and advances skb->data atomically.
Save the original skb->data as frame_start before the pull so that
__check_fcs() receives the header bytes as required by the RFCOMM
FCS specification. Guard against a missing FCS byte with an explicit
skb->len < 1 check. Replace the unsafe skb->tail decrement and
skb_tail_pointer() call with a direct end-of-data index and skb_trim().

Note: SeungJu Cheon posted a related patch that adds equivalent
length checks inside the individual MCC sub-handlers
(rfcomm_recv_pn, rfcomm_recv_rpn, rfcomm_recv_rls, rfcomm_recv_msc,
rfcomm_recv_mcc). That fix and this one are complementary and
independent; neither subsumes the other.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>

---
v3:
 - Replace open-coded cast with skb_pull_data() per Luiz's review
 - Save frame_start before skb_pull_data(); pass it to __check_fcs()
   to preserve correct FCS validation over the header bytes
 - Replace skb->tail decrement with skb_trim() per Luiz's review
v2:
 - Fix GitLint B3: replace tab with spaces in commit body
 - Add Cc: stable@vger.kernel.org
---
 net/bluetooth/rfcomm/core.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index d11bd5337..66eee8a86 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1741,23 +1741,29 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
 						struct sk_buff *skb)
 {
-	struct rfcomm_hdr *hdr = (void *) skb->data;
+	struct rfcomm_hdr *hdr;
+	u8 *frame_start;
 	u8 type, dlci, fcs;
 
 	if (!s) {
-		/* no session, so free socket data */
 		kfree_skb(skb);
 		return s;
 	}
 
+	frame_start = skb->data;
+	hdr = skb_pull_data(skb, sizeof(*hdr));
+	if (!hdr || skb->len < 1) {
+		kfree_skb(skb);
+		return s;
+	}
 	dlci = __get_dlci(hdr->addr);
 	type = __get_type(hdr->ctrl);
 
 	/* Trim FCS */
-	skb->len--; skb->tail--;
-	fcs = *(u8 *)skb_tail_pointer(skb);
+	fcs = skb->data[skb->len - 1];
+	skb_trim(skb, skb->len - 1);
 
-	if (__check_fcs(skb->data, type, fcs)) {
+	if (__check_fcs(frame_start, type, fcs)) {
 		BT_ERR("bad checksum in packet");
 		kfree_skb(skb);
 		return s;
-- 
2.54.0


^ permalink raw reply related

* Re: [PATCH v3] Bluetooth: RFCOMM: add minimum length check in rfcomm_recv_frame
From: Luiz Augusto von Dentz @ 2026-05-19 18:25 UTC (permalink / raw)
  To: Muhammad Bilal
  Cc: linux-bluetooth, netdev, linux-kernel, Marcel Holtmann, Kees Cook,
	Jakub Kicinski, stable
In-Reply-To: <20260519181749.15746-1-meatuni001@gmail.com>

Hi Muhammad,

On Tue, May 19, 2026 at 2:18 PM Muhammad Bilal <meatuni001@gmail.com> wrote:
>
> rfcomm_recv_frame() casts skb->data to struct rfcomm_hdr * and
> immediately dereferences hdr->addr and hdr->ctrl without first
> validating that skb->len is large enough to hold the header. A
> remote device can send a crafted short RFCOMM frame over L2CAP to
> trigger an out-of-bounds read before any session state is checked.
>
> The FCS trimming code that follows compounds the problem:
>
>         skb->len--; skb->tail--;
>
> If skb->len is already zero the decrement wraps to UINT_MAX, causing
> skb_tail_pointer() to return a pointer far outside the skb and
> producing a second out-of-bounds read when the FCS byte is consumed.
>
> Replace the open-coded cast with skb_pull_data() which validates
> skb->len against sizeof(*hdr) and advances skb->data atomically.
> Save the original skb->data as frame_start before the pull so that
> __check_fcs() receives the header bytes as required by the RFCOMM
> FCS specification. Guard against a missing FCS byte with an explicit
> skb->len < 1 check. Replace the unsafe skb->tail decrement and
> skb_tail_pointer() call with a direct end-of-data index and skb_trim().
>
> Note: SeungJu Cheon posted a related patch that adds equivalent
> length checks inside the individual MCC sub-handlers
> (rfcomm_recv_pn, rfcomm_recv_rpn, rfcomm_recv_rls, rfcomm_recv_msc,
> rfcomm_recv_mcc). That fix and this one are complementary and
> independent; neither subsumes the other.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
>
> ---
> v3:
>  - Replace open-coded cast with skb_pull_data() per Luiz's review
>  - Save frame_start before skb_pull_data(); pass it to __check_fcs()
>    to preserve correct FCS validation over the header bytes
>  - Replace skb->tail decrement with skb_trim() per Luiz's review
> v2:
>  - Fix GitLint B3: replace tab with spaces in commit body
>  - Add Cc: stable@vger.kernel.org
> ---
>  net/bluetooth/rfcomm/core.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index d11bd5337..66eee8a86 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1741,23 +1741,29 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
>  static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
>                                                 struct sk_buff *skb)
>  {
> -       struct rfcomm_hdr *hdr = (void *) skb->data;
> +       struct rfcomm_hdr *hdr;
> +       u8 *frame_start;
>         u8 type, dlci, fcs;
>
>         if (!s) {
> -               /* no session, so free socket data */

Doesn't seem relevant to remove this comment.

>                 kfree_skb(skb);
>                 return s;
>         }
>
> +       frame_start = skb->data;
> +       hdr = skb_pull_data(skb, sizeof(*hdr));
> +       if (!hdr || skb->len < 1) {
> +               kfree_skb(skb);
> +               return s;
> +       }

Add a empty line after if blocks.

>         dlci = __get_dlci(hdr->addr);
>         type = __get_type(hdr->ctrl);
>
>         /* Trim FCS */
> -       skb->len--; skb->tail--;
> -       fcs = *(u8 *)skb_tail_pointer(skb);
> +       fcs = skb->data[skb->len - 1];
> +       skb_trim(skb, skb->len - 1);
>
> -       if (__check_fcs(skb->data, type, fcs)) {
> +       if (__check_fcs(frame_start, type, fcs)) {
>                 BT_ERR("bad checksum in packet");
>                 kfree_skb(skb);
>                 return s;
> --
> 2.54.0

Other than that looks good.


-- 
Luiz Augusto von Dentz

^ permalink raw reply

* [PATCH v4] Bluetooth: RFCOMM: add minimum length check in rfcomm_recv_frame
From: Muhammad Bilal @ 2026-05-19 18:48 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: netdev, linux-kernel, Marcel Holtmann, Luiz Augusto von Dentz,
	Kees Cook, Jakub Kicinski, stable, Muhammad Bilal
In-Reply-To: <20260519042017.29564-1-meatuni001@gmail.com>

rfcomm_recv_frame() casts skb->data to struct rfcomm_hdr * and
immediately dereferences hdr->addr and hdr->ctrl without first
validating that skb->len is large enough to hold the header. A
remote device can send a crafted short RFCOMM frame over L2CAP to
trigger an out-of-bounds read before any session state is checked.

The FCS trimming code that follows compounds the problem:

        skb->len--; skb->tail--;

If skb->len is already zero the decrement wraps to UINT_MAX, causing
skb_tail_pointer() to return a pointer far outside the skb and
producing a second out-of-bounds read when the FCS byte is consumed.

Replace the open-coded cast with skb_pull_data() which validates
skb->len against sizeof(*hdr) and advances skb->data atomically.
Save the original skb->data as frame_start before the pull so that
__check_fcs() receives the header bytes as required by the RFCOMM
FCS specification. Guard against a missing FCS byte with an explicit
skb->len < 1 check. Replace the unsafe skb->tail decrement and
skb_tail_pointer() call with a direct end-of-data index and skb_trim().

Note: SeungJu Cheon posted a related patch that adds equivalent
length checks inside the individual MCC sub-handlers
(rfcomm_recv_pn, rfcomm_recv_rpn, rfcomm_recv_rls, rfcomm_recv_msc,
rfcomm_recv_mcc). That fix and this one are complementary and
independent; neither subsumes the other.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>

---
v4:
 - Keep no-session comment and add blank line after header/len guard
v3:
 - Replace open-coded cast with skb_pull_data() per Luiz's review
 - Save frame_start before skb_pull_data(); pass it to __check_fcs()
   to preserve correct FCS validation over the header bytes
 - Replace skb->tail decrement with skb_trim() per Luiz's review
v2:
 - Fix GitLint B3: replace tab with spaces in commit body
 - Add Cc: stable@vger.kernel.org
---
 net/bluetooth/rfcomm/core.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index d11bd5337..e78ce11fa 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1741,7 +1741,8 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
 						struct sk_buff *skb)
 {
-	struct rfcomm_hdr *hdr = (void *) skb->data;
+	struct rfcomm_hdr *hdr;
+	u8 *frame_start;
 	u8 type, dlci, fcs;
 
 	if (!s) {
@@ -1750,14 +1751,21 @@ static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
 		return s;
 	}
 
+	frame_start = skb->data;
+	hdr = skb_pull_data(skb, sizeof(*hdr));
+	if (!hdr || skb->len < 1) {
+		kfree_skb(skb);
+		return s;
+	}
+
 	dlci = __get_dlci(hdr->addr);
 	type = __get_type(hdr->ctrl);
 
 	/* Trim FCS */
-	skb->len--; skb->tail--;
-	fcs = *(u8 *)skb_tail_pointer(skb);
+	fcs = skb->data[skb->len - 1];
+	skb_trim(skb, skb->len - 1);
 
-	if (__check_fcs(skb->data, type, fcs)) {
+	if (__check_fcs(frame_start, type, fcs)) {
 		BT_ERR("bad checksum in packet");
 		kfree_skb(skb);
 		return s;
-- 
2.54.0


^ permalink raw reply related

* RE: [v4] Bluetooth: RFCOMM: add minimum length check in rfcomm_recv_frame
From: bluez.test.bot @ 2026-05-19 19:50 UTC (permalink / raw)
  To: linux-bluetooth, meatuni001
In-Reply-To: <20260519184821.18925-1-meatuni001@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 936 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1097567

---Test result---

Test Summary:
CheckPatch                    PASS      0.73 seconds
GitLint                       PASS      0.55 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      25.91 seconds
CheckAllWarning               PASS      29.40 seconds
CheckSparse                   PASS      26.90 seconds
BuildKernel32                 PASS      24.98 seconds
TestRunnerSetup               PASS      526.66 seconds
TestRunner_rfcomm-tester      PASS      63.53 seconds
IncrementalBuild              PASS      24.66 seconds



https://github.com/bluez/bluetooth-next/pull/218

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [PATCH] Bluetooth: btmtk: remove extra copy in cmd array init
From: Jiajia Liu @ 2026-05-20  2:15 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz, Matthias Brugger,
	AngeloGioacchino Del Regno
  Cc: linux-bluetooth, linux-kernel, linux-arm-kernel, linux-mediatek,
	Jiajia Liu

In btmtk_setup_firmware_79xx, the data length indicated by wmt_params.dlen
in the cmd buffer is MTK_SEC_MAP_NEED_SEND_SIZE + 1. Except for the first
byte, the remaining length is MTK_SEC_MAP_NEED_SEND_SIZE. memcpy copied one
more byte to cmd + 1 than the remaining length. Align the length passed to
memcpy to avoid exceeding current section map.

Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
---
 drivers/bluetooth/btmtk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index ea7a031000cd..53cba71cb07f 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -188,7 +188,7 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
 				       MTK_FW_ROM_PATCH_GD_SIZE +
 				       MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i +
 				       MTK_SEC_MAP_COMMON_SIZE,
-				       MTK_SEC_MAP_NEED_SEND_SIZE + 1);
+				       MTK_SEC_MAP_NEED_SEND_SIZE);
 
 				wmt_params.op = BTMTK_WMT_PATCH_DWNLD;
 				wmt_params.status = &status;
-- 
2.53.0


^ permalink raw reply related

* [bluetooth-next:master] BUILD SUCCESS 7db62a762f613961a9ed0582902abd0295a385e9
From: kernel test robot @ 2026-05-20  5:32 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
branch HEAD: 7db62a762f613961a9ed0582902abd0295a385e9  Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths

elapsed time: 733m

configs tested: 177
configs skipped: 2

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
alpha                             allnoconfig    gcc-15.2.0
alpha                            allyesconfig    gcc-15.2.0
alpha                               defconfig    gcc-15.2.0
arc                              allmodconfig    clang-16
arc                               allnoconfig    gcc-15.2.0
arc                              allyesconfig    clang-23
arc                              allyesconfig    gcc-15.2.0
arc                                 defconfig    gcc-15.2.0
arc                   randconfig-001-20260520    gcc-8.5.0
arc                   randconfig-002-20260520    gcc-8.5.0
arm                               allnoconfig    gcc-15.2.0
arm                              allyesconfig    clang-16
arm                                 defconfig    gcc-15.2.0
arm                            dove_defconfig    gcc-15.2.0
arm                   randconfig-001-20260520    gcc-8.5.0
arm                   randconfig-002-20260520    gcc-8.5.0
arm                   randconfig-003-20260520    gcc-8.5.0
arm                   randconfig-004-20260520    gcc-8.5.0
arm                          sp7021_defconfig    gcc-15.2.0
arm64                            allmodconfig    clang-19
arm64                            allmodconfig    clang-23
arm64                             allnoconfig    gcc-15.2.0
arm64                               defconfig    gcc-15.2.0
arm64                 randconfig-001-20260520    gcc-10.5.0
arm64                 randconfig-002-20260520    gcc-10.5.0
arm64                 randconfig-003-20260520    gcc-10.5.0
arm64                 randconfig-004-20260520    gcc-10.5.0
csky                             allmodconfig    gcc-15.2.0
csky                              allnoconfig    gcc-15.2.0
csky                                defconfig    gcc-15.2.0
csky                  randconfig-001-20260520    gcc-10.5.0
csky                  randconfig-002-20260520    gcc-10.5.0
hexagon                          allmodconfig    clang-17
hexagon                          allmodconfig    gcc-15.2.0
hexagon                           allnoconfig    gcc-15.2.0
hexagon                             defconfig    gcc-15.2.0
hexagon               randconfig-001-20260520    gcc-11.5.0
hexagon               randconfig-002-20260520    gcc-11.5.0
i386                             allmodconfig    clang-20
i386                              allnoconfig    gcc-15.2.0
i386                             allyesconfig    clang-20
i386        buildonly-randconfig-001-20260520    clang-20
i386        buildonly-randconfig-002-20260520    clang-20
i386        buildonly-randconfig-003-20260520    clang-20
i386        buildonly-randconfig-004-20260520    clang-20
i386        buildonly-randconfig-005-20260520    clang-20
i386        buildonly-randconfig-006-20260520    clang-20
i386                                defconfig    gcc-15.2.0
i386                  randconfig-001-20260520    clang-20
i386                  randconfig-002-20260520    clang-20
i386                  randconfig-003-20260520    clang-20
i386                  randconfig-004-20260520    clang-20
i386                  randconfig-005-20260520    clang-20
i386                  randconfig-006-20260520    clang-20
i386                  randconfig-007-20260520    clang-20
i386                           randconfig-011    gcc-14
i386                  randconfig-011-20260520    gcc-14
i386                           randconfig-012    gcc-14
i386                  randconfig-012-20260520    gcc-14
i386                           randconfig-013    gcc-14
i386                  randconfig-013-20260520    gcc-14
i386                           randconfig-014    gcc-14
i386                  randconfig-014-20260520    gcc-14
i386                           randconfig-015    gcc-14
i386                  randconfig-015-20260520    gcc-14
i386                           randconfig-016    gcc-14
i386                  randconfig-016-20260520    gcc-14
i386                           randconfig-017    gcc-14
i386                  randconfig-017-20260520    gcc-14
loongarch                        allmodconfig    clang-19
loongarch                        allmodconfig    clang-23
loongarch                         allnoconfig    gcc-15.2.0
loongarch                           defconfig    clang-19
loongarch             randconfig-001-20260520    gcc-11.5.0
loongarch             randconfig-002-20260520    gcc-11.5.0
m68k                             allmodconfig    gcc-15.2.0
m68k                              allnoconfig    gcc-15.2.0
m68k                             allyesconfig    clang-16
m68k                                defconfig    clang-19
microblaze                        allnoconfig    gcc-15.2.0
microblaze                       allyesconfig    gcc-15.2.0
microblaze                          defconfig    clang-19
mips                             allmodconfig    gcc-15.2.0
mips                              allnoconfig    gcc-15.2.0
mips                             allyesconfig    gcc-15.2.0
mips                         rt305x_defconfig    clang-23
nios2                            allmodconfig    clang-23
nios2                             allnoconfig    clang-23
nios2                               defconfig    clang-19
nios2                 randconfig-001-20260520    gcc-11.5.0
nios2                 randconfig-002-20260520    gcc-11.5.0
openrisc                         allmodconfig    clang-23
openrisc                          allnoconfig    clang-23
openrisc                            defconfig    gcc-15.2.0
parisc                           allmodconfig    gcc-15.2.0
parisc                            allnoconfig    clang-23
parisc                           allyesconfig    clang-19
parisc                              defconfig    gcc-15.2.0
parisc                randconfig-001-20260520    clang-23
parisc                randconfig-002-20260520    clang-23
parisc64                            defconfig    clang-19
powerpc                          allmodconfig    gcc-15.2.0
powerpc                           allnoconfig    clang-23
powerpc               randconfig-001-20260520    clang-23
powerpc               randconfig-002-20260520    clang-23
powerpc64             randconfig-001-20260520    clang-23
powerpc64             randconfig-002-20260520    clang-23
riscv                            allmodconfig    clang-23
riscv                             allnoconfig    clang-23
riscv                            allyesconfig    clang-16
riscv                               defconfig    gcc-15.2.0
riscv             nommu_k210_sdcard_defconfig    gcc-15.2.0
s390                             allmodconfig    clang-19
s390                              allnoconfig    clang-23
s390                             allyesconfig    gcc-15.2.0
s390                                defconfig    gcc-15.2.0
sh                               allmodconfig    gcc-15.2.0
sh                                allnoconfig    clang-23
sh                               allyesconfig    clang-19
sh                                  defconfig    gcc-14
sparc                             allnoconfig    clang-23
sparc                               defconfig    gcc-15.2.0
sparc                 randconfig-001-20260520    gcc-8.5.0
sparc                 randconfig-002-20260520    gcc-8.5.0
sparc64                          allmodconfig    clang-23
sparc64                             defconfig    gcc-14
sparc64               randconfig-001-20260520    gcc-8.5.0
sparc64               randconfig-002-20260520    gcc-8.5.0
um                               allmodconfig    clang-19
um                                allnoconfig    clang-23
um                               allyesconfig    gcc-14
um                               allyesconfig    gcc-15.2.0
um                                  defconfig    gcc-14
um                             i386_defconfig    gcc-14
um                    randconfig-001-20260520    gcc-8.5.0
um                    randconfig-002-20260520    gcc-8.5.0
um                           x86_64_defconfig    gcc-14
x86_64                           allmodconfig    clang-20
x86_64                            allnoconfig    clang-23
x86_64                           allyesconfig    clang-20
x86_64      buildonly-randconfig-001-20260520    gcc-14
x86_64      buildonly-randconfig-002-20260520    gcc-14
x86_64      buildonly-randconfig-003-20260520    gcc-14
x86_64      buildonly-randconfig-004-20260520    gcc-14
x86_64      buildonly-randconfig-005-20260520    gcc-14
x86_64      buildonly-randconfig-006-20260520    gcc-14
x86_64                              defconfig    gcc-14
x86_64                                  kexec    clang-20
x86_64                randconfig-001-20260520    gcc-14
x86_64                randconfig-002-20260520    gcc-14
x86_64                randconfig-003-20260520    gcc-14
x86_64                randconfig-004-20260520    gcc-14
x86_64                randconfig-005-20260520    gcc-14
x86_64                randconfig-006-20260520    gcc-14
x86_64                randconfig-011-20260520    gcc-14
x86_64                randconfig-012-20260520    gcc-14
x86_64                randconfig-013-20260520    gcc-14
x86_64                randconfig-014-20260520    gcc-14
x86_64                randconfig-015-20260520    gcc-14
x86_64                randconfig-016-20260520    gcc-14
x86_64                randconfig-071-20260520    gcc-14
x86_64                randconfig-072-20260520    gcc-14
x86_64                randconfig-073-20260520    gcc-14
x86_64                randconfig-074-20260520    gcc-14
x86_64                randconfig-075-20260520    gcc-14
x86_64                randconfig-076-20260520    gcc-14
x86_64                               rhel-9.4    clang-20
x86_64                           rhel-9.4-bpf    gcc-14
x86_64                          rhel-9.4-func    clang-20
x86_64                    rhel-9.4-kselftests    clang-20
x86_64                         rhel-9.4-kunit    gcc-14
x86_64                           rhel-9.4-ltp    gcc-14
x86_64                          rhel-9.4-rust    clang-20
xtensa                            allnoconfig    clang-23
xtensa                           allyesconfig    clang-23
xtensa                randconfig-001-20260520    gcc-8.5.0
xtensa                randconfig-002-20260520    gcc-8.5.0

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply

* RE: Bluetooth: btmtk: remove extra copy in cmd array init
From: bluez.test.bot @ 2026-05-20  6:15 UTC (permalink / raw)
  To: linux-bluetooth, liujiajia
In-Reply-To: <20260520021500.13504-1-liujiajia@kylinos.cn>

[-- Attachment #1: Type: text/plain, Size: 882 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1097683

---Test result---

Test Summary:
CheckPatch                    PASS      0.63 seconds
GitLint                       PASS      0.28 seconds
SubjectPrefix                 PASS      0.10 seconds
BuildKernel                   PASS      26.60 seconds
CheckAllWarning               PASS      29.08 seconds
CheckSparse                   PASS      28.09 seconds
BuildKernel32                 PASS      26.71 seconds
TestRunnerSetup               PASS      534.54 seconds
IncrementalBuild              PASS      24.40 seconds



https://github.com/bluez/bluetooth-next/pull/219

---
Regards,
Linux Bluetooth


^ permalink raw reply

* Re: [PATCH v2] Bluetooth: btusb: Allow firmware re-download when version matches
From: Shuai Zhang @ 2026-05-20  6:26 UTC (permalink / raw)
  To: Luiz Augusto von Dentz
  Cc: Marcel Holtmann, linux-bluetooth, linux-kernel, linux-arm-msm,
	cheng.jiang, quic_chezhou, wei.deng, jinwang.li, mengshi.wu
In-Reply-To: <CABBYNZLP+rBrjhdKJLE7N47Bg-g4-6E3vS3yZXvMKwYQ2rMcUA@mail.gmail.com>

Hi Luiz

On 4/29/2026 11:17 PM, Luiz Augusto von Dentz wrote:
> Hi Shuai,
>
> On Wed, Apr 29, 2026 at 8:12 AM Shuai Zhang
> <shuai.zhang@oss.qualcomm.com> wrote:
>> The Bluetooth host decides whether to download firmware by reading the
>> controller firmware download completion flag and firmware version
>> information.
>>
>> If a USB error occurs during the firmware download process (for example
>> due to a USB disconnect), the download is aborted immediately. An
>> incomplete firmware transfer does not cause the controller to set the
>> download completion flag, but the firmware version information may be
>> updated at an early stage of the download process.
> Hold on, if the download has been aborted then the version should be
> reverted, or rather just update once the firmware loading is complete,
> so this indicates there is a bug somewhere that needs fixing, not
> worked around.
>
>> In this case, after USB reconnection, the host attempts to re-download
>> the firmware because the download completion flag is not set. However,
>> since the controller reports the same firmware version as the target
>> firmware, the download is skipped. This ultimately results in the
>> firmware not being properly updated on the controller.
>>
>> This change removes the restriction that skips firmware download when
>> the versions are equal. It covers scenarios where the USB connection
>> can be disconnected at any time and ensures that firmware download can
>> be retriggered after USB reconnection, allowing the Bluetooth firmware
>> to be correctly and completely updated.
>>
>> Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
>> ---
>> Changes v2:
>> - Update code comments and commit message to reflect the correct logic.
>> - Align the commit title with upstream conventions.
>> - Link v1
>>    https://lore.kernel.org/all/20260108074353.1027877-1-shuai.zhang@oss.qualcomm.com/
>> ---
>>   drivers/bluetooth/btusb.c | 8 +++++++-
>>   1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
>> index 572091e60..70abbabea 100644
>> --- a/drivers/bluetooth/btusb.c
>> +++ b/drivers/bluetooth/btusb.c
>> @@ -3550,7 +3550,13 @@ static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
>>                      "firmware rome 0x%x build 0x%x",
>>                      rver_rom, rver_patch, ver_rom, ver_patch);
>>
>> -       if (rver_rom != ver_rom || rver_patch <= ver_patch) {
>> +       /* Allow rampatch when the patch version equals the firmware version.
>> +        * A firmware download may be aborted by a transient USB error (e.g.
>> +        * disconnect) after the controller updates version info but before
>> +        * completion.
>> +        * Allowing equal versions enables re-flashing during recovery.
>> +        */
>> +       if (rver_rom != ver_rom || rver_patch < ver_patch) {
> As I said above, this sounds more like a workaround. That said, I
> wonder why it would print an error if the version matches, it sounds
> to be that if the version matches it should just skip and consider it
> has been loaded already in case the actual problem is fixed by setting
> the new version only when loading has been completed.
>
>>                  bt_dev_err(hdev, "rampatch file version did not match with firmware");
>>                  err = -EINVAL;
>>                  goto done;
>> --
>> 2.34.1

Just checking if there are any updates on this


Thanks,

Shuai

>

^ permalink raw reply

* Re: 转发: 回复: About Kernel limitation HCI_MAX_FRAME_SIZE (1024 + 4)
From: Chris Lu (陸稚泓) @ 2026-05-20  7:38 UTC (permalink / raw)
  To: luiz.dentz@gmail.com, yjg0107@163.com; +Cc: linux-bluetooth@vger.kernel.org
In-Reply-To: <h8u6o3dq4p0sir056l06sja8.1779260604813@email.vivo.com>

On Wed, 2026-05-20 at 15:03 +0800, yjg0107 wrote:

Hi Luiz,

I received a question about the restrictions of HCI_CHANNEL_USER and
HCI_MAX_FRAME_SIZE. Since this involves changes related to Kernel HCI
layer, what's your view on relaxing HCI_MAX_FRAME_SIZE limit?

I saw that there was some discussion about this on bluez github, but it
seems there hasn't been any activity for a while. Would you suggest
they directly upload a patch they want and continue the discussion with
you?

> 
> ---------- 转发的邮件 ----------
> 发件人:yjg0107 <yjg0107@163.com>
> 日期:2026年5月7日 17:55
> 主题:回复: About Kernel limitation HCI_MAX_FRAME_SIZE (1024 + 4)
> 收件人:"luiz.dentz" <luiz.dentz@gmail.com>
> 抄送:linux-bluetooth <linux-bluetooth@vger.kernel.org>
> 
> 
> 
> 
> 
> 
> 
> 
> Hi Vudentz,
> 
> In the future, BT SIG will introduce the High Data Throughput (HDT),
> which may require transmit larger data size, not just 1024.
> So what's your opinions? Could kernel remove the limitation that
> HCI_CHANNEL_USER can not change MTU?
> Looking forward to your reply, thank you very much.
> 
> B.R.
> Jigong Yin(殷吉功)
> ---------- 回复的原邮件 ----------
> 发件人:yjg0107 <yjg0107@163.com>
> 日期:2026年4月27日 14:40
> 主题:About Kernel limitation HCI_MAX_FRAME_SIZE (1024 + 4)
> 收件人:"luiz.dentz" <luiz.dentz@gmail.com>
> 抄送:linux-bluetooth <linux-bluetooth@vger.kernel.org>
> 
> 
> 
> 
> 
> 
> 
> 
> Hi Luiz,
> 
> Question is same as https://github.com/bluez/bluez/issues/2073.
> About Kernel limitation HCI_MAX_FRAME_SIZE (1024 + 4), you said that
> this will be fixed to enable user space changed, from #201 (comment).
> The patch commit is torvalds/linux@09572fc, right?
> 
> However, why HCI_CHANNEL_USER type can not change MTU value? Google
> bluetooth aidl uses HCI_CHANNEL_USER type
> fromhttps://cs.android.com/android/platform/superproject/+/android-la
> test-
> release:hardware/interfaces/bluetooth/aidl/default/net_bluetooth_mgmt
> .cpp line 282.
> 
> Could kernel remove the limitation that HCI_CHANNEL_USER can not
> change MTU?
> 
> Thanks.
> B.R.
> Jigong Yin
> 
> 
> 
> 发自vivo电子邮件
> 
> 

Best Regards,
Chris Lu


^ permalink raw reply

* [Bug 221547] MT7902 Bluetooth: Failed to send wmt func ctrl (-22) regression in 6.18.31 and 6.12.32
From: bugzilla-daemon @ 2026-05-20  7:52 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <bug-221547-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=221547

Artem S. Tashkinov (aros@gmx.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #3 from Artem S. Tashkinov (aros@gmx.com) ---
It's been queued in stable, either apply it immediately or wait for the next
stable release.

*** This bug has been marked as a duplicate of bug 221521 ***

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply

* [Bug 221521] Bluetooth: btusb/mt7921 - Failed to send wmt func ctrl (-22) on MediaTek MT7921 combo adapter
From: bugzilla-daemon @ 2026-05-20  7:52 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <bug-221521-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=221521

Artem S. Tashkinov (aros@gmx.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |olle@vixit.nu

--- Comment #13 from Artem S. Tashkinov (aros@gmx.com) ---
*** Bug 221547 has been marked as a duplicate of this bug. ***

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply

* [Bug 221552] btmtk: MT7921 (USB 0e8d:e020 / PCI 14c3:7920) Bluetooth broken since 7.0.7 - fix for 0489:e0e2 does not cover this PID
From: bugzilla-daemon @ 2026-05-20  7:58 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <bug-221552-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=221552

Artem S. Tashkinov (aros@gmx.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Artem S. Tashkinov (aros@gmx.com) ---
Are you sure this patch doesn't fix it for you?

https://lore.kernel.org/all/770d36b07311bf88210c187923f243fb9f126f04.1777058551.git.pav@iki.fi/

Upcoming Linux 7.0.10 includes it.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply

* [PATCH v6 0/2] Add Synaptics BCM4384 Bluetooth support
From: kaihsin Chung @ 2026-05-20  9:01 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: marcel, luiz.von.dentz, linux-kernel, kaihsin Chung
In-Reply-To: <20260408083217.1915419-1-kaihsin.chung@synaptics.com>

This series adds support for the Synaptics BCM4384 Bluetooth
controller.

Patch 1 adds the DT compatible string.
Patch 2 adds Bluetooth driver support.


kaihsin Chung (2):
  dt-bindings: net: bluetooth: Add brcm,bcm4384-bt
  Bluetooth: btbcm: Add Synaptics 4384 chip support

 .../bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml      | 2 +-
 drivers/bluetooth/btbcm.c                                   | 6 +++++-
 drivers/bluetooth/hci_bcm.c                                 | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

-- 
2.43.0


^ permalink raw reply

* [PATCH v6 1/2] dt-bindings: net: bluetooth: Add brcm,bcm4384-bt
From: kaihsin Chung @ 2026-05-20  9:01 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: marcel, luiz.von.dentz, linux-kernel, Kaihsin Chung
In-Reply-To: <20260520090131.3505676-1-kaihsin.chung@synaptics.com>

From: Kaihsin Chung <kaihsin.chung@synaptics.com>

Add the compatible string for the Broadcom BCM4384
Bluetooth controller.

Signed-off-by: Kaihsin Chung <kaihsin.chung@synaptics.com>
---
 .../bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml b/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml
index 37cb39a3a62e..139d9b47329c 100644
--- a/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml
+++ b/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml
@@ -23,7 +23,7 @@ properties:
       - pci14e4,5fa0 # BCM4377
       - pci14e4,5f69 # BCM4378
       - pci14e4,5f71 # BCM4387
-
+      - brcm,bcm4384-bt
   reg:
     maxItems: 1
 
-- 
2.43.0


^ permalink raw reply related

* [PATCH v6 2/2] Bluetooth: btbcm: Add Synaptics 4384 chip support
From: kaihsin Chung @ 2026-05-20  9:01 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: marcel, luiz.von.dentz, linux-kernel, Kaihsin Chung
In-Reply-To: <20260520090131.3505676-1-kaihsin.chung@synaptics.com>

From: Kaihsin Chung <kaihsin.chung@synaptics.com>

Add support for the Synaptics 4384 Bluetooth controller
by adding the corresponding chip IDs and device tree
matching support

Signed-off-by: Kaihsin Chung <kaihsin.chung@synaptics.com>
---
 drivers/bluetooth/btbcm.c   | 6 +++++-
 drivers/bluetooth/hci_bcm.c | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
index f9a7c790d7e2..1164cca40324 100644
--- a/drivers/bluetooth/btbcm.c
+++ b/drivers/bluetooth/btbcm.c
@@ -31,6 +31,7 @@
 #define BDADDR_BCM4334B0 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb0, 0x34, 0x43}})
 #define BDADDR_BCM4345C5 (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0xc5, 0x45, 0x43}})
 #define BDADDR_BCM43341B (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0x1b, 0x34, 0x43}})
+#define BDADDR_BCM4384B0 (&(bdaddr_t) {{0x93, 0x76, 0x00, 0xb0, 0x84, 0x43}})
 
 #define BCM_FW_NAME_LEN			64
 #define BCM_FW_NAME_COUNT_MAX		4
@@ -130,7 +131,8 @@ int btbcm_check_bdaddr(struct hci_dev *hdev)
 	    !bacmp(&bda->bdaddr, BDADDR_BCM4345C5) ||
 	    !bacmp(&bda->bdaddr, BDADDR_BCM43430A0) ||
 	    !bacmp(&bda->bdaddr, BDADDR_BCM43430A1) ||
-	    !bacmp(&bda->bdaddr, BDADDR_BCM43341B)) {
+	    !bacmp(&bda->bdaddr, BDADDR_BCM43341B) ||
+	    !bacmp(&bda->bdaddr, BDADDR_BCM4384B0)) {
 		/* Try falling back to BDADDR EFI variable */
 		if (btbcm_set_bdaddr_from_efi(hdev) != 0) {
 			bt_dev_info(hdev, "BCM: Using default device address (%pMR)",
@@ -515,6 +517,8 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
 	{ 0x4106, "BCM4335A0"	},	/* 002.001.006 */
 	{ 0x410c, "BCM43430B0"	},	/* 002.001.012 */
 	{ 0x2119, "BCM4373A0"	},	/* 001.001.025 */
+	{ 0x2128, "BCM4384A0" },/* 001.001.040 */
+	{ 0x4119, "BCM4384B0"},/* 002.001.025 */
 	{ }
 };
 
diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
index 874d23089b39..783346a4a59b 100644
--- a/drivers/bluetooth/hci_bcm.c
+++ b/drivers/bluetooth/hci_bcm.c
@@ -1609,6 +1609,7 @@ static const struct of_device_id bcm_bluetooth_of_match[] = {
 	{ .compatible = "brcm,bcm4335a0" },
 	{ .compatible = "cypress,cyw4373a0-bt", .data = &cyw4373a0_device_data },
 	{ .compatible = "infineon,cyw55572-bt", .data = &cyw55572_device_data },
+	{ .compatible = "brcm,bcm4384-bt" },
 	{ },
 };
 MODULE_DEVICE_TABLE(of, bcm_bluetooth_of_match);
-- 
2.43.0


^ permalink raw reply related

* [PATCH 0/3] arm64: dts: monaco-arduino-monza: Add support for LGA WiFi/BT module
From: Loic Poulain @ 2026-05-20 11:01 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz, Bjorn Andersson, Konrad Dybcio,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley
  Cc: linux-pci, linux-pm, linux-kernel, linux-arm-msm, linux-bluetooth,
	devicetree, Loic Poulain

This series describes support for the onboard WiFi/Bluetooth module
present on the Arduino VENTUNO Q (monaco) platform.

The board provides LGA pads for a wireless module. On the VENTUNO Q
these pads are populated with an NFA725B module featuring the
QCA2066 WiFi/BT combo chip. While implemented as an LGA footprint,
the design is functionally compatible with the M.2 Key E.

The NFA725B exposes WiFi over PCIe and Bluetooth over a UART.
Both interfaces are gated through the W_DISABLE1# and W_DISABLE2#
signals, as defined by the M.2 specification and handled here via
the pcie-m2 power sequencer.

This series models the hardware using the existing pwrseq framework
and connector bindings, allowing coordinated PCIe and UART bring-up.

Patch 1 registers the QCA2066 PCI device ID (17cb:1103) in the
pwrseq-pcie-m2 serdev ID table so the Bluetooth device is created
automatically when the PCIe function is enumerated.

Patch 2 updates hci_qca to retrieve the "uart" power sequencer
target via the OF graph and use it for Bluetooth power control
instead of a dedicated GPIO.

Patch 3 adds the required Device Tree description for the board.

This series depends on:
https://lore.kernel.org/linux-pci/20260507-pwrseq-m2-bt-v2-0-1740bd478539@oss.qualcomm.com

Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
Loic Poulain (3):
      power: sequencing: pcie-m2: Add QCA2066 (QCNFA765) BT serdev ID
      Bluetooth: hci_qca: Support QCA2066 on M.2 connector via pwrseq
      arm64: dts: qcom: monaco-arduino-monza: Add QCA2066 M.2 WiFi/BT support

 arch/arm64/boot/dts/qcom/monaco-arduino-monza.dts | 65 +++++++++++++++++++++++
 drivers/bluetooth/hci_qca.c                       | 33 +++++-------
 drivers/power/sequencing/pwrseq-pcie-m2.c         |  2 +
 3 files changed, 80 insertions(+), 20 deletions(-)
---
base-commit: aa61612ab641d7d62b0b6889f2c7c9251489f6e3
change-id: 20260520-monza-wireless-e6ce7f013f38
prerequisite-message-id: <20260507-pwrseq-m2-bt-v2-0-1740bd478539@oss.qualcomm.com>
prerequisite-patch-id: f4a7d1957c1776051608bf3d808b2786606c1ae2
prerequisite-patch-id: 6cd3c33583a9af16b3f6f71517b16b32d8155b7c
prerequisite-patch-id: 0550c57d69cf112fd4830e62f4388db6f8bf397c
prerequisite-patch-id: cc10d8079e37ef0ba0c33d0984c95d76361df9dd
prerequisite-patch-id: d7f4bb2bb4498ac619e67a94f8b59119a5caaf26
prerequisite-patch-id: c00ce9095b2d3a412229796194828b55642d3d96
prerequisite-patch-id: 09600595c2e80b12eda3aae39af192847d0f03d0
prerequisite-patch-id: a6118ed2894c176780ba933750e1068f2819fa4c
prerequisite-patch-id: 1dee41a33e032094e8dda74ac4e0bada928573d7

Best regards,
-- 
Loic Poulain <loic.poulain@oss.qualcomm.com>


^ permalink raw reply

* [PATCH 1/3] power: sequencing: pcie-m2: Add QCA2066 (QCNFA765) BT serdev ID
From: Loic Poulain @ 2026-05-20 11:01 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz, Bjorn Andersson, Konrad Dybcio,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley
  Cc: linux-pci, linux-pm, linux-kernel, linux-arm-msm, linux-bluetooth,
	devicetree, Loic Poulain
In-Reply-To: <20260520-monza-wireless-v1-0-9f6942310653@oss.qualcomm.com>

Add PCI device ID 17cb:1103 (Qualcomm QCA2066/QCNFA765) to the M.2
serdev ID table, mapping it to the qcom,qca2066-bt compatible string.

This allows the pwrseq-pcie-m2 driver to automatically create the
Bluetooth serdev device when a QCA2066-based M.2 card is enumerated.

Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
 drivers/power/sequencing/pwrseq-pcie-m2.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/power/sequencing/pwrseq-pcie-m2.c b/drivers/power/sequencing/pwrseq-pcie-m2.c
index efeb25ba9c79e20fc8bc8354def8ae423d0f2f2e..f90df88c663985c7702c19911f0c147e3b68984b 100644
--- a/drivers/power/sequencing/pwrseq-pcie-m2.c
+++ b/drivers/power/sequencing/pwrseq-pcie-m2.c
@@ -188,6 +188,8 @@ static int pwrseq_pcie_m2_match(struct pwrseq_device *pwrseq,
 static const struct pci_device_id pwrseq_m2_pci_ids[] = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x1107),
 	  .driver_data = (kernel_ulong_t)"qcom,wcn7850-bt" },
+	{ PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x1103),
+	  .driver_data = (kernel_ulong_t)"qcom,qca2066-bt" },
 	{ } /* Sentinel */
 };
 

-- 
2.34.1


^ permalink raw reply related

* [PATCH 2/3] Bluetooth: hci_qca: Support QCA2066 on M.2 connector via pwrseq
From: Loic Poulain @ 2026-05-20 11:01 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz, Bjorn Andersson, Konrad Dybcio,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley
  Cc: linux-pci, linux-pm, linux-kernel, linux-arm-msm, linux-bluetooth,
	devicetree, Loic Poulain
In-Reply-To: <20260520-monza-wireless-v1-0-9f6942310653@oss.qualcomm.com>

For QCA2066 (and other QCA chips) on M.2 connectors, the UART enable
is controlled by the W_DISABLE2# signal managed by the pcie-m2 power
sequencer rather than a dedicated BT enable GPIO.

When the serdev controller has an OF graph (indicating it is connected
to an M.2 connector), acquire the 'uart' pwrseq target from the
connector's power sequencer and use it to control BT power instead of
the bt-enable GPIO.

Also allocate bt_power unconditionally for all SOC types since the
pwrseq path is independent of the SOC type switch.

Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
 drivers/bluetooth/hci_qca.c | 33 +++++++++++++--------------------
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index b5439b9956cfb0497e6ba6ccd9ed61224d23a9dd..de5cba7b7f44e280a48dad5d670fa2758d3268d0 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1873,6 +1873,9 @@ static int qca_power_on(struct hci_dev *hdev)
 			/* Controller needs time to bootup. */
 			msleep(150);
 		}
+
+		if (qcadev->bt_power && qcadev->bt_power->pwrseq)
+			pwrseq_power_on(qcadev->bt_power->pwrseq);
 	}
 
 	clear_bit(QCA_BT_OFF, &qca->flags);
@@ -2415,25 +2418,9 @@ static int qca_serdev_probe(struct serdev_device *serdev)
 	else
 		qcadev->btsoc_type = QCA_ROME;
 
-	switch (qcadev->btsoc_type) {
-	case QCA_QCA6390:
-	case QCA_WCN3950:
-	case QCA_WCN3988:
-	case QCA_WCN3990:
-	case QCA_WCN3991:
-	case QCA_WCN3998:
-	case QCA_WCN6750:
-	case QCA_WCN6855:
-	case QCA_WCN7850:
-		qcadev->bt_power = devm_kzalloc(&serdev->dev,
-						sizeof(struct qca_power),
-						GFP_KERNEL);
-		if (!qcadev->bt_power)
-			return -ENOMEM;
-		break;
-	default:
-		break;
-	}
+	qcadev->bt_power = devm_kzalloc(&serdev->dev, sizeof(struct qca_power), GFP_KERNEL);
+	if (!qcadev->bt_power)
+		return -ENOMEM;
 
 	switch (qcadev->btsoc_type) {
 	case QCA_WCN3950:
@@ -2543,7 +2530,13 @@ static int qca_serdev_probe(struct serdev_device *serdev)
 			return PTR_ERR(qcadev->bt_en);
 		}
 
-		if (!qcadev->bt_en)
+		if (of_graph_is_present(dev_of_node(&serdev->ctrl->dev))) {
+			qcadev->bt_power->pwrseq = devm_pwrseq_get(&serdev->ctrl->dev, "uart");
+			if (IS_ERR(qcadev->bt_power->pwrseq))
+				return PTR_ERR(qcadev->bt_power->pwrseq);
+		}
+
+		if (!qcadev->bt_en && !qcadev->bt_power->pwrseq)
 			bt_en_available = false;
 
 		qcadev->susclk = devm_clk_get_optional_enabled_with_rate(

-- 
2.34.1


^ permalink raw reply related

* [PATCH 3/3] arm64: dts: qcom: monaco-arduino-monza: Add QCA2066 M.2 WiFi/BT support
From: Loic Poulain @ 2026-05-20 11:01 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz, Bjorn Andersson, Konrad Dybcio,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley
  Cc: linux-pci, linux-pm, linux-kernel, linux-arm-msm, linux-bluetooth,
	devicetree, Loic Poulain
In-Reply-To: <20260520-monza-wireless-v1-0-9f6942310653@oss.qualcomm.com>

Add support for the QCA2066 (QCNFA765) WiFi/Bluetooth module on the
Arduino VENTUNO Q board. The module is interfaced via LGA and is
compatible with the M.2 Key E.

Add wireless-lga-connector node using pcie-m2-e-connector binding,
connecting PCIe port 0 to the WiFi interface and UART10 port 3 to
the Bluetooth interface.

Add pcie@1,0 downstream port node with pciclass,0604 compatible so
the pci-pwrctrl driver can acquire the power sequencer and enable
the M.2 slot before PCIe enumeration.

Add nfa725b_default_state pinctrl for the W_DISABLE1/2 GPIOs
(gpio56/gpio55) used by the power sequencer.

Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
 arch/arm64/boot/dts/qcom/monaco-arduino-monza.dts | 65 +++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/arch/arm64/boot/dts/qcom/monaco-arduino-monza.dts b/arch/arm64/boot/dts/qcom/monaco-arduino-monza.dts
index 93ed575817af1c5e903662c209ead629fe202ee2..6fcad77f320cb82eccb6f07244d185abfb1976d9 100644
--- a/arch/arm64/boot/dts/qcom/monaco-arduino-monza.dts
+++ b/arch/arm64/boot/dts/qcom/monaco-arduino-monza.dts
@@ -154,6 +154,39 @@ vreg_nvme: regulator-3p3-m2 {
 		enable-active-high;
 		startup-delay-us = <20000>;
 	};
+
+	wireless-lga-connector {
+		compatible = "pcie-m2-e-connector";
+		vpcie3v3-supply = <&vdc_3v3>;
+		vpcie1v8-supply = <&vdc_1v8>;
+		w-disable1-gpios = <&tlmm 56 GPIO_ACTIVE_LOW>;
+		w-disable2-gpios = <&tlmm 55 GPIO_ACTIVE_LOW>;
+		pinctrl-0 = <&nfa725b_default_state>;
+		pinctrl-names = "default";
+
+		ports {
+			#address-cells = <1>;
+			#size-cells = <0>;
+
+			/* WiFi/PCIe */
+			port@0 {
+				reg = <0>;
+
+				lga_pcie_ep: endpoint {
+					remote-endpoint = <&pcie_bridge_ep>;
+				};
+			};
+
+			/* Bluetooth/UART */
+			port@3 {
+				reg = <3>;
+
+				lga_uart_ep: endpoint {
+					remote-endpoint = <&uart10_ep>;
+				};
+			};
+		};
+	};
 };
 
 &cci1 {
@@ -408,6 +441,22 @@ pci@0,0 {
 		ranges;
 		reg = <0x010000 0x00 0x00 0x00 0x00>;
 
+		pcie@1,0 {
+			#address-cells = <3>;
+			#size-cells = <2>;
+			device_type = "pci";
+			compatible = "pciclass,0604";
+			bus-range = <0x00 0xff>;
+			ranges;
+			reg = <0x020800 0x00 0x00 0x00 0x00>;
+
+			port {
+				pcie_bridge_ep: endpoint {
+					remote-endpoint = <&lga_pcie_ep>;
+				};
+			};
+		};
+
 		pci@2,0 {
 			#address-cells = <3>;
 			#size-cells = <2>;
@@ -500,6 +549,12 @@ max98091_default: max98091-default-state {
 		bias-pull-up;
 	};
 
+	nfa725b_default_state: nfa725b-default-state {
+		pins = "gpio55", "gpio56";
+		function = "gpio";
+		bias-disable;
+	};
+
 	pcie1_default_state: pcie1-default-state {
 		wake-pins {
 			pins = "gpio21";
@@ -540,6 +595,16 @@ &uart7 {
 	status = "okay";
 };
 
+&uart10 {
+	status = "okay";
+
+	port {
+		uart10_ep: endpoint {
+			remote-endpoint = <&lga_uart_ep>;
+		};
+	};
+};
+
 &usb_1 {
 	status = "okay";
 };

-- 
2.34.1


^ permalink raw reply related

* Re: [PATCH v6 1/2] dt-bindings: net: bluetooth: Add brcm,bcm4384-bt
From: Krzysztof Kozlowski @ 2026-05-20 11:19 UTC (permalink / raw)
  To: kaihsin Chung, linux-bluetooth
  Cc: marcel, luiz.von.dentz, linux-kernel, Kaihsin Chung
In-Reply-To: <20260520090131.3505676-2-kaihsin.chung@synaptics.com>

On 20/05/2026 11:01, kaihsin Chung wrote:
> From: Kaihsin Chung <kaihsin.chung@synaptics.com>
> 
> Add the compatible string for the Broadcom BCM4384
> Bluetooth controller.

Please use scripts/get_maintainers.pl to get a list of necessary people
and lists to CC. It might happen, that command when run on an older
kernel, gives you outdated entries. Therefore please be sure you base
your patches on recent Linux kernel.

Tools like b4 or scripts/get_maintainer.pl provide you proper list of
people, so fix your workflow. Tools might also fail if you work on some
ancient tree (don't, instead use mainline) or work on fork of kernel
(don't, instead use mainline). Just use b4 and everything should be
fine, although remember about `b4 prep --auto-to-cc` if you added new
patches to the patchset.

You missed at least devicetree list (maybe more), so this won't be
tested by automated tooling. Performing review on untested code might be
a waste of time.

Please kindly resend and include all necessary To/Cc entries.

Please wrap commit message according to Linux coding style / submission
process (neither too early nor over the limit):
https://elixir.bootlin.com/linux/v6.4-rc1/source/Documentation/process/submitting-patches.rst#L597

Do not attach (thread) your patchsets to some other threads (unrelated
or older versions). This buries them deep in the mailbox and might
interfere with applying entire sets. See also:
https://elixir.bootlin.com/linux/v6.16-rc2/source/Documentation/process/submitting-patches.rst#L830

> 
> Signed-off-by: Kaihsin Chung <kaihsin.chung@synaptics.com>
> ---
>  .../bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml          | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml b/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml
> index 37cb39a3a62e..139d9b47329c 100644
> --- a/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml
> +++ b/Documentation/devicetree/bindings/net/bluetooth/brcm,bcm4377-bluetooth.yaml
> @@ -23,7 +23,7 @@ properties:
>        - pci14e4,5fa0 # BCM4377
>        - pci14e4,5f69 # BCM4378
>        - pci14e4,5f71 # BCM4387
> -

Why?

> +      - brcm,bcm4384-bt
>    reg:
>      maxItems: 1
>  

I really doubt you tested it. What sort of bus is used for your device?


Best regards,
Krzysztof

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox