* [PATCH v2 1/3] Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
From: Heitor Alves de Siqueira @ 2026-05-26 13:50 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz, Gustavo Padovan,
Schspa Shi
Cc: linux-bluetooth, linux-kernel, kernel-dev,
Heitor Alves de Siqueira, Luiz Augusto von Dentz
In-Reply-To: <20260526-hci_send-v2-0-596977a9a814@igalia.com>
The current HCI reset function in hci_core.c duplicates most of the work
done by hci_dev_close_sync(), and doesn't handle LE, advertising or
discovery.
Instead of porting these to hci_dev_do_reset(), directly call the
close/open functions from hci_sync to reset the hdev. MGMT now notifies
when a user performs a reset.
Suggested-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
net/bluetooth/hci_core.c | 43 +++----------------------------------------
1 file changed, 3 insertions(+), 40 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index c46c1236ebfa..28d7929dc593 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -539,46 +539,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev)
hci_req_sync_lock(hdev);
- /* Drop queues */
- skb_queue_purge(&hdev->rx_q);
- skb_queue_purge(&hdev->cmd_q);
-
- /* Cancel these to avoid queueing non-chained pending work */
- hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
- /* Wait for
- *
- * if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
- * queue_delayed_work(&hdev->{cmd,ncmd}_timer)
- *
- * inside RCU section to see the flag or complete scheduling.
- */
- synchronize_rcu();
- /* Explicitly cancel works in case scheduled after setting the flag. */
- cancel_delayed_work(&hdev->cmd_timer);
- cancel_delayed_work(&hdev->ncmd_timer);
-
- /* Avoid potential lockdep warnings from the *_flush() calls by
- * ensuring the workqueue is empty up front.
- */
- drain_workqueue(hdev->workqueue);
-
- hci_dev_lock(hdev);
- hci_inquiry_cache_flush(hdev);
- hci_conn_hash_flush(hdev);
- hci_dev_unlock(hdev);
-
- if (hdev->flush)
- hdev->flush(hdev);
-
- hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
-
- atomic_set(&hdev->cmd_cnt, 1);
- hdev->acl_cnt = 0;
- hdev->sco_cnt = 0;
- hdev->le_cnt = 0;
- hdev->iso_cnt = 0;
-
- ret = hci_reset_sync(hdev);
+ ret = hci_dev_close_sync(hdev);
+ if (!ret)
+ ret = hci_dev_open_sync(hdev);
hci_req_sync_unlock(hdev);
return ret;
--
2.54.0
^ permalink raw reply related
* [PATCH v2 0/3] Bluetooth: hci_core: Refactor HCI reset functions
From: Heitor Alves de Siqueira @ 2026-05-26 13:50 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz, Gustavo Padovan,
Schspa Shi
Cc: linux-bluetooth, linux-kernel, kernel-dev,
Heitor Alves de Siqueira, Luiz Augusto von Dentz
Dear maintainers,
While investigating some warnings reported by syzbot on the hdev
workqueue, Luiz kindly mentioned the possibility of reworking the reset
functions in hci_core. A lot of the work done "manually" in
hci_dev_do_reset() is already handled by the close/open functions in
hci_sync, and those also handle missing functionality related to LE,
discovery and advertising.
This series removes most of the code in hci_dev_do_reset() in favor of
calling hci_dev_close_sync() and hci_dev_open_sync(). The two follow-up
patches are minor fixes porting over a device flag for indicating when
the workqueue is being drained, and another for zeroing device counters.
Although I've left them as individual commits, they could probably be
squashed together if that's preferrable.
I've tested this using the Bluez HCI emulator and corresponding tester
tools, as well as on a generic USB Bluetooth dongle. No regressions were
reported by l2cap-tester, mgmt-tester and hci-tester.
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
---
Changes in v2:
- Removed most reset code from hci_dev_do_reset(), in favor of
hci_dev_close_sync() and hci_dev_open_sync()
- Added HCI_CMD_DRAIN_WORKQUEUE to hci_dev_close_sync(), as it's now
used in the reset path
- Included a minor fix for zeroing protocol counters
- Link to v1: https://patch.msgid.link/20260513-hci_send-v1-1-ae3eef758280@igalia.com
To: Marcel Holtmann <marcel@holtmann.org>
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: Schspa Shi <schspa@gmail.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
Heitor Alves de Siqueira (3):
Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
net/bluetooth/hci_core.c | 43 +++----------------------------------------
net/bluetooth/hci_sync.c | 12 ++++++++++++
2 files changed, 15 insertions(+), 40 deletions(-)
---
base-commit: 8bc67e4db64aa72732c474b44ea8622062c903f0
change-id: 20260513-hci_send-640290de7acc
Best regards,
--
Heitor Alves de Siqueira <halves@igalia.com>
^ permalink raw reply
* [PATCH bluetooth] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
From: Zhenghang Xiao @ 2026-05-26 10:51 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, Zhenghang Xiao
l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.
A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).
Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
---
net/bluetooth/l2cap_core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7701528f1167..08c70caf24d4 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5458,14 +5458,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
BT_DBG("result 0x%4.4x", result);
- if (!result)
+ if (!result) {
+ list_for_each_entry(chan, &conn->chan_l, list) {
+ if (chan->ident == cmd->ident)
+ chan->ident = 0;
+ }
return 0;
+ }
list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
if (chan->ident != cmd->ident)
continue;
- l2cap_chan_hold(chan);
+ if (!l2cap_chan_hold_unless_zero(chan))
+ continue;
l2cap_chan_lock(chan);
l2cap_chan_del(chan, ECONNRESET);
--
2.50.1 (Apple Git-155)
^ permalink raw reply related
* [PATCH bluetooth-next] Bluetooth: L2CAP: fix list corruption in l2cap_ecred_conn_rsp
From: Zhenghang Xiao @ 2026-05-26 10:34 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, Zhenghang Xiao
The duplicate DCID handling in l2cap_ecred_conn_rsp() calls
l2cap_chan_del() on the channel found by __l2cap_get_chan_by_dcid(),
which may be the 'tmp' pointer of the enclosing
list_for_each_entry_safe loop. list_del() poisons tmp->list.next with
LIST_POISON1, and the next iteration dereferences it:
KASAN: wild-memory-access in range [0xdead000000000100-0xdead000000000107]
pc : l2cap_recv_frame+0x3b7c/0x7360
Break out of the loop after the duplicate handling to avoid iterating
with the corrupted pointer. Remaining pending channels for the same
ident are not processed; they will time out via the standard L2CAP
channel timeout since the response indicates a misbehaving peer. Add a
NULL check on the second __l2cap_get_chan_by_dcid() call for robustness.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
---
net/bluetooth/l2cap_core.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7701528f1167..3456d741fb1c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5292,10 +5292,12 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
l2cap_chan_del(chan, ECONNREFUSED);
l2cap_chan_unlock(chan);
chan = __l2cap_get_chan_by_dcid(conn, dcid);
- l2cap_chan_lock(chan);
- l2cap_chan_del(chan, ECONNRESET);
- l2cap_chan_unlock(chan);
- continue;
+ if (chan) {
+ l2cap_chan_lock(chan);
+ l2cap_chan_del(chan, ECONNRESET);
+ l2cap_chan_unlock(chan);
+ }
+ break;
}
switch (result) {
--
2.50.1 (Apple Git-155)
^ permalink raw reply related
* Re: [PATCH v1 1/6] sdio: Add syntactic sugar to store a pointer in sdio_driver_id
From: Uwe Kleine-König (The Capable Hub) @ 2026-05-26 9:38 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: Ulf Hansson, Christian A. Ehrhardt, linux-mmc, Greg Kroah-Hartman,
Wolfram Sang, linux-kernel, Marcel Holtmann, linux-bluetooth,
Matthias Brugger, AngeloGioacchino Del Regno, linux-mediatek,
Ping-Ke Shih, linux-wireless, Felix Fietkau, Lorenzo Bianconi,
Ryder Lee, Shayne Chen, Sean Wang, Brian Norris,
Francesco Dolcini, Andy Shevchenko
In-Reply-To: <CABBYNZJzbEmYzTk2m+Y8SoHVouTMA6Gje_55iJsQ6cYtDLftbQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1709 bytes --]
On Mon, Apr 20, 2026 at 04:46:56PM -0400, Luiz Augusto von Dentz wrote:
> Hi Uwe,
>
> On Mon, Apr 20, 2026 at 4:31 PM Uwe Kleine-König (The Capable Hub)
> <u.kleine-koenig@baylibre.com> wrote:
> >
> > Hello,
> >
> > On Fri, Apr 17, 2026 at 03:10:47PM +0200, Uwe Kleine-König (The Capable Hub) wrote:
> > > On all current Linux architectures sizeof(long) == sizeof(void *) and
> > > this is used a lot through the kernel. For example it enables the usual
> > > practice to store pointers in sdio_driver_id's .driver_data member.
> > >
> > > This works fine, but involves casting and thus isn't type-safe.
> > > Additionally with the CHERI architecture extension there are machines
> > > with sizeof(void *) > sizeof(long) for with the traditional approach of
> > > storing a pointer in .driver_data doesn't work.
> > >
> > > By replacing the plain unsigned long .driver_data by an anonymous union,
> > > most of the casting can be dropped and it yields a working solution for
> > > CHERI.
> > >
> > > All users of struct sdio_driver_id are initialized in a way that is
> > > compatible with the new definition, so no adaptions are needed there.
> >
> > sashiko.dev found s/sdio_driver_id/sdio_device_id/ twice in the commit
> > log and once in the short log. If you consider applying this patch
> > please adapt the commit message accordingly.
>
> No problem I can fix them up once applying.
Now that Ulf gave his blessing, would you please merge the first patch
and the bluetooth ones (#2 and #3)? I will follow up then once your tree
hits Linus's tree with the remaining patches for wifi.
Please don't forget about s/sdio_driver_id/sdio_device_id/.
Thanks
Uwe
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply
* [Bug 221521] Bluetooth: btusb/mt7921 - Failed to send wmt func ctrl (-22) on MediaTek MT7921 combo adapter
From: bugzilla-daemon @ 2026-05-26 7:53 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-221521-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=221521
Artem S. Tashkinov (aros@gmx.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sergey@batalov.email
--- Comment #14 from Artem S. Tashkinov (aros@gmx.com) ---
*** Bug 221576 has been marked as a duplicate of this bug. ***
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply
* [Bug 221576] btmtk: MT7925 USB Bluetooth fails with "Failed to send wmt func ctrl (-22)" since kernel 7.0.7
From: bugzilla-daemon @ 2026-05-26 7:53 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-221576-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=221576
Artem S. Tashkinov (aros@gmx.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #1 from Artem S. Tashkinov (aros@gmx.com) ---
This is fixed in 7.0.10.
*** This bug has been marked as a duplicate of bug 221521 ***
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply
* [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bnep_add_connection
From: syzbot @ 2026-05-26 6:46 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, marcel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 4d3a2a466b8d HID: core: Fix size_t specifier in hid_report..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=111e702e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7f195f6be48c12ec
dashboard link: https://syzkaller.appspot.com/bug?extid=604a39147226ba42d117
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-4d3a2a46.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e6f8ace9c896/vmlinux-4d3a2a46.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d18ecf0e8cf/bzImage-4d3a2a46.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+604a39147226ba42d117@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1764
==================================================================
BUG: KASAN: slab-use-after-free in strnlen+0x66/0x90 lib/string.c:432
Read of size 1 at addr ffff8880126e8120 by task syz.0.0/5330
CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
strnlen+0x66/0x90 lib/string.c:432
strnlen include/linux/fortify-string.h:231 [inline]
__fortify_strlen include/linux/fortify-string.h:267 [inline]
strcpy include/linux/fortify-string.h:794 [inline]
bnep_add_connection+0x90c/0xca0 net/bluetooth/bnep/core.c:649
do_bnep_sock_ioctl+0x40b/0x650 net/bluetooth/bnep/sock.c:83
sock_do_ioctl+0x101/0x320 net/socket.c:1313
sock_ioctl+0x5c6/0x7f0 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3074f9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3075f38fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f3075215fa0 RCX: 00007f3074f9ce59
RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000006
RBP: 00007f3075032d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3075216038 R14: 00007f3075215fa0 R15: 00007fff1a9f2b28
</TASK>
Allocated by task 5330:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kvmalloc_node_noprof+0x528/0x8a0 mm/slub.c:6832
alloc_netdev_mqs+0xa8/0x1210 net/core/dev.c:12029
bnep_add_connection+0x214/0xca0 net/bluetooth/bnep/core.c:584
do_bnep_sock_ioctl+0x40b/0x650 net/bluetooth/bnep/sock.c:83
sock_do_ioctl+0x101/0x320 net/socket.c:1313
sock_ioctl+0x5c6/0x7f0 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5333:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6250 [inline]
kfree+0x1c5/0x640 mm/slub.c:6565
device_release+0xc4/0x1f0 drivers/base/core.c:-1
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x228/0x560 lib/kobject.c:737
bnep_session+0x2b45/0x2c50 net/bluetooth/bnep/core.c:545
kthread+0x389/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff8880126e8000
which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 288 bytes inside of
freed 4096-byte region [ffff8880126e8000, ffff8880126e9000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88801abd5001
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac58500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800040004 00000000f5000000 ffff88801abd5001
head: 00fff00000000040 ffff88801ac58500 dead000000000100 dead000000000122
head: 0000000000000000 0000000800040004 00000000f5000000 ffff88801abd5001
head: 00fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4709, tgid 4709 (udevd), ts 42519099965, free_ts 42499523170
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7271
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kvmalloc_node_noprof+0x657/0x8a0 mm/slub.c:6832
seq_buf_alloc fs/seq_file.c:39 [inline]
seq_read_iter+0x202/0xe10 fs/seq_file.c:211
new_sync_read fs/read_write.c:493 [inline]
vfs_read+0x582/0xa70 fs/read_write.c:574
ksys_read+0x150/0x270 fs/read_write.c:717
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 4707 tgid 4707 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2943
__slab_free+0x274/0x2c0 mm/slub.c:5612
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kvmalloc_node_noprof+0x4d7/0x8a0 mm/slub.c:6832
seq_buf_alloc fs/seq_file.c:39 [inline]
seq_read_iter+0x202/0xe10 fs/seq_file.c:211
new_sync_read fs/read_write.c:493 [inline]
vfs_read+0x582/0xa70 fs/read_write.c:574
ksys_read+0x150/0x270 fs/read_write.c:717
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880126e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880126e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880126e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880126e8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880126e8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply
* Re: [PATCH v1 1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt
From: Paul Menzel @ 2026-05-26 6:43 UTC (permalink / raw)
To: Muhammad Bilal
Cc: linux-bluetooth, marcel, luiz.dentz, gregkh, johan.hedberg,
linux-kernel, stable
In-Reply-To: <20260526021747.31634-1-meatuni001@gmail.com>
Dear Muhammad,
Thank you for your patch.
Am 26.05.26 um 04:17 schrieb Muhammad Bilal:
> l2cap_get_conf_opt() reads opt->val via a switch on opt->len (1, 2,
> or 4 bytes). opt->len is a remote-controlled u8. All three callers
> loop on (len >= L2CAP_CONF_OPT_SIZE), so the loop body executes with
> as few as 2 bytes remaining. A packet ending with opt->len=4 and
> only 2 bytes left causes get_unaligned_le32(opt->val) to read 4 bytes
> past the buffer before the caller can act on the return value.
>
> Commit 7c9cbd0b5e38 ("Bluetooth: Verify that l2cap_get_conf_opt
> provides large enough buffer") added a post-call len < 0 guard in
> each caller, but the over-read fires inside l2cap_get_conf_opt()
> before that guard is reached.
>
> Add a buflen parameter and validate L2CAP_CONF_OPT_SIZE + opt->len
> <= buflen before any access to opt->val. Return -EINVAL on
> violation. Update all three callers to capture the return value and
> break on negative. With the bounds check ensuring the option fits
> within the remaining buffer, the post-call len < 0 check is no
> longer needed and is removed.
By any chance, do you have a reproducer?
> Fixes: 7c9cbd0b5e38 ("Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer")
> Cc: stable@vger.kernel.org
> Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
> ---
> net/bluetooth/l2cap_core.c | 31 ++++++++++++++++++++++++-------
> 1 file changed, 24 insertions(+), 7 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index fdccd62ccca8..6052ffb280ac 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -3051,12 +3051,23 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
> }
>
> static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
> - unsigned long *val)
> + unsigned long *val, size_t buflen)
> {
> struct l2cap_conf_opt *opt = *ptr;
> int len;
>
> + /* Guard opt->len dereference: reject if the 2-byte option header
> + * itself does not fit in the remaining buffer.
> + */
> + if (buflen < L2CAP_CONF_OPT_SIZE)
> + return -EINVAL;
I always wonder, if Linux should log a debug message or even warning.
> +
> len = L2CAP_CONF_OPT_SIZE + opt->len;
> +
> + /* Reject options whose payload extends past the remaining buffer. */
> + if ((size_t)len > buflen)
> + return -EINVAL;
Ditto.
> +
> *ptr += len;
>
> *type = opt->type;
> @@ -3437,9 +3448,11 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
> BT_DBG("chan %p", chan);
>
> while (len >= L2CAP_CONF_OPT_SIZE) {
> - len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
> - if (len < 0)
> + int optlen = l2cap_get_conf_opt(&req, &type, &olen, &val, len);
> +
> + if (optlen < 0)
> break;
> + len -= optlen;
>
> hint = type & L2CAP_CONF_HINT;
> type &= L2CAP_CONF_MASK;
> @@ -3675,9 +3688,11 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
> BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
>
> while (len >= L2CAP_CONF_OPT_SIZE) {
> - len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
> - if (len < 0)
> + int optlen = l2cap_get_conf_opt(&rsp, &type, &olen, &val, len);
> +
> + if (optlen < 0)
> break;
> + len -= optlen;
>
> switch (type) {
> case L2CAP_CONF_MTU:
> @@ -3946,9 +3961,11 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
> return;
>
> while (len >= L2CAP_CONF_OPT_SIZE) {
> - len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
> - if (len < 0)
> + int optlen = l2cap_get_conf_opt(&rsp, &type, &olen, &val, len);
> +
> + if (optlen < 0)
> break;
> + len -= optlen;
>
> switch (type) {
> case L2CAP_CONF_RFC:
The diff looks good.
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul
^ permalink raw reply
* RE: Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
From: bluez.test.bot @ 2026-05-26 5:06 UTC (permalink / raw)
To: linux-bluetooth, winter91
In-Reply-To: <tencent_859B04510A77948C6A97FF769CBB9262A007@qq.com>
[-- Attachment #1: Type: text/plain, Size: 1042 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100686
---Test result---
Test Summary:
CheckPatch PASS 0.68 seconds
VerifyFixes PASS 0.12 seconds
VerifySignedoff PASS 0.12 seconds
GitLint PASS 0.30 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 27.63 seconds
CheckAllWarning PASS 30.35 seconds
CheckSparse PASS 28.49 seconds
BuildKernel32 PASS 26.83 seconds
TestRunnerSetup PASS 584.38 seconds
TestRunner_6lowpan-tester PASS 22.86 seconds
IncrementalBuild PASS 27.60 seconds
https://github.com/bluez/bluetooth-next/pull/241
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: [v1,1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt
From: bluez.test.bot @ 2026-05-26 5:05 UTC (permalink / raw)
To: linux-bluetooth, meatuni001
In-Reply-To: <20260526021747.31634-1-meatuni001@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1042 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100657
---Test result---
Test Summary:
CheckPatch PASS 0.70 seconds
VerifyFixes PASS 0.11 seconds
VerifySignedoff PASS 0.12 seconds
GitLint PASS 0.29 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 26.93 seconds
CheckAllWarning PASS 29.76 seconds
CheckSparse PASS 28.95 seconds
BuildKernel32 PASS 26.00 seconds
TestRunnerSetup PASS 572.85 seconds
TestRunner_l2cap-tester PASS 59.10 seconds
IncrementalBuild PASS 25.01 seconds
https://github.com/bluez/bluetooth-next/pull/240
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [PATCH] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
From: Zhao Dongdong @ 2026-05-26 3:21 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, Zhao Dongdong
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
The skb_clone() function can return NULL if memory allocation fails.
send_mcast_pkt() calls skb_clone() without checking the return value, which
can lead to a NULL pointer dereference in send_pkt() when it dereferences
skb->data.
Add a NULL check after skb_clone() and skip the peer if the clone fails.
Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
net/bluetooth/6lowpan.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 2f03b780b40d..960a19b3e26d 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -486,6 +486,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
int ret;
local_skb = skb_clone(skb, GFP_ATOMIC);
+ if (!local_skb)
+ continue;
BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
netdev->name,
--
2.25.1
^ permalink raw reply related
* [PATCH v1 1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt
From: Muhammad Bilal @ 2026-05-26 2:17 UTC (permalink / raw)
To: linux-bluetooth
Cc: marcel, luiz.dentz, gregkh, johan.hedberg, linux-kernel, stable
l2cap_get_conf_opt() reads opt->val via a switch on opt->len (1, 2,
or 4 bytes). opt->len is a remote-controlled u8. All three callers
loop on (len >= L2CAP_CONF_OPT_SIZE), so the loop body executes with
as few as 2 bytes remaining. A packet ending with opt->len=4 and
only 2 bytes left causes get_unaligned_le32(opt->val) to read 4 bytes
past the buffer before the caller can act on the return value.
Commit 7c9cbd0b5e38 ("Bluetooth: Verify that l2cap_get_conf_opt
provides large enough buffer") added a post-call len < 0 guard in
each caller, but the over-read fires inside l2cap_get_conf_opt()
before that guard is reached.
Add a buflen parameter and validate L2CAP_CONF_OPT_SIZE + opt->len
<= buflen before any access to opt->val. Return -EINVAL on
violation. Update all three callers to capture the return value and
break on negative. With the bounds check ensuring the option fits
within the remaining buffer, the post-call len < 0 check is no
longer needed and is removed.
Fixes: 7c9cbd0b5e38 ("Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/l2cap_core.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index fdccd62ccca8..6052ffb280ac 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3051,12 +3051,23 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
}
static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
- unsigned long *val)
+ unsigned long *val, size_t buflen)
{
struct l2cap_conf_opt *opt = *ptr;
int len;
+ /* Guard opt->len dereference: reject if the 2-byte option header
+ * itself does not fit in the remaining buffer.
+ */
+ if (buflen < L2CAP_CONF_OPT_SIZE)
+ return -EINVAL;
+
len = L2CAP_CONF_OPT_SIZE + opt->len;
+
+ /* Reject options whose payload extends past the remaining buffer. */
+ if ((size_t)len > buflen)
+ return -EINVAL;
+
*ptr += len;
*type = opt->type;
@@ -3437,9 +3448,11 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
BT_DBG("chan %p", chan);
while (len >= L2CAP_CONF_OPT_SIZE) {
- len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
- if (len < 0)
+ int optlen = l2cap_get_conf_opt(&req, &type, &olen, &val, len);
+
+ if (optlen < 0)
break;
+ len -= optlen;
hint = type & L2CAP_CONF_HINT;
type &= L2CAP_CONF_MASK;
@@ -3675,9 +3688,11 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
while (len >= L2CAP_CONF_OPT_SIZE) {
- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
- if (len < 0)
+ int optlen = l2cap_get_conf_opt(&rsp, &type, &olen, &val, len);
+
+ if (optlen < 0)
break;
+ len -= optlen;
switch (type) {
case L2CAP_CONF_MTU:
@@ -3946,9 +3961,11 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
return;
while (len >= L2CAP_CONF_OPT_SIZE) {
- len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
- if (len < 0)
+ int optlen = l2cap_get_conf_opt(&rsp, &type, &olen, &val, len);
+
+ if (optlen < 0)
break;
+ len -= optlen;
switch (type) {
case L2CAP_CONF_RFC:
--
2.53.0
^ permalink raw reply related
* RE: Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
From: bluez.test.bot @ 2026-05-25 18:35 UTC (permalink / raw)
To: linux-bluetooth, doruk
In-Reply-To: <20260525162438.96881-1-doruk@0sec.ai>
[-- Attachment #1: Type: text/plain, Size: 3602 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100544
---Test result---
Test Summary:
CheckPatch FAIL 0.76 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.14 seconds
GitLint PASS 0.34 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 25.79 seconds
CheckAllWarning PASS 28.12 seconds
CheckSparse PASS 27.01 seconds
BuildKernel32 PASS 25.40 seconds
TestRunnerSetup PASS 532.35 seconds
TestRunner_l2cap-tester PASS 61.90 seconds
TestRunner_iso-tester PASS 88.07 seconds
TestRunner_bnep-tester PASS 19.91 seconds
TestRunner_mgmt-tester FAIL 214.11 seconds
TestRunner_rfcomm-tester PASS 25.41 seconds
TestRunner_sco-tester PASS 32.40 seconds
TestRunner_ioctl-tester PASS 26.22 seconds
TestRunner_mesh-tester FAIL 26.05 seconds
TestRunner_smp-tester PASS 23.65 seconds
TestRunner_userchan-tester PASS 20.11 seconds
TestRunner_6lowpan-tester PASS 23.00 seconds
IncrementalBuild PASS 24.77 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 035c25007c9e ("Bluetooth: hci_sync: Fix UAF in le_read_features_complete")'
#121:
This is the same class of bug as the one fixed by commit 035c25007c9e
("Bluetooth: hci_sync: Fix UAF on le_read_features_complete") which
WARNING: Please use correct Fixes: style 'Fixes: <12+ chars of sha1> ("<title line>")' - ie: 'Fixes: c09b80be6ffc ("Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED")'
#128:
Fixes: c09b80be6ffc ("Bluetooth: hci_conn: Consolidate code for LE Create CIS")
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#130:
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
total: 1 errors, 2 warnings, 0 checks, 22 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14593508.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.253 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.018 seconds
Mesh - Send cancel - 2 Timed out 1.992 seconds
https://github.com/bluez/bluetooth-next/pull/239
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB
From: bluez.test.bot @ 2026-05-25 18:26 UTC (permalink / raw)
To: linux-bluetooth, zenmchen
In-Reply-To: <20260525161942.5206-1-zenmchen@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1675 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100543
---Test result---
Test Summary:
CheckPatch FAIL 0.73 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.13 seconds
GitLint PASS 0.33 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 25.17 seconds
CheckAllWarning PASS 27.61 seconds
CheckSparse PASS 26.34 seconds
BuildKernel32 PASS 24.62 seconds
TestRunnerSetup PASS 521.83 seconds
IncrementalBuild PASS 24.34 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB
WARNING: The commit message has 'stable@', perhaps it also needs a 'Fixes:' tag?
total: 0 errors, 1 warnings, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14593507.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluetooth-next/pull/238
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-05-25 17:52 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1085439
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* RE: Add configurable default LE PHY policy
From: bluez.test.bot @ 2026-05-25 16:55 UTC (permalink / raw)
To: linux-bluetooth, tarjeib
In-Reply-To: <20260525145010.154170-2-tarjeib@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 825 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100512
---Test result---
Test Summary:
CheckPatch PASS 0.58 seconds
GitLint PASS 0.33 seconds
BuildEll PASS 20.48 seconds
BluezMake PASS 632.11 seconds
CheckSmatch PASS 328.33 seconds
bluezmakeextell PASS 167.60 seconds
IncrementalBuild PASS 620.54 seconds
ScanBuild PASS 923.33 seconds
https://github.com/bluez/bluez/pull/2153
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [Bug 221576] New: btmtk: MT7925 USB Bluetooth fails with "Failed to send wmt func ctrl (-22)" since kernel 7.0.7
From: bugzilla-daemon @ 2026-05-25 16:52 UTC (permalink / raw)
To: linux-bluetooth
https://bugzilla.kernel.org/show_bug.cgi?id=221576
Bug ID: 221576
Summary: btmtk: MT7925 USB Bluetooth fails with "Failed to send
wmt func ctrl (-22)" since kernel 7.0.7
Product: Drivers
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Bluetooth
Assignee: linux-bluetooth@vger.kernel.org
Reporter: sergey@batalov.email
Regression: No
Regression between kernel 7.0.2 (working) and 7.0.7 (broken) and 7.0.9
(broken).
Hardware: ThinkPad, MediaTek MT7925 USB Bluetooth
USB ID: 0e8d:e025 (MediaTek Inc. Wireless_Device)
Kernel 7.0.2: Bluetooth initializes successfully
"Bluetooth: hci0: Device setup in 1774290 usecs"
Kernel 7.0.7 and 7.0.9: Initialization fails
"Bluetooth: hci0: HW/SW Version: 0x00000000, Build Time: 20260414153243"
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)"
"Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is
advertised, but not supported."
Firmware: mediatek/mt7925/BT_RAM_CODE_MT7925_1_1_hdr.bin (present, correct md5)
Distribution: openSUSE Tumbleweed
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
^ permalink raw reply
* [PATCH] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
From: Doruk Tan Ozturk @ 2026-05-25 16:24 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, security, Doruk Tan Ozturk, stable
hci_le_create_cis_sync() dereferences conn->conn_timeout after releasing
both rcu_read_lock() and hci_dev_lock(hdev). The conn pointer was
obtained from an RCU-protected iteration over hdev->conn_hash.list and
is not valid once these locks are dropped. A concurrent disconnect can
free the hci_conn between the unlock and the dereference, causing a
use-after-free read.
The cancellation mechanism in hci_conn_del() cannot prevent this because
hci_le_create_cis_pending() queues hci_create_cis_sync with data=NULL:
hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
While hci_conn_del() dequeues with data=conn:
hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
Since NULL != conn, the lookup in _hci_cmd_sync_lookup_entry() never
matches, and the pending work item is not cancelled.
Fix this by saving conn->conn_timeout into a local variable while the
locks are still held, so the stale conn pointer is never dereferenced
after unlock.
This is the same class of bug as the one fixed by commit 035c25007c9e
("Bluetooth: hci_sync: Fix UAF on le_read_features_complete") which
addressed the identical pattern in a different function.
This vulnerability was identified using 0sec.ai, an open-source
automated security auditing platform (https://github.com/0sec-labs).
Fixes: c09b80be6ffc ("Bluetooth: hci_conn: Consolidate code for LE Create CIS")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
net/bluetooth/hci_sync.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index XXXXXXX..XXXXXXX 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6700,6 +6700,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev)
DEFINE_FLEX(struct hci_cp_le_create_cis, cmd, cis, num_cis, 0x1f);
size_t aux_num_cis = 0;
struct hci_conn *conn;
+ u16 timeout = 0;
u8 cig = BT_ISO_QOS_CIG_UNSET;
/* The spec allows only one pending LE Create CIS command at a time. If
@@ -6773,6 +6774,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev)
set_bit(HCI_CONN_CREATE_CIS, &conn->flags);
cis->acl_handle = cpu_to_le16(conn->parent->handle);
cis->cis_handle = cpu_to_le16(conn->handle);
+ timeout = conn->conn_timeout;
aux_num_cis++;
if (aux_num_cis >= cmd->num_cis)
@@ -6791,7 +6793,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev)
return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CIS,
struct_size(cmd, cis, cmd->num_cis),
cmd, HCI_EVT_LE_CIS_ESTABLISHED,
- conn->conn_timeout, NULL);
+ timeout, NULL);
}
int hci_le_remove_cig_sync(struct hci_dev *hdev, u8 handle)
--
2.45.0
^ permalink raw reply
* [PATCH] Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB
From: Zenm Chen @ 2026-05-25 16:19 UTC (permalink / raw)
To: marcel, luiz.dentz, linux-bluetooth, linux-kernel
Cc: pkshih, max.chou, hildawu, rtl8821cerfe2, guillem, zenmchen,
stable
Add USB ID 2c4e:0128 for Mercusys MA60XNB, an RTL8851BU-based
Wi-Fi + Bluetooth adapter.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below:
T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=2c4e ProdID=0128 Rev= 0.00
S: Manufacturer=Realtek
S: Product=802.11ax WLAN Adapter
S: SerialNumber=00e04c000001
C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtw89_8851bu
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org # 6.6.x
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 3523d86a4..a13f10c7a 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -532,6 +532,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x7392, 0xe611), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2c4e, 0x0128), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8852AE Bluetooth devices */
{ USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK |
--
2.53.0
^ permalink raw reply related
* [bluez/bluez]
From: BluezTestBot @ 2026-05-25 16:10 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1100433
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [bluez/bluez] c3044c: adapter: Add configurable default LE PHYs
From: Tarjei @ 2026-05-25 16:09 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1100512
Home: https://github.com/bluez/bluez
Commit: c3044c94775a69cedf42fe5b0dd5887941c5b8c1
https://github.com/bluez/bluez/commit/c3044c94775a69cedf42fe5b0dd5887941c5b8c1
Author: Tarjei Bitustøyl <tarjeib@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/adapter.c
M src/btd.h
M src/main.c
M src/main.conf
Log Message:
-----------
adapter: Add configurable default LE PHYs
Some controllers mis-handle LE procedures on specific PHYs with
certain peers. On an Intel AX210-class controller, connecting to a
Frostbay BLE device can fail during early ATT/GATT setup unless the
adapter is limited to LE 1M TX/RX.
Add an opt-in [LE] DefaultPHYs setting to bluetoothd and apply it at
adapter startup using MGMT_OP_GET/SET_PHY_CONFIGURATION while
preserving non-configurable PHY bits.
This provides a generic, adapter-wide workaround for controller-
specific LE PHY interoperability problems affecting scanning and
connection establishment, without adding device-specific quirks.
v4:
- Replace the hard tabs in the changelog continuation lines with spaces
to satisfy GitLint.
v3:
- Match the queue header include spelling in main.c with device.h to
avoid the Sparse redefinition warning seen in CI.
v2:
- Check MGMT_SETTING_PHY_CONFIGURATION before sending PHY
configuration commands.
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [PATCH BlueZ v4 1/1] adapter: Add configurable default LE PHYs
From: Tarjei Bitustøyl @ 2026-05-25 14:50 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Tarjei Bitustøyl
In-Reply-To: <20260525145010.154170-1-tarjeib@gmail.com>
Some controllers mis-handle LE procedures on specific PHYs with
certain peers. On an Intel AX210-class controller, connecting to a
Frostbay BLE device can fail during early ATT/GATT setup unless the
adapter is limited to LE 1M TX/RX.
Add an opt-in [LE] DefaultPHYs setting to bluetoothd and apply it at
adapter startup using MGMT_OP_GET/SET_PHY_CONFIGURATION while
preserving non-configurable PHY bits.
This provides a generic, adapter-wide workaround for controller-
specific LE PHY interoperability problems affecting scanning and
connection establishment, without adding device-specific quirks.
v4:
- Replace the hard tabs in the changelog continuation lines with spaces
to satisfy GitLint.
v3:
- Match the queue header include spelling in main.c with device.h to
avoid the Sparse redefinition warning seen in CI.
v2:
- Check MGMT_SETTING_PHY_CONFIGURATION before sending PHY
configuration commands.
---
src/adapter.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/btd.h | 2 ++
src/main.c | 63 +++++++++++++++++++++++++++++++++++++++-
src/main.conf | 8 ++++++
4 files changed, 151 insertions(+), 1 deletion(-)
diff --git a/src/adapter.c b/src/adapter.c
index 20f7c3e03..46df362c5 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -4972,6 +4972,84 @@ done:
mgmt_tlv_list_free(list);
}
+static void set_default_le_phys_complete(uint8_t status, uint16_t length,
+ const void *param, void *user_data)
+{
+ struct btd_adapter *adapter = user_data;
+
+ if (status != MGMT_STATUS_SUCCESS)
+ btd_error(adapter->dev_id,
+ "Failed to set default LE PHYs for hci%u: %s (0x%02x)",
+ adapter->dev_id, mgmt_errstr(status), status);
+}
+
+static void get_default_le_phys_complete(uint8_t status, uint16_t length,
+ const void *param, void *user_data)
+{
+ struct btd_adapter *adapter = user_data;
+ const struct mgmt_rp_get_phy_confguration *rp = param;
+ struct mgmt_cp_set_phy_confguration cp;
+ uint32_t configurable_phys;
+ uint32_t selected_phys;
+ uint32_t next_phys;
+
+ if (status != MGMT_STATUS_SUCCESS) {
+ btd_error(adapter->dev_id,
+ "Failed to read PHY configuration for hci%u: %s (0x%02x)",
+ adapter->dev_id, mgmt_errstr(status), status);
+ return;
+ }
+
+ if (length < sizeof(*rp)) {
+ btd_error(adapter->dev_id,
+ "Too small get PHY configuration response for hci%u",
+ adapter->dev_id);
+ return;
+ }
+
+ configurable_phys = btohl(rp->configurable_phys);
+ selected_phys = btohl(rp->selected_phys);
+
+ configurable_phys &= MGMT_PHY_LE_TX_MASK | MGMT_PHY_LE_RX_MASK;
+ next_phys = selected_phys & ~configurable_phys;
+ next_phys |= btd_opts.default_le_phys & configurable_phys;
+
+ if (next_phys == selected_phys)
+ return;
+
+ cp.selected_phys = cpu_to_le32(next_phys);
+
+ if (mgmt_send(adapter->mgmt, MGMT_OP_SET_PHY_CONFIGURATION,
+ adapter->dev_id, sizeof(cp), &cp,
+ set_default_le_phys_complete, adapter, NULL) > 0)
+ return;
+
+ btd_error(adapter->dev_id,
+ "Failed to set default LE PHYs for hci%u",
+ adapter->dev_id);
+}
+
+static void load_default_le_phys(struct btd_adapter *adapter)
+{
+ if (!btd_opts.default_le_phys_configured)
+ return;
+
+ if (!(adapter->supported_settings & MGMT_SETTING_LE))
+ return;
+
+ if (!(adapter->supported_settings & MGMT_SETTING_PHY_CONFIGURATION))
+ return;
+
+ if (mgmt_send(adapter->mgmt, MGMT_OP_GET_PHY_CONFIGURATION,
+ adapter->dev_id, 0, NULL,
+ get_default_le_phys_complete, adapter, NULL) > 0)
+ return;
+
+ btd_error(adapter->dev_id,
+ "Failed to read PHY configuration for hci%u",
+ adapter->dev_id);
+}
+
static void load_devices(struct btd_adapter *adapter)
{
char dirname[PATH_MAX];
@@ -9455,6 +9533,7 @@ load:
btd_profile_foreach(probe_profile, adapter);
clear_blocked(adapter);
load_defaults(adapter);
+ load_default_le_phys(adapter);
load_devices(adapter);
/* restore Service Changed CCC value for bonded devices */
diff --git a/src/btd.h b/src/btd.h
index db2e81239..59f44dc8c 100644
--- a/src/btd.h
+++ b/src/btd.h
@@ -140,6 +140,8 @@ struct btd_opts {
bool device_privacy;
uint32_t name_request_retry_delay;
uint8_t secure_conn;
+ uint32_t default_le_phys;
+ bool default_le_phys_configured;
struct btd_defaults defaults;
diff --git a/src/main.c b/src/main.c
index 8aa19a3e3..83be19be3 100644
--- a/src/main.c
+++ b/src/main.c
@@ -32,6 +32,7 @@
#include <dbus/dbus.h>
#include "bluetooth/bluetooth.h"
+#include "bluetooth/mgmt.h"
#include "bluetooth/sdp.h"
#include "gdbus/gdbus.h"
@@ -43,7 +44,7 @@
#include "shared/att-types.h"
#include "shared/mainloop.h"
#include "shared/timeout.h"
-#include "shared/queue.h"
+#include "src/shared/queue.h"
#include "shared/crypto.h"
#include "bluetooth/uuid.h"
#include "shared/util.h"
@@ -132,6 +133,7 @@ static const char *le_options[] = {
"Autoconnecttimeout",
"AdvMonAllowlistScanDuration",
"AdvMonNoFilterScanDuration",
+ "DefaultPHYs",
"EnableAdvMonInterleaveScan",
NULL
};
@@ -145,6 +147,8 @@ static const char *policy_options[] = {
NULL
};
+static void parse_default_le_phys(GKeyFile *config);
+
static const char *gatt_options[] = {
"Cache",
"KeySize",
@@ -751,6 +755,7 @@ static void parse_le_config(GKeyFile *config)
return;
parse_mode_config(config, "LE", params, ARRAY_SIZE(params));
+ parse_default_le_phys(config);
}
static bool match_experimental(const void *data, const void *match_data)
@@ -966,6 +971,62 @@ static void parse_repairing(GKeyFile *config)
g_free(str);
}
+struct phy_config_entry {
+ const char *name;
+ uint32_t bit;
+};
+
+static const struct phy_config_entry le_phy_configs[] = {
+ { "LE1MTX", MGMT_PHY_LE_1M_TX },
+ { "LE1MRX", MGMT_PHY_LE_1M_RX },
+ { "LE2MTX", MGMT_PHY_LE_2M_TX },
+ { "LE2MRX", MGMT_PHY_LE_2M_RX },
+ { "LECODEDTX", MGMT_PHY_LE_CODED_TX },
+ { "LECODEDRX", MGMT_PHY_LE_CODED_RX },
+};
+
+static void parse_default_le_phys(GKeyFile *config)
+{
+ char *str = NULL;
+ char **tokens;
+ uint32_t phys = 0;
+ bool valid = false;
+ int i;
+
+ if (!parse_config_string(config, "LE", "DefaultPHYs", &str))
+ return;
+
+ tokens = g_strsplit_set(str, ", \t", -1);
+
+ for (i = 0; tokens[i]; i++) {
+ const char *token = tokens[i];
+ size_t j;
+
+ if (!token[0])
+ continue;
+
+ for (j = 0; j < ARRAY_SIZE(le_phy_configs); j++) {
+ if (strcasecmp(le_phy_configs[j].name, token) != 0)
+ continue;
+
+ phys |= le_phy_configs[j].bit;
+ valid = true;
+ break;
+ }
+
+ if (j == ARRAY_SIZE(le_phy_configs))
+ warn("Invalid DefaultPHYs token: %s", token);
+ }
+
+ if (valid) {
+ btd_opts.default_le_phys = phys;
+ btd_opts.default_le_phys_configured = true;
+ }
+
+ g_strfreev(tokens);
+ g_free(str);
+}
+
static bool parse_config_hex(GKeyFile *config, char *group,
const char *key, uint32_t *val)
{
diff --git a/src/main.conf b/src/main.conf
index 5846ef92d..ed955897e 100644
--- a/src/main.conf
+++ b/src/main.conf
@@ -247,6 +247,14 @@
# Default: 500
#AdvMonNoFilterScanDuration=
+# Configure the controller's default LE PHY policy used for scanning and
+# connection establishment. Only configurable LE PHYs are changed; mandatory
+# PHYs remain selected automatically.
+# Possible values: comma or space separated list of LE1MTX, LE1MRX, LE2MTX,
+# LE2MRX, LECODEDTX, LECODEDRX.
+# Example: keep LE on 1M only.
+#DefaultPHYs = LE1MTX LE1MRX
+
# Enable/Disable Advertisement Monitor interleave scan for power saving.
# 0: disable
# 1: enable
--
2.43.0
^ permalink raw reply related
* [PATCH BlueZ v4 0/1] Add configurable default LE PHY policy
From: Tarjei Bitustøyl @ 2026-05-25 14:50 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Tarjei Bitustøyl
In-Reply-To: <20260524221421.258593-1-tarjeib@gmail.com>
This adds an opt-in bluetoothd setting for the adapter's default LE PHY
policy.
v4:
- Replace the hard tabs in the changelog continuation lines with spaces
to satisfy GitLint.
v3:
- Match the queue header include spelling in main.c with device.h to
avoid the Sparse redefinition warning seen in CI.
v2:
- Check MGMT_SETTING_PHY_CONFIGURATION before sending PHY
configuration commands.
Tarjei Bitustøyl (1):
adapter: Add configurable default LE PHYs
src/adapter.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/btd.h | 2 ++
src/main.c | 63 +++++++++++++++++++++++++++++++++++++++-
src/main.conf | 8 ++++++
4 files changed, 151 insertions(+), 1 deletion(-)
--
2.43.0
^ permalink raw reply
* RE: Add configurable default LE PHY policy
From: bluez.test.bot @ 2026-05-25 14:33 UTC (permalink / raw)
To: linux-bluetooth, tarjeib
In-Reply-To: <20260525113709.115020-2-tarjeib@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1144 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1100433
---Test result---
Test Summary:
CheckPatch PASS 0.39 seconds
GitLint FAIL 0.21 seconds
BuildEll PASS 19.92 seconds
BluezMake PASS 646.41 seconds
CheckSmatch PASS 354.93 seconds
bluezmakeextell PASS 182.02 seconds
IncrementalBuild PASS 665.89 seconds
ScanBuild PASS 1045.30 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v3,1/1] adapter: Add configurable default LE PHYs
18: B3 Line contains hard tab characters (\t): " avoid the Sparse redefinition warning seen in CI."
22: B3 Line contains hard tab characters (\t): " configuration commands."
https://github.com/bluez/bluez/pull/2152
---
Regards,
Linux Bluetooth
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox