* Re: [PATCH v2 0/3] Bluetooth: hci_core: Refactor HCI reset functions
From: patchwork-bot+bluetooth @ 2026-05-27 20:50 UTC
To: Heitor Alves de Siqueira
Cc: marcel, luiz.dentz, padovan, schspa, linux-bluetooth,
linux-kernel, kernel-dev, luiz.von.dentz
In-Reply-To: <20260526-hci_send-v2-0-596977a9a814@igalia.com>
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Tue, 26 May 2026 10:50:56 -0300 you wrote:
> Dear maintainers,
>
> While investigating some warnings reported by syzbot on the hdev
> workqueue, Luiz kindly mentioned the possibility of reworking the reset
> functions in hci_core. A lot of the work done "manually" in
> hci_dev_do_reset() is already handled by the close/open functions in
> hci_sync, and those also handle missing functionality related to LE,
> discovery and advertising.
>
> [...]
Here is the summary with links:
- [v2,1/3] Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions
https://git.kernel.org/bluetooth/bluetooth-next/c/54f93846b7a8
- [v2,2/3] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
https://git.kernel.org/bluetooth/bluetooth-next/c/db6e813f5789
- [v2,3/3] Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
https://git.kernel.org/bluetooth/bluetooth-next/c/a92f90568cc9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH 1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
From: patchwork-bot+bluetooth @ 2026-05-27 20:50 UTC
To: Muhammad Bilal; +Cc: linux-bluetooth, stable, marcel, luiz.dentz
In-Reply-To: <20260527045919.39077-1-meatuni001@gmail.com>
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 27 May 2026 04:59:17 +0000 you wrote:
> iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
> before using sk, with no reference held. A concurrent iso_sock_kill()
> can free sk in that window, causing use-after-free on sk->sk_state and
> sock_queue_rcv_skb().
>
> Fix by replacing the bare pointer read with iso_sock_hold(conn), which
> calls sock_hold() while the spinlock is held, atomically elevating the
> refcount before the lock drops. Add a drop_put label so sock_put() is
> called on all exit paths where the hold succeeded.
>
> [...]
Here is the summary with links:
- [1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
https://git.kernel.org/bluetooth/bluetooth-next/c/7e3545cc3d1a
- [2/2] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
https://git.kernel.org/bluetooth/bluetooth-next/c/7978ae58aafb
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [bluez/bluez]
From: BluezTestBot @ 2026-05-27 19:09 UTC
To: linux-bluetooth
Branch: refs/heads/1086284
Home: https://github.com/bluez/bluez
* RE: Bluetooth: MGMT: Add management security level changed event
From: bluez.test.bot @ 2026-05-27 14:34 UTC
To: linux-bluetooth, frederic.danis
In-Reply-To: <20260527115841.267098-1-frederic.danis@collabora.com>
This is an automated email; please do not reply to it.
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1101615
---Test result---
Test Summary:
CheckPatch PASS 1.66 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.14 seconds
GitLint PASS 0.34 seconds
SubjectPrefix PASS 0.50 seconds
BuildKernel PASS 28.67 seconds
CheckAllWarning PASS 32.03 seconds
CheckSparse PASS 30.47 seconds
BuildKernel32 PASS 28.42 seconds
TestRunnerSetup PASS 613.90 seconds
TestRunner_l2cap-tester FAIL 61.35 seconds
TestRunner_iso-tester PASS 80.34 seconds
TestRunner_bnep-tester PASS 20.17 seconds
TestRunner_mgmt-tester FAIL 217.24 seconds
TestRunner_rfcomm-tester PASS 25.59 seconds
TestRunner_sco-tester PASS 32.88 seconds
TestRunner_ioctl-tester PASS 27.11 seconds
TestRunner_mesh-tester FAIL 25.93 seconds
TestRunner_smp-tester PASS 23.64 seconds
TestRunner_userchan-tester PASS 20.19 seconds
TestRunner_6lowpan-tester PASS 23.27 seconds
IncrementalBuild PASS 26.27 seconds
Details
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0
Failed Test Cases
L2CAP BR/EDR Server - Set PHY 1M Failed 0.274 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.247 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.006 seconds
Mesh - Send cancel - 2 Timed out 1.998 seconds
https://github.com/bluez/bluetooth-next/pull/250
---
Regards,
Linux Bluetooth
* [bluez/bluez]
From: BluezTestBot @ 2026-05-27 13:48 UTC
To: linux-bluetooth
Branch: refs/heads/1086088
Home: https://github.com/bluez/bluez
* Re: [PATCH v7 1/2] dt-bindings: net: bluetooth: Add brcm,bcm4384-bt
From: Krzysztof Kozlowski @ 2026-05-27 13:12 UTC
To: kaihsin Chung, linux-bluetooth
Cc: marcel, luiz.dentz, devicetree, robh, krzk+dt, conor+dt,
linux-kernel, kaihsin Chung
In-Reply-To: <20260527090849.3647601-2-kaihsin.chung@synaptics.com>
On 27/05/2026 11:08, kaihsin Chung wrote:
> Add the compatible string for the Broadcom BCM4384
> Bluetooth controller.
>
> Signed-off-by: Kaihsin Chung <kaihsin.chung@synaptics.com>
> ---
You ignored most of my comments and made the same mistakes. Go back to
the previous version and implement the comments.
Best regards,
Krzysztof
* [PATCH] Bluetooth: MGMT: Add management security level changed event
From: Frédéric Danis @ 2026-05-27 11:58 UTC
To: linux-bluetooth
Add an event on device security level change to let user space
know which level is currently in use.
Reset security level to 0 on disconnection so further connections
will correctly report security level changes.
This will be used for BlueZ qualification automation.
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
---
include/net/bluetooth/hci_core.h | 7 +++++--
include/net/bluetooth/mgmt.h | 6 ++++++
net/bluetooth/hci_conn.c | 16 +++++++++++++---
net/bluetooth/hci_event.c | 8 ++++----
net/bluetooth/mgmt.c | 13 +++++++++++++
5 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index aa600fbf9a53..5883d563bd6b 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1863,6 +1863,8 @@ int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type);
void hci_smp_ltks_clear(struct hci_dev *hdev);
int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
+void hci_conn_set_sec_level(struct hci_conn *conn, u8 sec_level);
+
struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa);
struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
u8 addr_type);
@@ -2203,10 +2205,10 @@ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status)
if (!status) {
if (conn->sec_level == BT_SECURITY_SDP)
- conn->sec_level = BT_SECURITY_LOW;
+ hci_conn_set_sec_level(conn, BT_SECURITY_LOW);
if (conn->pending_sec_level > conn->sec_level)
- conn->sec_level = conn->pending_sec_level;
+ hci_conn_set_sec_level(conn, conn->pending_sec_level);
}
mutex_lock(&hci_cb_list_lock);
@@ -2493,6 +2495,7 @@ void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip);
void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
bdaddr_t *bdaddr, u8 addr_type);
+void mgmt_security_level_changed(struct hci_conn *conn, u8 level);
int hci_abort_conn(struct hci_conn *conn, u8 reason);
void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
index 8234915854b6..9f145e387e3c 100644
--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -1195,3 +1195,9 @@ struct mgmt_ev_mesh_device_found {
struct mgmt_ev_mesh_pkt_cmplt {
__u8 handle;
} __packed;
+
+#define MGMT_EV_SECURITY_LEVEL_CHANGED 0x0033
+struct mgmt_ev_security_level_changed {
+ struct mgmt_addr_info addr;
+ __u8 level;
+} __packed;
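Review bot: the new struct mgmt_ev_security_level_changed does not say what `level` encodes; add a comment stating that it carries the connection's BT_SECURITY_* value (SDP, LOW, MEDIUM, HIGH, FIPS), and send the matching BlueZ doc/mgmt-api.txt entry for event 0x0033 with the series so user space has the wire layout (mgmt_addr_info followed by one level byte) documented.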
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 54eabaa46960..6eeebd1583fe 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1203,6 +1203,8 @@ static void hci_conn_unlink(struct hci_conn *conn)
if (!conn->parent) {
struct hci_link *link, *t;
+ hci_conn_set_sec_level(conn, BT_SECURITY_SDP);
+
list_for_each_entry_safe(link, t, &conn->link_list, list) {
struct hci_conn *child = link->conn;
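Review bot: the commit message says the level is reset "to 0 on disconnection" while the hunk writes BT_SECURITY_SDP; name BT_SECURITY_SDP in the message so the two agree. The reset also sits under `if (!conn->parent)`, so child connections are never reset; if that is deliberate because only the parent ACL/LE link carries a security level, a one-line comment next to the call would save the next reader the question.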
@@ -1504,7 +1506,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
conn->pending_sec_level = sec_level;
}
- conn->sec_level = BT_SECURITY_LOW;
+ hci_conn_set_sec_level(conn, BT_SECURITY_LOW);
conn->conn_timeout = conn_timeout;
conn->le_adv_phy = phy;
conn->le_adv_sec_phy = sec_phy;
@@ -1731,7 +1733,7 @@ struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
conn->state = BT_CONNECT;
set_bit(HCI_CONN_SCANNING, &conn->flags);
- conn->sec_level = BT_SECURITY_LOW;
+ hci_conn_set_sec_level(conn, BT_SECURITY_LOW);
conn->pending_sec_level = sec_level;
conn->conn_timeout = conn_timeout;
conn->conn_reason = conn_reason;
@@ -1779,7 +1781,7 @@ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
int err;
- acl->sec_level = BT_SECURITY_LOW;
+ hci_conn_set_sec_level(acl, BT_SECURITY_LOW);
acl->pending_sec_level = sec_level;
acl->auth_type = auth_type;
acl->conn_timeout = timeout;
@@ -3391,3 +3393,11 @@ int hci_ethtool_ts_info(unsigned int index, int sk_proto,
hci_dev_put(hdev);
return 0;
}
+
+void hci_conn_set_sec_level(struct hci_conn *conn, u8 sec_level)
+{
+ if (sec_level != conn->sec_level) {
+ conn->sec_level = sec_level;
+ mgmt_security_level_changed(conn, sec_level);
+ }
+}
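Review bot: hci_conn_set_sec_level() only emits the event when the value changes, so any write to conn->sec_level that still happens by direct assignment outside the hunks in this patch would silently desynchronise user space; the commit message should state that the remaining direct assignments were audited, or convert them too. The function is also exported through hci_core.h without a kernel-doc comment; add one that mentions the side effect of emitting the mgmt event.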
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index eea2f810aafa..d1108ce73a39 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3502,7 +3502,7 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
if (!ev->status) {
clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
set_bit(HCI_CONN_AUTH, &conn->flags);
- conn->sec_level = conn->pending_sec_level;
+ hci_conn_set_sec_level(conn, conn->pending_sec_level);
} else {
if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
@@ -3609,7 +3609,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
/* Encryption implies authentication */
set_bit(HCI_CONN_AUTH, &conn->flags);
set_bit(HCI_CONN_ENCRYPT, &conn->flags);
- conn->sec_level = conn->pending_sec_level;
+ hci_conn_set_sec_level(conn, conn->pending_sec_level);
/* P-256 authentication key implies FIPS */
if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
@@ -5212,7 +5212,7 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
goto unlock;
if (!ev->status)
- conn->sec_level = conn->pending_sec_level;
+ hci_conn_set_sec_level(conn, conn->pending_sec_level);
clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
@@ -5842,7 +5842,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
mgmt_device_connected(hdev, conn, NULL, 0);
- conn->sec_level = BT_SECURITY_LOW;
+ hci_conn_set_sec_level(conn, BT_SECURITY_LOW);
conn->state = BT_CONFIG;
/* Store current advertising instance as connection advertising instance
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index de5bd6b637b2..933ac34fc8ac 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -180,6 +180,7 @@ static const u16 mgmt_events[] = {
MGMT_EV_CONTROLLER_RESUME,
MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
MGMT_EV_ADV_MONITOR_DEVICE_LOST,
+ MGMT_EV_SECURITY_LEVEL_CHANGED,
};
static const u16 mgmt_untrusted_commands[] = {
@@ -10533,6 +10534,18 @@ void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
mgmt_adv_monitor_device_found(hdev, bdaddr, report_device, skb, NULL);
}
+void mgmt_security_level_changed(struct hci_conn *conn, u8 level)
+{
+ struct mgmt_ev_security_level_changed ev;
+
+ bacpy(&ev.addr.bdaddr, &conn->dst);
+ ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
+ ev.level = level;
+
+ mgmt_event(MGMT_EV_SECURITY_LEVEL_CHANGED, conn->hdev, &ev, sizeof(ev),
+ NULL);
+}
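Review bot: the `level` parameter duplicates conn->sec_level, which the only caller has just written before calling in; reading conn->sec_level here and dropping the parameter removes one way for the two values to disagree.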
+
void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
u8 addr_type, s8 rssi, u8 *name, u8 name_len)
{
--
2.43.0
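The event this patch adds is consumed over the management socket, so a user-space decoder needs the exact layout. The following is an added example, not code from the patch or from BlueZ: it parses one constructed MGMT_EV_SECURITY_LEVEL_CHANGED event (assumed 6-byte mgmt_hdr followed by the 8-byte payload defined in the hunk) with length checks before every field read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the patch and from include/net/bluetooth/bluetooth.h. */
#define MGMT_EV_SECURITY_LEVEL_CHANGED 0x0033
#define MGMT_HDR_SIZE 6       /* __le16 opcode, __le16 index, __le16 len */
#define SEC_LEVEL_EV_SIZE 8   /* mgmt_addr_info (6 + 1 bytes) + __u8 level */

struct sec_level_event {
	uint16_t index;      /* controller index */
	uint8_t bdaddr[6];   /* little-endian, as carried on the wire */
	uint8_t addr_type;   /* 0 BR/EDR, 1 LE public, 2 LE random */
	uint8_t level;       /* BT_SECURITY_* */
};

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse one management event from buf. Returns 0 on success and -1 if the
 * buffer is not a complete MGMT_EV_SECURITY_LEVEL_CHANGED event; every
 * length is checked before the corresponding bytes are read. */
static int parse_sec_level_event(const uint8_t *buf, size_t len,
				 struct sec_level_event *out)
{
	if (len < MGMT_HDR_SIZE)
		return -1;
	if (get_le16(buf) != MGMT_EV_SECURITY_LEVEL_CHANGED)
		return -1;
	if (get_le16(buf + 4) != SEC_LEVEL_EV_SIZE ||
	    len < MGMT_HDR_SIZE + SEC_LEVEL_EV_SIZE)
		return -1;

	out->index = get_le16(buf + 2);
	memcpy(out->bdaddr, buf + MGMT_HDR_SIZE, 6);
	out->addr_type = buf[MGMT_HDR_SIZE + 6];
	out->level = buf[MGMT_HDR_SIZE + 7];
	return 0;
}

/* BT_SECURITY_SDP .. BT_SECURITY_FIPS are 0..4. */
static const char *sec_level_name(uint8_t level)
{
	static const char *const names[] = { "SDP", "LOW", "MEDIUM", "HIGH", "FIPS" };

	return level < sizeof(names) / sizeof(names[0]) ? names[level] : "UNKNOWN";
}

/* Constructed sample: hci0, address 11:22:33:44:55:66 (LE public), level HIGH. */
static const uint8_t sample_event[] = {
	0x33, 0x00,                         /* opcode 0x0033 */
	0x00, 0x00,                         /* controller index 0 */
	0x08, 0x00,                         /* payload length 8 */
	0x66, 0x55, 0x44, 0x33, 0x22, 0x11, /* bdaddr, little-endian */
	0x01,                               /* LE public */
	0x03,                               /* BT_SECURITY_HIGH */
};

int main(void)
{
	struct sec_level_event ev;

	if (parse_sec_level_event(sample_event, sizeof(sample_event), &ev) == 0)
		printf("hci%u %02x:%02x:%02x:%02x:%02x:%02x type %u -> %s\n",
		       ev.index, ev.bdaddr[5], ev.bdaddr[4], ev.bdaddr[3],
		       ev.bdaddr[2], ev.bdaddr[1], ev.bdaddr[0],
		       ev.addr_type, sec_level_name(ev.level));
	return 0;
}
```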
* RE: [net] 6lowpan: fix off-by-one in multicast context address compression
From: bluez.test.bot @ 2026-05-27 10:59 UTC
To: linux-bluetooth, zhaoyz24
In-Reply-To: <20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn>
This is an automated email; please do not reply to it.
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1101476
---Test result---
Test Summary:
CheckPatch FAIL 0.58 seconds
VerifyFixes PASS 0.09 seconds
VerifySignedoff PASS 0.08 seconds
GitLint PASS 0.23 seconds
SubjectPrefix FAIL 0.08 seconds
BuildKernel PASS 26.92 seconds
CheckAllWarning PASS 29.05 seconds
CheckSparse PASS 27.15 seconds
BuildKernel32 PASS 25.60 seconds
TestRunnerSetup PASS 572.33 seconds
TestRunner_l2cap-tester FAIL 58.33 seconds
TestRunner_iso-tester PASS 79.66 seconds
TestRunner_bnep-tester PASS 19.58 seconds
TestRunner_mgmt-tester FAIL 224.69 seconds
TestRunner_rfcomm-tester PASS 26.56 seconds
TestRunner_sco-tester PASS 33.37 seconds
TestRunner_ioctl-tester PASS 26.48 seconds
TestRunner_mesh-tester FAIL 25.91 seconds
TestRunner_smp-tester PASS 23.48 seconds
TestRunner_userchan-tester PASS 20.47 seconds
TestRunner_6lowpan-tester PASS 23.45 seconds
IncrementalBuild PASS 25.25 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[net] 6lowpan: fix off-by-one in multicast context address compression
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#113:
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#114:
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#115:
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#116:
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#117:
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#118:
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:GLM-5.1
total: 0 errors, 6 warnings, 0 checks, 14 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14596745.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0
Failed Test Cases
L2CAP BR/EDR Server - Set PHY 3M Failed 0.251 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.260 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.497 seconds
Mesh - Send cancel - 2 Timed out 1.995 seconds
https://github.com/bluez/bluetooth-next/pull/249
---
Regards,
Linux Bluetooth
* [PATCH v7 2/2] Bluetooth: btbcm: Add Synaptics 4384 chip support
From: kaihsin Chung @ 2026-05-27 9:08 UTC
To: linux-bluetooth
Cc: marcel, luiz.dentz, devicetree, robh, krzk+dt, conor+dt,
linux-kernel, kaihsin Chung
In-Reply-To: <20260527090849.3647601-1-kaihsin.chung@synaptics.com>
Add support for the Synaptics 4384 Bluetooth controller
by adding the corresponding chip IDs and device tree
matching support.
Signed-off-by: Kaihsin Chung <kaihsin.chung@synaptics.com>
---
drivers/bluetooth/btbcm.c | 6 +++++-
drivers/bluetooth/hci_bcm.c | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
index f9a7c790d7e2..1164cca40324 100644
--- a/drivers/bluetooth/btbcm.c
+++ b/drivers/bluetooth/btbcm.c
@@ -31,6 +31,7 @@
#define BDADDR_BCM4334B0 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb0, 0x34, 0x43}})
#define BDADDR_BCM4345C5 (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0xc5, 0x45, 0x43}})
#define BDADDR_BCM43341B (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0x1b, 0x34, 0x43}})
+#define BDADDR_BCM4384B0 (&(bdaddr_t) {{0x93, 0x76, 0x00, 0xb0, 0x84, 0x43}})
#define BCM_FW_NAME_LEN 64
#define BCM_FW_NAME_COUNT_MAX 4
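Review bot: the commit message should say where the BDADDR_BCM4384B0 default comes from (a controller without a programmed address, as for the other entries), because its first three bytes 0x93, 0x76, 0x00 differ from the 0xac, 0x1f, 0x00 and 0x00, 0x00, 0x00 pattern of the neighbouring defaults and a reviewer cannot tell from the hunk whether they are observed or mistyped.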
@@ -130,7 +131,8 @@ int btbcm_check_bdaddr(struct hci_dev *hdev)
!bacmp(&bda->bdaddr, BDADDR_BCM4345C5) ||
!bacmp(&bda->bdaddr, BDADDR_BCM43430A0) ||
!bacmp(&bda->bdaddr, BDADDR_BCM43430A1) ||
- !bacmp(&bda->bdaddr, BDADDR_BCM43341B)) {
+ !bacmp(&bda->bdaddr, BDADDR_BCM43341B) ||
+ !bacmp(&bda->bdaddr, BDADDR_BCM4384B0)) {
/* Try falling back to BDADDR EFI variable */
if (btbcm_set_bdaddr_from_efi(hdev) != 0) {
bt_dev_info(hdev, "BCM: Using default device address (%pMR)",
@@ -515,6 +517,8 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = {
{ 0x4106, "BCM4335A0" }, /* 002.001.006 */
{ 0x410c, "BCM43430B0" }, /* 002.001.012 */
{ 0x2119, "BCM4373A0" }, /* 001.001.025 */
+ { 0x2128, "BCM4384A0" },/* 001.001.040 */
+ { 0x4119, "BCM4384B0"},/* 002.001.025 */
{ }
};
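Review bot: style in the two new bcm_uart_subver_table rows: the existing rows put a space before the closing brace and between `},` and the comment (`{ 0x2119, "BCM4373A0" }, /* 001.001.025 */`), while the new lines have `},/*` and `"BCM4384B0"}`; align them with the rows above.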
diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
index 874d23089b39..783346a4a59b 100644
--- a/drivers/bluetooth/hci_bcm.c
+++ b/drivers/bluetooth/hci_bcm.c
@@ -1609,6 +1609,7 @@ static const struct of_device_id bcm_bluetooth_of_match[] = {
{ .compatible = "brcm,bcm4335a0" },
{ .compatible = "cypress,cyw4373a0-bt", .data = &cyw4373a0_device_data },
{ .compatible = "infineon,cyw55572-bt", .data = &cyw55572_device_data },
+ { .compatible = "brcm,bcm4384-bt" },
{ },
};
MODULE_DEVICE_TABLE(of, bcm_bluetooth_of_match);
--
2.43.0
* [PATCH v7 1/2] dt-bindings: net: bluetooth: Add brcm,bcm4384-bt
From: kaihsin Chung @ 2026-05-27 9:08 UTC
To: linux-bluetooth
Cc: marcel, luiz.dentz, devicetree, robh, krzk+dt, conor+dt,
linux-kernel, kaihsin Chung
In-Reply-To: <20260527090849.3647601-1-kaihsin.chung@synaptics.com>
Add the compatible string for the Broadcom BCM4384
Bluetooth controller.
Signed-off-by: Kaihsin Chung <kaihsin.chung@synaptics.com>
---
Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml b/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml
index cc70b00c6ce5..404853933b7c 100644
--- a/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml
+++ b/Documentation/devicetree/bindings/net/broadcom-bluetooth.yaml
@@ -26,6 +26,7 @@ properties:
- brcm,bcm43540-bt
- brcm,bcm4335a0
- brcm,bcm4349-bt
+ - brcm,bcm4384-bt
- cypress,cyw4373a0-bt
- infineon,cyw55572-bt
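Review bot: the binding entry and the subject use the Broadcom vendor prefix (brcm,bcm4384-bt) while the cover letter and the driver patch call the part the Synaptics 4384; the commit message should explain the choice of vendor prefix so the binding reviewer does not have to guess whether this is a Broadcom die sold by Synaptics.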
--
2.43.0
* [PATCH v7 0/2] Add Synaptics BCM4384 Bluetooth support
From: kaihsin Chung @ 2026-05-27 9:08 UTC
To: linux-bluetooth
Cc: marcel, luiz.dentz, devicetree, robh, krzk+dt, conor+dt,
linux-kernel, Kaihsin Chung
In-Reply-To: <20260408083217.1915419-1-kaihsin.chung@synaptics.com>
From: Kaihsin Chung <kaihsin.chung@synaptics.com>
This series adds support for the Synaptics BCM4384
Bluetooth controller.
Patch 1 adds the DT compatible string.
Patch 2 adds Bluetooth driver support.
kaihsin Chung (2):
dt-bindings: net: bluetooth: Add brcm,bcm4383-bt
Bluetooth: btbcm: Add Synaptics 4384 chip support
.../devicetree/bindings/net/broadcom-bluetooth.yaml | 1 +
drivers/bluetooth/btbcm.c | 6 +++++-
drivers/bluetooth/hci_bcm.c | 1 +
3 files changed, 7 insertions(+), 1 deletion(-)
--
2.43.0
* [PATCH net] 6lowpan: fix off-by-one in multicast context address compression
From: Yizhou Zhao @ 2026-05-27 8:18 UTC
To: netdev
Cc: Yizhou Zhao, Alexander Aring, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, linux-bluetooth,
linux-wpan, linux-kernel, Yuxiang Yang, Ao Wang, Xuewei Feng,
Qi Li, Ke Xu
The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.
This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
is transmitted over the network via lowpan_push_hc_data(),
leaking kernel stack contents
The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
data[0..1] = s6_addr[1..2] (flags/scope + RIID)
data[2..5] = s6_addr[12..15] (group ID)
Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:GLM-5.1
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
---
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index e116d30..37eaff3 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -1086,12 +1086,12 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
const struct lowpan_iphc_ctx *ctx,
const struct in6_addr *ipaddr)
{
- u8 data[6];
+ u8 data[6] = {};
/* flags/scope, reserved (RIID) */
memcpy(data, &ipaddr->s6_addr[1], 2);
/* group ID */
- memcpy(&data[1], &ipaddr->s6_addr[11], 4);
+ memcpy(&data[2], &ipaddr->s6_addr[12], 4);
lowpan_push_hc_data(hc_ptr, data, 6);
return LOWPAN_IPHC_DAM_00;
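Review bot: the corrected offsets match the layout the commit message gives for lowpan_uncompress_multicast_ctx_daddr() (inline bytes are s6_addr[1..2] and s6_addr[12..15]); spelling that out in the comment, e.g. `/* group ID: s6_addr[12..15] -> data[2..5] */`, would make the offsets self-checking the next time someone touches this function. With both memcpys now covering all six bytes the `= {}` is purely defensive, which the message already states.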
--
2.43.0
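An added example, not kernel code, that models the pre-fix and fixed compressors from the hunk above beside a decompressor built from the layout the commit message describes; the struct names, the context prefix and the poison byte standing in for stale stack contents are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel types, constructed for this example. */
struct in6_addr { uint8_t s6_addr[16]; };
struct lowpan_iphc_ctx { uint8_t plen; uint8_t pfx[8]; };

#define POISON 0xEE   /* models whatever was on the stack before the call */

/* Pre-fix compressor (the '-' lines of the hunk): the array is poisoned to
 * model an uninitialised stack buffer, then the second memcpy starts one
 * byte too early on both sides, clobbering data[1] and skipping data[5]. */
static void compress_buggy(const struct in6_addr *ip, uint8_t data[6])
{
	memset(data, POISON, 6);
	memcpy(data, &ip->s6_addr[1], 2);      /* flags/scope, RIID */
	memcpy(&data[1], &ip->s6_addr[11], 4); /* off by one */
}

/* Fixed compressor (the '+' lines): zeroed array and correct offsets. */
static void compress_fixed(const struct in6_addr *ip, uint8_t data[6])
{
	memset(data, 0, 6);                    /* u8 data[6] = {}; */
	memcpy(data, &ip->s6_addr[1], 2);      /* flags/scope, RIID */
	memcpy(&data[2], &ip->s6_addr[12], 4); /* group ID */
}

/* Receiver side, modelled on the layout the commit message says
 * lowpan_uncompress_multicast_ctx_daddr() expects (RFC 6282 DAM=00 with
 * M=1, DAC=1): ffXX:XXLL:PPPP:PPPP:PPPP:PPPP:XXXX:XXXX, X bytes inline,
 * L (prefix length) and P (prefix) taken from the context. */
static void decompress(const uint8_t data[6], const struct lowpan_iphc_ctx *ctx,
		       struct in6_addr *ip)
{
	ip->s6_addr[0] = 0xff;
	ip->s6_addr[1] = data[0];
	ip->s6_addr[2] = data[1];
	ip->s6_addr[3] = ctx->plen;
	memcpy(&ip->s6_addr[4], ctx->pfx, 8);
	memcpy(&ip->s6_addr[12], &data[2], 4);
}

/* Constructed vector: ff05:3340:0102:0304:0506:0708:aabb:ccdd with a /64
 * context prefix 0102:0304:0506:0708. */
static const struct in6_addr sample = {{
	0xff, 0x05, 0x33, 0x40, 0x01, 0x02, 0x03, 0x04,
	0x05, 0x06, 0x07, 0x08, 0xaa, 0xbb, 0xcc, 0xdd }};
static const struct lowpan_iphc_ctx sample_ctx = { 0x40, { 1, 2, 3, 4, 5, 6, 7, 8 } };

/* Returns 1 if compress -> decompress reproduces the address, 0 otherwise. */
static int roundtrip_ok(int fixed)
{
	uint8_t data[6];
	struct in6_addr out;

	if (fixed)
		compress_fixed(&sample, data);
	else
		compress_buggy(&sample, data);
	decompress(data, &sample_ctx, &out);
	return memcmp(&out, &sample, sizeof(out)) == 0;
}

/* Returns the byte the buggy path leaves at data[5]: the poison, i.e. the
 * stale stack byte that would have been sent over the air. */
static uint8_t leaked_byte(void)
{
	uint8_t data[6];

	compress_buggy(&sample, data);
	return data[5];
}

int main(void)
{
	printf("buggy: roundtrip %d, data[5] = 0x%02x\n", roundtrip_ok(0), leaked_byte());
	printf("fixed: roundtrip %d\n", roundtrip_ok(1));
	return 0;
}
```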
* RE: [1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
From: bluez.test.bot @ 2026-05-27 6:41 UTC
To: linux-bluetooth, meatuni001
In-Reply-To: <20260527045919.39077-1-meatuni001@gmail.com>
This is an automated email; please do not reply to it.
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1101377
---Test result---
Test Summary:
CheckPatch PASS 1.58 seconds
VerifyFixes PASS 0.13 seconds
VerifySignedoff PASS 0.13 seconds
GitLint PASS 1.16 seconds
SubjectPrefix PASS 0.25 seconds
BuildKernel PASS 25.09 seconds
CheckAllWarning PASS 27.91 seconds
CheckSparse PASS 26.59 seconds
BuildKernel32 PASS 24.64 seconds
TestRunnerSetup PASS 527.80 seconds
TestRunner_iso-tester PASS 81.16 seconds
IncrementalBuild PASS 26.12 seconds
https://github.com/bluez/bluetooth-next/pull/248
---
Regards,
Linux Bluetooth
* Re: [PATCH v1 1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt
From: Muhammad Bilal @ 2026-05-27 5:18 UTC
To: pmenzel; +Cc: linux-bluetooth, marcel, luiz.dentz, gregkh, linux-kernel, stable
In-Reply-To: <51761fe5-2244-457b-bf60-060e43f0cbd1@molgen.mpg.de>
Thanks for the review.
> By any chance, do you have a reproducer?
No standalone reproducer is available. The issue can be triggered by
a malformed L2CAP configuration request where opt->len exceeds the
remaining buffer, i.e. a crafted packet from a remote peer.
> I always wonder, if Linux should log a debug message or even warning.
Existing callers generally handle malformed configuration options by
silently aborting parsing, so I followed the same pattern. Adding a
BT_ERR() on -EINVAL could be reasonable; I can include that in a v2
if preferred.
Regards,
Muhammad Bilal
* [PATCH 2/2] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
From: Muhammad Bilal @ 2026-05-27 4:59 UTC
To: linux-bluetooth; +Cc: stable, marcel, luiz.dentz, Muhammad Bilal
In-Reply-To: <20260527045919.39077-1-meatuni001@gmail.com>
iso_sock_close() calls iso_sock_clear_timer() before acquiring
lock_sock(sk).
iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the
socket lock held:

	if (!iso_pi(sk)->conn)
		return;

	cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);
Concurrently, iso_conn_del() executes under lock_sock(sk) and calls
iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in
the final reference to the connection being dropped:
CPU0                              CPU1
----                              ----
iso_sock_clear_timer()
  if (conn != NULL) ...           lock_sock(sk)
                                  iso_chan_del()
                                    iso_pi(sk)->conn = NULL
  cancel_delayed_work(conn)       /* NULL deref or UAF */
iso_pi(sk)->conn is not stable across the unlock window, causing a
NULL pointer dereference or use-after-free.
Serialize iso_sock_clear_timer() with the socket lock by moving it
inside lock_sock()/release_sock(), matching the pattern used in
iso_conn_del() and all other call sites.
Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/iso.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index f03b7fa5dccc..876649556d3c 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -864,8 +864,8 @@ static void __iso_sock_close(struct sock *sk)
/* Must be called on unlocked socket. */
static void iso_sock_close(struct sock *sk)
{
- iso_sock_clear_timer(sk);
lock_sock(sk);
+ iso_sock_clear_timer(sk);
__iso_sock_close(sk);
release_sock(sk);
iso_sock_kill(sk);
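Review bot: moving iso_sock_clear_timer() under lock_sock() is safe only because, as the body quoted in the commit message shows, it uses cancel_delayed_work() rather than cancel_delayed_work_sync(); if timeout_work ever takes lock_sock() itself, a _sync variant inside this critical section would deadlock, so the commit message should record that dependency.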
--
2.53.0
* [PATCH 1/2] Bluetooth: ISO: fix UAF in iso_recv_frame
From: Muhammad Bilal @ 2026-05-27 4:59 UTC
To: linux-bluetooth; +Cc: stable, marcel, luiz.dentz, Muhammad Bilal
iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().
Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.
Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/iso.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index d7af617cda45..f03b7fa5dccc 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -564,7 +564,7 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
struct sock *sk;
iso_conn_lock(conn);
- sk = conn->sk;
+ sk = iso_sock_hold(conn);
iso_conn_unlock(conn);
if (!sk)
@@ -573,11 +573,15 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
BT_DBG("sk %p len %d", sk, skb->len);
if (sk->sk_state != BT_CONNECTED)
- goto drop;
+ goto drop_put;
- if (!sock_queue_rcv_skb(sk, skb))
+ if (!sock_queue_rcv_skb(sk, skb)) {
+ sock_put(sk);
return;
+ }
+drop_put:
+ sock_put(sk);
drop:
kfree_skb(skb);
}
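Review bot: the success branch and the drop_put label both call sock_put(sk); storing the queue result and releasing once after the `if` (`err = sock_queue_rcv_skb(sk, skb); sock_put(sk); if (!err) return;`) leaves a single release point and makes the refcount balance easier to verify. iso_sock_hold() itself is not in the diff, so the commit message should also state that it returns NULL when conn->sk is unset, which the retained `if (!sk)` check relies on.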
--
2.53.0
* Re: [PATCH v5 1/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: Siwei Zhang @ 2026-05-27 4:16 UTC
To: Luiz Augusto von Dentz; +Cc: Marcel Holtmann, linux-bluetooth
In-Reply-To: <CABBYNZL_ymHCE+uf6kJ2Mi=R4pEwy-wcSL3HKDP0krd7D73Kqw@mail.gmail.com>
Hi Luiz,
On Tue, May 26, 2026, at 4:46 PM, Luiz Augusto von Dentz wrote:
> Hi Siwei,
>
> On Wed, May 20, 2026 at 12:20 PM Siwei Zhang <oss@fourdim.xyz> wrote:
>>
>> l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
>> release_sock(parent). Once the parent lock is released, the child
>> socket sk can be freed by another task.
>>
>> Allocate the channel outside the func to prevent this.
>>
>> Fixes: 8ffb929098a5 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
>> Cc: stable@kernel.org
>> Assisted-by: Claude:claude-opus-4-6
>> Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
>> ---
>> include/net/bluetooth/l2cap.h | 8 +++--
>> net/bluetooth/6lowpan.c | 14 ++++-----
>> net/bluetooth/l2cap_core.c | 58 ++++++++++++++++++++++++++++-------
>> net/bluetooth/l2cap_sock.c | 48 +++++++++++++++++------------
>> net/bluetooth/smp.c | 13 +++-----
>> 5 files changed, 91 insertions(+), 50 deletions(-)
>>
>> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
>> index 5172afee5494..f7a11e6431f0 100644
>> --- a/include/net/bluetooth/l2cap.h
>> +++ b/include/net/bluetooth/l2cap.h
>> @@ -619,7 +619,8 @@ struct l2cap_chan {
>> struct l2cap_ops {
>> char *name;
>>
>> - struct l2cap_chan *(*new_connection) (struct l2cap_chan *chan);
>> + int (*new_connection)(struct l2cap_chan *chan,
>> + struct l2cap_chan *new_chan);
>> int (*recv) (struct l2cap_chan * chan,
>> struct sk_buff *skb);
>> void (*teardown) (struct l2cap_chan *chan, int err);
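Review bot: the new_connection callback changes from returning a chan to taking a preallocated new_chan and returning an int; the header should document the ownership contract on failure (whether the caller or the callee drops the reference to new_chan), since every implementer in 6lowpan, l2cap_sock and smp must agree on it.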
>> @@ -883,9 +884,10 @@ static inline __u16 __next_seq(struct l2cap_chan *chan, __u16 seq)
>> return (seq + 1) % (chan->tx_win_max + 1);
>> }
>>
>> -static inline struct l2cap_chan *l2cap_chan_no_new_connection(struct l2cap_chan *chan)
>> +static inline int l2cap_chan_no_new_connection(struct l2cap_chan *chan,
>> + struct l2cap_chan *new_chan)
>> {
>> - return NULL;
>> + return -EOPNOTSUPP;
>> }
>>
>> static inline int l2cap_chan_no_recv(struct l2cap_chan *chan, struct sk_buff *skb)
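Review bot: `l2cap_chan_no_new_connection()` returns -EOPNOTSUPP, but every call site in this patch only tests `< 0` and maps any failure to L2CAP_CR_NO_MEM / L2CAP_CR_LE_NO_MEM, so the distinct errnos introduced across the callbacks (-EOPNOTSUPP here, -EINVAL, -ENOBUFS and -ENOMEM in l2cap_sock.c) are never observable. That matches the old NULL return, so it is not a regression, but either propagate the value where the L2CAP result code could reflect it or say in a comment that the return is used as a boolean.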
>> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
>> index 23a229ab6a33..286c0b45055b 100644
>> --- a/net/bluetooth/6lowpan.c
>> +++ b/net/bluetooth/6lowpan.c
>> @@ -743,19 +743,19 @@ static inline void chan_ready_cb(struct l2cap_chan *chan)
>> ifup(dev->netdev);
>> }
>>
>> -static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
>> +static inline int chan_new_conn_cb(struct l2cap_chan *pchan,
>> + struct l2cap_chan *chan)
>> {
>> - struct l2cap_chan *chan;
>> -
>> - chan = chan_create();
>> - if (!chan)
>> - return NULL;
>> + l2cap_chan_set_defaults(chan);
>>
>> + chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
>> + chan->mode = L2CAP_MODE_LE_FLOWCTL;
>> + chan->imtu = 1280;
>
> The 3 lines above make no sense.
>
chan_create code in 6lowpan.c:

static struct l2cap_chan *chan_create(void)
{
	struct l2cap_chan *chan;

	chan = l2cap_chan_create();
	if (!chan)
		return NULL;

	l2cap_chan_set_defaults(chan);

	chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
	chan->mode = L2CAP_MODE_LE_FLOWCTL;
	chan->imtu = 1280;

	return chan;
}
Since we allocate chan outside and replace the chan_create here,
I do think these are needed and they are specific to 6lowpan only.
I can refactor it in this patch or in a follow-up patch. I would prefer it
to be in a follow-up patch.
>> chan->ops = pchan->ops;
>>
>> BT_DBG("chan %p pchan %p", chan, pchan);
>>
>> - return chan;
>> + return 0;
>> }
>>
>> static void unregister_dev(struct lowpan_btle_dev *dev)
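Review bot: the three assignments after `l2cap_chan_set_defaults(chan)` in `chan_new_conn_cb()` duplicate the body of 6lowpan's `chan_create()` (quoted in the reply above), which stays in the file for the other channel-creation path. Two copies of the same initialisation will drift; factor the shared part into a small `chan_init(struct l2cap_chan *chan)` helper that `chan_create()` calls right after `l2cap_chan_create()` and that `chan_new_conn_cb()` calls directly. That is a few lines and keeps this patch self-contained instead of leaving the duplication for a follow-up.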
>> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
>> index fdccd62ccca8..505f32034971 100644
>> --- a/net/bluetooth/l2cap_core.c
>> +++ b/net/bluetooth/l2cap_core.c
>> @@ -4051,10 +4051,16 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
>> goto response;
>> }
>>
>> - chan = pchan->ops->new_connection(pchan);
>> + chan = l2cap_chan_create();
>> if (!chan)
>> goto response;
>>
>> + if (pchan->ops->new_connection(pchan, chan) < 0) {
>> + l2cap_chan_put(chan);
>> + chan = NULL;
>> + goto response;
>> + }
>> +
>> /* For certain devices (ex: HID mouse), support for authentication,
>> * pairing and bonding is optional. For such devices, inorder to avoid
>> * the ACL alive for too long after L2CAP disconnection, reset the ACL
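Review bot: the create-then-callback-then-put-on-failure sequence added here is repeated in the same form at three more sites in this file (`l2cap_le_connect_req()`, `l2cap_ecred_conn_req()`, `l2cap_connect_cfm()`). Wrap it once, e.g. `static struct l2cap_chan *l2cap_chan_new_connection(struct l2cap_chan *pchan)` that calls `l2cap_chan_create()`, then `pchan->ops->new_connection(pchan, chan)`, and on error does `l2cap_chan_put(chan)` and returns NULL. Each caller then keeps its old one-line shape, the put-on-failure cannot be forgotten at one site, and the diff for stable shrinks.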
>> @@ -4132,6 +4138,10 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
>> chan->num_conf_req++;
>> }
>>
>> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
>> + if (chan)
>> + l2cap_chan_put(chan);
>> +
>> l2cap_chan_unlock(pchan);
>> l2cap_chan_put(pchan);
>> }
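Review bot: the `if (chan)` guard before `l2cap_chan_put(chan)` depends on `chan` being NULL on every `goto response` path; the new failure block does set `chan = NULL` explicitly, but the coupling between that assignment, the `goto`, and this guard is not stated anywhere. Extend the comment to say that `chan` is NULL when this point is reached via `response:`, because a future `goto response` taken after `l2cap_chan_create()` succeeded would leak the create reference here, and one taken after the put would double-put.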
>> @@ -4881,6 +4891,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>> struct l2cap_le_conn_rsp rsp;
>> struct l2cap_chan *chan, *pchan;
>> u16 dcid, scid, credits, mtu, mps;
>> + u16 rsp_mtu, rsp_mps;
>> __le16 psm;
>> u8 result;
>>
>> @@ -4893,6 +4904,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>> psm = req->psm;
>> dcid = 0;
>> credits = 0;
>> + rsp_mtu = 0;
>> + rsp_mps = 0;
>>
>> if (mtu < 23 || mps < 23)
>> return -EPROTO;
>> @@ -4953,12 +4966,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>> goto response_unlock;
>> }
>>
>> - chan = pchan->ops->new_connection(pchan);
>> + chan = l2cap_chan_create();
>> if (!chan) {
>> result = L2CAP_CR_LE_NO_MEM;
>> goto response_unlock;
>> }
>>
>> + if (pchan->ops->new_connection(pchan, chan) < 0) {
>> + l2cap_chan_put(chan);
>> + chan = NULL;
>> + result = L2CAP_CR_LE_NO_MEM;
>> + goto response_unlock;
>> + }
>> +
>> bacpy(&chan->src, &conn->hcon->src);
>> bacpy(&chan->dst, &conn->hcon->dst);
>> chan->src_type = bdaddr_src_type(conn->hcon);
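Review bot: `chan = NULL;` in the new failure block is now dead: the only reader of `chan` after `response_unlock:` was the `if (chan)` at `response:`, which this same patch replaces with `rsp_mtu`/`rsp_mps`. Either drop the assignment, or if it is kept as a defensive guard, add the same line in `l2cap_ecred_conn_req()` where the equivalent failure block omits it, so the two sites read the same way.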
>> @@ -4974,6 +4994,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>>
>> dcid = chan->scid;
>> credits = chan->rx_credits;
>> + rsp_mtu = chan->imtu;
>> + rsp_mps = chan->mps;
>>
>> __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
>>
>> @@ -4993,6 +5015,9 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>> result = L2CAP_CR_LE_SUCCESS;
>> }
>>
>> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
>> + l2cap_chan_put(chan);
>> +
>> response_unlock:
>> l2cap_chan_unlock(pchan);
>> l2cap_chan_put(pchan);
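Review bot: this `l2cap_chan_put(chan)` is the point after which `chan` must not be dereferenced in this function, and the patch keeps that by making `response:` read `rsp_mtu`/`rsp_mps` instead. Balance check from the visible hunks: `l2cap_chan_create()` (1), two holds in `l2cap_sock_alloc()` (3), `__l2cap_chan_add()` (4), this put (3), which equals the pre-patch count of create-inside-sock (1) + hold (2) + chan_add (3). Note that the put is unconditional while the `FLAG_DEFER_SETUP` branch returns early at `if (result == L2CAP_CR_PEND)`; that is fine because the put sits before `response_unlock:`, but say so in the comment so it is not moved below the early return.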
>> @@ -5001,13 +5026,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>> return 0;
>>
>> response:
>> - if (chan) {
>> - rsp.mtu = cpu_to_le16(chan->imtu);
>> - rsp.mps = cpu_to_le16(chan->mps);
>> - } else {
>> - rsp.mtu = 0;
>> - rsp.mps = 0;
>> - }
>> + rsp.mtu = cpu_to_le16(rsp_mtu);
>> + rsp.mps = cpu_to_le16(rsp_mps);
>>
>> rsp.dcid = cpu_to_le16(dcid);
>> rsp.credits = cpu_to_le16(credits);
>> @@ -5177,12 +5197,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
>> continue;
>> }
>>
>> - chan = pchan->ops->new_connection(pchan);
>> + chan = l2cap_chan_create();
>> if (!chan) {
>> result = L2CAP_CR_LE_NO_MEM;
>> continue;
>> }
>>
>> + if (pchan->ops->new_connection(pchan, chan) < 0) {
>> + l2cap_chan_put(chan);
>> + result = L2CAP_CR_LE_NO_MEM;
>> + continue;
>> + }
>> +
>> bacpy(&chan->src, &conn->hcon->src);
>> bacpy(&chan->dst, &conn->hcon->dst);
>> chan->src_type = bdaddr_src_type(conn->hcon);
>> @@ -5217,6 +5243,9 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
>> } else {
>> l2cap_chan_ready(chan);
>> }
>> +
>> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
>> + l2cap_chan_put(chan);
>> }
>>
>> unlock:
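Review bot: in `l2cap_ecred_conn_req()` the local reference is dropped at the very end of the loop body, so every `continue` above it skips the put. The `continue`s visible in this patch happen either before `l2cap_chan_create()` or immediately after a put, so they are correct today, but any `continue` or `break` added between `__l2cap_chan_add()` and the end of the body would leak a reference. A comment at the top of the body ("chan holds the create ref until the put at the end of the iteration") or the shared helper suggested for `l2cap_connect()` would make that rule explicit.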
>> @@ -7399,7 +7428,11 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
>> goto next;
>>
>> l2cap_chan_lock(pchan);
>> - chan = pchan->ops->new_connection(pchan);
>> + chan = l2cap_chan_create();
>> + if (chan && pchan->ops->new_connection(pchan, chan) < 0) {
>> + l2cap_chan_put(chan);
>> + chan = NULL;
>> + }
>> if (chan) {
>> bacpy(&chan->src, &hcon->src);
>> bacpy(&chan->dst, &hcon->dst);
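Review bot: this site merges the create check and the callback check into `if (chan && pchan->ops->new_connection(pchan, chan) < 0)`, followed by a second `if (chan)`, which reads differently from the other three sites that test the two results separately. Use the same shape everywhere (or the one helper returning NULL on failure) so a reader can pattern-match the refcount handling across the file; a site that looks different is the one that gets mis-edited later.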
>> @@ -7407,6 +7440,9 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
>> chan->dst_type = dst_type;
>>
>> __l2cap_chan_add(conn, chan);
>> +
>> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
>> + l2cap_chan_put(chan);
>> }
>>
>> l2cap_chan_unlock(pchan);
>> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
>> index dede550d6031..598f24c8f704 100644
>> --- a/net/bluetooth/l2cap_sock.c
>> +++ b/net/bluetooth/l2cap_sock.c
>> @@ -46,7 +46,8 @@ static struct bt_sock_list l2cap_sk_list = {
>> static const struct proto_ops l2cap_sock_ops;
>> static void l2cap_sock_init(struct sock *sk, struct sock *parent);
>> static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>> - int proto, gfp_t prio, int kern);
>> + int proto, gfp_t prio, int kern,
>> + struct l2cap_chan *chan);
>> static void l2cap_sock_cleanup_listen(struct sock *parent);
>>
>> bool l2cap_is_socket(struct socket *sock)
>> @@ -1507,12 +1508,13 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
>> }
>> }
>>
>> -static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>> +static int l2cap_sock_new_connection_cb(struct l2cap_chan *chan,
>> + struct l2cap_chan *new_chan)
>> {
>> struct sock *sk, *parent = chan->data;
>>
>> if (!parent)
>> - return NULL;
>> + return -EINVAL;
>>
>> lock_sock(parent);
>>
>> @@ -1520,15 +1522,15 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>> if (sk_acceptq_is_full(parent)) {
>> BT_DBG("backlog full %d", parent->sk_ack_backlog);
>> release_sock(parent);
>> - return NULL;
>> + return -ENOBUFS;
>> }
>>
>> sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
>> - GFP_ATOMIC, 0);
>> + GFP_ATOMIC, 0, new_chan);
>> if (!sk) {
>> release_sock(parent);
>> - return NULL;
>> - }
>> + return -ENOMEM;
>> + }
>>
>> bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
>>
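Review bot: the `- }` / `+ }` pair after `return -ENOMEM;` is a whitespace-only change to the closing brace. Drop it from a `Cc: stable` fix: it widens the context that must apply on every stable branch for no functional gain, and the IncrementalBuild step in this CI already shows how a patch that does not apply is treated.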
>> @@ -1538,7 +1540,7 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>>
>> release_sock(parent);
>>
>> - return l2cap_pi(sk)->chan;
>> + return 0;
>> }
>>
>> static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
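Review bot: this is the actual fix: after `release_sock(parent)` the callback returns 0 and never reads `l2cap_pi(sk)->chan`, so the child `sk`, which per the commit message can be freed by another task once the parent lock is dropped, is not touched. Add a one-line comment above `release_sock(parent)` stating that `sk` must not be dereferenced past that point; without it the next refactor that wants "the chan we just created" will reintroduce exactly this read.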
>> @@ -1939,10 +1941,10 @@ static struct proto l2cap_proto = {
>> };
>>
>> static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>> - int proto, gfp_t prio, int kern)
>> + int proto, gfp_t prio, int kern,
>> + struct l2cap_chan *chan)
>> {
>> struct sock *sk;
>> - struct l2cap_chan *chan;
>>
>> sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
>> if (!sk)
>> @@ -1953,14 +1955,11 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>>
>> INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
>>
>> - chan = l2cap_chan_create();
>> - if (!chan) {
>> - sk_free(sk);
>> - if (sock)
>> - sock->sk = NULL;
>> - return NULL;
>> - }
>> -
>> + /* The sock owns two refs on chan, matching the puts in
>> + * l2cap_sock_kill() and l2cap_sock_destruct(). The caller keeps
>> + * its own ref independent of these.
>> + */
>> + l2cap_chan_hold(chan);
>> l2cap_chan_hold(chan);
>>
>> l2cap_pi(sk)->chan = chan;
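Review bot: two consecutive `l2cap_chan_hold(chan)` calls look like a copy-paste error to anyone skimming, even with the comment. The accounting does work out: before the patch the socket owned the `l2cap_chan_create()` reference plus one hold (2); now it owns two holds while the caller keeps the create reference and puts it itself, so the socket still owns 2, matching `l2cap_sock_kill()` and `l2cap_sock_destruct()`. Name the callers in the comment ("`l2cap_sock_create()` and the `new_connection` callers in l2cap_core.c drop the create ref themselves") and note that this function can no longer fail after `bt_sock_alloc()`, which is why the removed `sk_free(sk); sock->sk = NULL` cleanup is gone.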
>> @@ -1972,6 +1971,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
>> int kern)
>> {
>> struct sock *sk;
>> + struct l2cap_chan *chan;
>>
>> BT_DBG("sock %p", sock);
>>
>> @@ -1986,10 +1986,18 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
>>
>> sock->ops = &l2cap_sock_ops;
>>
>> - sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
>> - if (!sk)
>> + chan = l2cap_chan_create();
>> + if (!chan)
>> return -ENOMEM;
>>
>> + sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern, chan);
>> + if (!sk) {
>> + l2cap_chan_put(chan);
>> + return -ENOMEM;
>> + }
>> + /* Sock has taken its own refs on chan; drop the chan_create() ref. */
>> + l2cap_chan_put(chan);
>> +
>> l2cap_sock_init(sk, NULL);
>> bt_sock_link(&l2cap_sk_list, sk);
>> return 0;
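Review bot: the error path `if (!sk) { l2cap_chan_put(chan); return -ENOMEM; }` is correct only because `l2cap_sock_alloc()` takes its two holds after `bt_sock_alloc()` succeeded, so on a NULL return the chan still sits at its create reference of one and this put frees it. State that rule in the comment: `l2cap_sock_alloc()` never consumes or drops the caller's reference, on success or on failure. Both put sites in this function rely on it, and it is the same invariant the `new_connection` callers in l2cap_core.c rely on when they put after `__l2cap_chan_add()`.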
>> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
>> index 1739c1989dbd..25cb5dc580bf 100644
>> --- a/net/bluetooth/smp.c
>> +++ b/net/bluetooth/smp.c
>> @@ -3204,16 +3204,11 @@ static const struct l2cap_ops smp_chan_ops = {
>> .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
>> };
>>
>> -static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
>> +static inline int smp_new_conn_cb(struct l2cap_chan *pchan,
>> + struct l2cap_chan *chan)
>> {
>> - struct l2cap_chan *chan;
>> -
>> BT_DBG("pchan %p", pchan);
>>
>> - chan = l2cap_chan_create();
>> - if (!chan)
>> - return NULL;
>> -
>> chan->chan_type = pchan->chan_type;
>> chan->ops = &smp_chan_ops;
>> chan->scid = pchan->scid;
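Review bot: `smp_new_conn_cb()` initialises the caller-provided chan without `l2cap_chan_set_defaults()`, unlike the 6lowpan callback. That matches its pre-patch behaviour, where it also used bare `l2cap_chan_create()` and copied `chan_type`, `ops`, `scid` and the rest from the parent, so no functional change is needed; a short comment that SMP intentionally inherits from `pchan` rather than using defaults would keep the two callbacks from being "harmonised" later. `static inline` on a function only reached through an ops pointer does nothing; pre-existing, so optional.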
>> @@ -3229,9 +3224,9 @@ static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
>> */
>> atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
>>
>> - BT_DBG("created chan %p", chan);
>> + BT_DBG("initialised chan %p", chan);
>>
>> - return chan;
>> + return 0;
>> }
>>
>> static const struct l2cap_ops smp_root_chan_ops = {
>> --
>> 2.54.0
>>
>
>
> --
> Luiz Augusto von Dentz
Best,
Siwei
^ permalink raw reply
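The reference accounting the patch sets up (the create reference owned by the core caller, two references owned by the socket, one by the conn list) as an added userland model. This is example code written for this page, not kernel code and not from the patch author: `chan_create`/`chan_hold`/`chan_put`, `sock_alloc`, `sock_release`, `conn_add` and `conn_del` stand in for `l2cap_chan_create`/`_hold`/`_put`, `l2cap_sock_alloc`, `l2cap_sock_kill` + `l2cap_sock_destruct`, `__l2cap_chan_add` and `l2cap_chan_del`; `backlog_full` replaces `sk_acceptq_is_full(parent)`; `model_accept()` and `model_teardown()` are invented harness functions. Locking, lists and the L2CAP response codes are left out; only the counts are modelled.

```c
/* Userland model of the l2cap_chan reference rules the patch relies on.
 * Added example, not kernel code: the helpers below are stand-ins for
 * l2cap_chan_create/_hold/_put, l2cap_sock_alloc, l2cap_sock_kill +
 * l2cap_sock_destruct, __l2cap_chan_add and l2cap_chan_del. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
struct chan { int refcnt; };            /* stand-in for the kref */
struct sock { struct chan *chan; };     /* l2cap_pi(sk)->chan */

static int chans_destroyed;             /* "l2cap_chan_destroy()" events */

static struct chan *chan_create(void)   /* l2cap_chan_create(): refcount 1 */
{
	struct chan *c = calloc(1, sizeof(*c));
	if (c)
		c->refcnt = 1;
	return c;
}

static void chan_hold(struct chan *c) { c->refcnt++; }

static void chan_put(struct chan *c)
{
	if (--c->refcnt == 0) {
		chans_destroyed++;
		free(c);
	}
}

/* l2cap_sock_alloc(): the socket takes two refs of its own; the caller's
 * create ref is left alone on success and on failure. */
static struct sock *sock_alloc(struct chan *c)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	if (!sk)
		return NULL;
	chan_hold(c);
	chan_hold(c);
	sk->chan = c;
	return sk;
}

/* l2cap_sock_kill() + l2cap_sock_destruct(): the socket's two refs go. */
static void sock_release(struct sock *sk)
{
	chan_put(sk->chan);
	chan_put(sk->chan);
	free(sk);
}

static void conn_add(struct chan *c) { chan_hold(c); }  /* list pins chan */
static void conn_del(struct chan *c) { chan_put(c); }   /* list ref dropped */

/* l2cap_sock_new_connection_cb() after the patch: fill in the caller's
 * chan, return 0 or -errno. backlog_full stands in for sk_acceptq_is_full().
 * Nothing reads sk after the point where release_sock(parent) would be;
 * the old version returned l2cap_pi(sk)->chan there, the use-after-free. */
static int new_connection_cb(struct chan *new_chan, int backlog_full,
			     struct sock **skp)
{
	struct sock *sk;
	if (backlog_full)
		return -ENOBUFS;
	sk = sock_alloc(new_chan);              /* 1 -> 3 */
	if (!sk)
		return -ENOMEM;
	*skp = sk;             /* bt_accept_enqueue(); release_sock(parent) */
	return 0;
}

/* l2cap_connect() shape after the patch. Returns the chan refcount left,
 * or -errno if refused, in which case the chan is already freed. */
static int model_accept(int backlog_full, struct sock **skp, struct chan **cp)
{
	struct chan *chan = chan_create();
	int err;
	if (!chan)
		return -ENOMEM;
	err = new_connection_cb(chan, backlog_full, skp);
	if (err < 0) {
		chan_put(chan);    /* 1 -> 0: the create ref was the only one */
		return err;
	}
	conn_add(chan);            /* 3 -> 4 */
	chan_put(chan);            /* 4 -> 3: drop the create ref */
	*cp = chan;
	return chan->refcnt;
}

/* close(sock) then removal from the conn list; returns chans destroyed. */
static int model_teardown(struct sock *sk, struct chan *chan)
{
	int before = chans_destroyed;
	sock_release(sk);          /* 3 -> 1 */
	conn_del(chan);            /* 1 -> 0 */
	return chans_destroyed - before;
}

int main(void)
{
	struct sock *sk = NULL;
	struct chan *chan = NULL;
	printf("accept: refcount %d\n", model_accept(0, &sk, &chan));
	printf("teardown: destroyed %d\n", model_teardown(sk, chan));
	printf("backlog full: %d\n", model_accept(1, &sk, &chan));
	return 0;
}
```

The accepted path ends with a refcount of 3 (two socket references plus the conn-list one), the refused path frees the channel through the single create reference, and a full teardown destroys exactly one channel; those three numbers are what the four call sites in the patch have to agree on.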
* RE: [v2] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
From: bluez.test.bot @ 2026-05-26 21:55 UTC (permalink / raw)
To: linux-bluetooth, doruk
In-Reply-To: <20260526194816.65669-1-doruk@0sec.ai>
This is an automated email, please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1101233
---Test result---
Test Summary:
CheckPatch                    FAIL      0.57 seconds
VerifyFixes                   PASS      0.08 seconds
VerifySignedoff               PASS      0.07 seconds
GitLint                       PASS      0.50 seconds
SubjectPrefix                 PASS      0.07 seconds
BuildKernel                   PASS      27.63 seconds
CheckAllWarning               PASS      29.79 seconds
CheckSparse                   PASS      27.65 seconds
BuildKernel32                 PASS      25.96 seconds
TestRunnerSetup               PASS      576.60 seconds
TestRunner_l2cap-tester       PASS      60.69 seconds
TestRunner_iso-tester         PASS      82.77 seconds
TestRunner_bnep-tester        PASS      20.17 seconds
TestRunner_mgmt-tester        FAIL      225.21 seconds
TestRunner_rfcomm-tester      PASS      26.55 seconds
TestRunner_sco-tester         PASS      33.64 seconds
TestRunner_ioctl-tester       PASS      26.47 seconds
TestRunner_mesh-tester        FAIL      25.88 seconds
TestRunner_smp-tester         PASS      23.88 seconds
TestRunner_userchan-tester    PASS      20.88 seconds
TestRunner_6lowpan-tester     PASS      23.41 seconds
IncrementalBuild              FAIL      4.17 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 035c25007c9e ("Bluetooth: hci_sync: Fix UAF in le_read_features_complete")'
#121:
This is the same class of bug as the one fixed by commit
total: 1 errors, 0 warnings, 0 checks, 22 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14596093.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success                 Failed       0.271 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1                     Timed out    1.993 seconds
Mesh - Send cancel - 2                     Timed out    1.989 seconds
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
error: patch failed: net/bluetooth/hci_sync.c:6700
error: net/bluetooth/hci_sync.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch
https://github.com/bluez/bluetooth-next/pull/247
---
Regards,
Linux Bluetooth
^ permalink raw reply
* Re: [PATCH v5 1/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: Luiz Augusto von Dentz @ 2026-05-26 20:46 UTC (permalink / raw)
To: Siwei Zhang; +Cc: Marcel Holtmann, linux-bluetooth
In-Reply-To: <20260520162030.2842543-2-oss@fourdim.xyz>
Hi Siwei,
On Wed, May 20, 2026 at 12:20 PM Siwei Zhang <oss@fourdim.xyz> wrote:
>
> l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
> release_sock(parent). Once the parent lock is released, the child
> socket sk can be freed by another task.
>
> Allocate the channel outside the func to prevent this.
>
> Fixes: 8ffb929098a5 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
> Cc: stable@kernel.org
> Assisted-by: Claude:claude-opus-4-6
> Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
> ---
> include/net/bluetooth/l2cap.h | 8 +++--
> net/bluetooth/6lowpan.c | 14 ++++-----
> net/bluetooth/l2cap_core.c | 58 ++++++++++++++++++++++++++++-------
> net/bluetooth/l2cap_sock.c | 48 +++++++++++++++++------------
> net/bluetooth/smp.c | 13 +++-----
> 5 files changed, 91 insertions(+), 50 deletions(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index 5172afee5494..f7a11e6431f0 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -619,7 +619,8 @@ struct l2cap_chan {
> struct l2cap_ops {
> char *name;
>
> - struct l2cap_chan *(*new_connection) (struct l2cap_chan *chan);
> + int (*new_connection)(struct l2cap_chan *chan,
> + struct l2cap_chan *new_chan);
> int (*recv) (struct l2cap_chan * chan,
> struct sk_buff *skb);
> void (*teardown) (struct l2cap_chan *chan, int err);
> @@ -883,9 +884,10 @@ static inline __u16 __next_seq(struct l2cap_chan *chan, __u16 seq)
> return (seq + 1) % (chan->tx_win_max + 1);
> }
>
> -static inline struct l2cap_chan *l2cap_chan_no_new_connection(struct l2cap_chan *chan)
> +static inline int l2cap_chan_no_new_connection(struct l2cap_chan *chan,
> + struct l2cap_chan *new_chan)
> {
> - return NULL;
> + return -EOPNOTSUPP;
> }
>
> static inline int l2cap_chan_no_recv(struct l2cap_chan *chan, struct sk_buff *skb)
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index 23a229ab6a33..286c0b45055b 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -743,19 +743,19 @@ static inline void chan_ready_cb(struct l2cap_chan *chan)
> ifup(dev->netdev);
> }
>
> -static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
> +static inline int chan_new_conn_cb(struct l2cap_chan *pchan,
> + struct l2cap_chan *chan)
> {
> - struct l2cap_chan *chan;
> -
> - chan = chan_create();
> - if (!chan)
> - return NULL;
> + l2cap_chan_set_defaults(chan);
>
> + chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
> + chan->mode = L2CAP_MODE_LE_FLOWCTL;
> + chan->imtu = 1280;
The 3 lines above make no sense.
> chan->ops = pchan->ops;
>
> BT_DBG("chan %p pchan %p", chan, pchan);
>
> - return chan;
> + return 0;
> }
>
> static void unregister_dev(struct lowpan_btle_dev *dev)
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index fdccd62ccca8..505f32034971 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4051,10 +4051,16 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
> goto response;
> }
>
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> if (!chan)
> goto response;
>
> + if (pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + chan = NULL;
> + goto response;
> + }
> +
> /* For certain devices (ex: HID mouse), support for authentication,
> * pairing and bonding is optional. For such devices, inorder to avoid
> * the ACL alive for too long after L2CAP disconnection, reset the ACL
> @@ -4132,6 +4138,10 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
> chan->num_conf_req++;
> }
>
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + if (chan)
> + l2cap_chan_put(chan);
> +
> l2cap_chan_unlock(pchan);
> l2cap_chan_put(pchan);
> }
> @@ -4881,6 +4891,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> struct l2cap_le_conn_rsp rsp;
> struct l2cap_chan *chan, *pchan;
> u16 dcid, scid, credits, mtu, mps;
> + u16 rsp_mtu, rsp_mps;
> __le16 psm;
> u8 result;
>
> @@ -4893,6 +4904,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> psm = req->psm;
> dcid = 0;
> credits = 0;
> + rsp_mtu = 0;
> + rsp_mps = 0;
>
> if (mtu < 23 || mps < 23)
> return -EPROTO;
> @@ -4953,12 +4966,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> goto response_unlock;
> }
>
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> if (!chan) {
> result = L2CAP_CR_LE_NO_MEM;
> goto response_unlock;
> }
>
> + if (pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + chan = NULL;
> + result = L2CAP_CR_LE_NO_MEM;
> + goto response_unlock;
> + }
> +
> bacpy(&chan->src, &conn->hcon->src);
> bacpy(&chan->dst, &conn->hcon->dst);
> chan->src_type = bdaddr_src_type(conn->hcon);
> @@ -4974,6 +4994,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>
> dcid = chan->scid;
> credits = chan->rx_credits;
> + rsp_mtu = chan->imtu;
> + rsp_mps = chan->mps;
>
> __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
>
> @@ -4993,6 +5015,9 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> result = L2CAP_CR_LE_SUCCESS;
> }
>
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + l2cap_chan_put(chan);
> +
> response_unlock:
> l2cap_chan_unlock(pchan);
> l2cap_chan_put(pchan);
> @@ -5001,13 +5026,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> return 0;
>
> response:
> - if (chan) {
> - rsp.mtu = cpu_to_le16(chan->imtu);
> - rsp.mps = cpu_to_le16(chan->mps);
> - } else {
> - rsp.mtu = 0;
> - rsp.mps = 0;
> - }
> + rsp.mtu = cpu_to_le16(rsp_mtu);
> + rsp.mps = cpu_to_le16(rsp_mps);
>
> rsp.dcid = cpu_to_le16(dcid);
> rsp.credits = cpu_to_le16(credits);
> @@ -5177,12 +5197,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
> continue;
> }
>
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> if (!chan) {
> result = L2CAP_CR_LE_NO_MEM;
> continue;
> }
>
> + if (pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + result = L2CAP_CR_LE_NO_MEM;
> + continue;
> + }
> +
> bacpy(&chan->src, &conn->hcon->src);
> bacpy(&chan->dst, &conn->hcon->dst);
> chan->src_type = bdaddr_src_type(conn->hcon);
> @@ -5217,6 +5243,9 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
> } else {
> l2cap_chan_ready(chan);
> }
> +
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + l2cap_chan_put(chan);
> }
>
> unlock:
> @@ -7399,7 +7428,11 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
> goto next;
>
> l2cap_chan_lock(pchan);
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> + if (chan && pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + chan = NULL;
> + }
> if (chan) {
> bacpy(&chan->src, &hcon->src);
> bacpy(&chan->dst, &hcon->dst);
> @@ -7407,6 +7440,9 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
> chan->dst_type = dst_type;
>
> __l2cap_chan_add(conn, chan);
> +
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + l2cap_chan_put(chan);
> }
>
> l2cap_chan_unlock(pchan);
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index dede550d6031..598f24c8f704 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -46,7 +46,8 @@ static struct bt_sock_list l2cap_sk_list = {
> static const struct proto_ops l2cap_sock_ops;
> static void l2cap_sock_init(struct sock *sk, struct sock *parent);
> static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
> - int proto, gfp_t prio, int kern);
> + int proto, gfp_t prio, int kern,
> + struct l2cap_chan *chan);
> static void l2cap_sock_cleanup_listen(struct sock *parent);
>
> bool l2cap_is_socket(struct socket *sock)
> @@ -1507,12 +1508,13 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
> }
> }
>
> -static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
> +static int l2cap_sock_new_connection_cb(struct l2cap_chan *chan,
> + struct l2cap_chan *new_chan)
> {
> struct sock *sk, *parent = chan->data;
>
> if (!parent)
> - return NULL;
> + return -EINVAL;
>
> lock_sock(parent);
>
> @@ -1520,15 +1522,15 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
> if (sk_acceptq_is_full(parent)) {
> BT_DBG("backlog full %d", parent->sk_ack_backlog);
> release_sock(parent);
> - return NULL;
> + return -ENOBUFS;
> }
>
> sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
> - GFP_ATOMIC, 0);
> + GFP_ATOMIC, 0, new_chan);
> if (!sk) {
> release_sock(parent);
> - return NULL;
> - }
> + return -ENOMEM;
> + }
>
> bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
>
> @@ -1538,7 +1540,7 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>
> release_sock(parent);
>
> - return l2cap_pi(sk)->chan;
> + return 0;
> }
>
> static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
> @@ -1939,10 +1941,10 @@ static struct proto l2cap_proto = {
> };
>
> static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
> - int proto, gfp_t prio, int kern)
> + int proto, gfp_t prio, int kern,
> + struct l2cap_chan *chan)
> {
> struct sock *sk;
> - struct l2cap_chan *chan;
>
> sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
> if (!sk)
> @@ -1953,14 +1955,11 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>
> INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
>
> - chan = l2cap_chan_create();
> - if (!chan) {
> - sk_free(sk);
> - if (sock)
> - sock->sk = NULL;
> - return NULL;
> - }
> -
> + /* The sock owns two refs on chan, matching the puts in
> + * l2cap_sock_kill() and l2cap_sock_destruct(). The caller keeps
> + * its own ref independent of these.
> + */
> + l2cap_chan_hold(chan);
> l2cap_chan_hold(chan);
>
> l2cap_pi(sk)->chan = chan;
> @@ -1972,6 +1971,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
> int kern)
> {
> struct sock *sk;
> + struct l2cap_chan *chan;
>
> BT_DBG("sock %p", sock);
>
> @@ -1986,10 +1986,18 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
>
> sock->ops = &l2cap_sock_ops;
>
> - sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
> - if (!sk)
> + chan = l2cap_chan_create();
> + if (!chan)
> return -ENOMEM;
>
> + sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern, chan);
> + if (!sk) {
> + l2cap_chan_put(chan);
> + return -ENOMEM;
> + }
> + /* Sock has taken its own refs on chan; drop the chan_create() ref. */
> + l2cap_chan_put(chan);
> +
> l2cap_sock_init(sk, NULL);
> bt_sock_link(&l2cap_sk_list, sk);
> return 0;
> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
> index 1739c1989dbd..25cb5dc580bf 100644
> --- a/net/bluetooth/smp.c
> +++ b/net/bluetooth/smp.c
> @@ -3204,16 +3204,11 @@ static const struct l2cap_ops smp_chan_ops = {
> .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
> };
>
> -static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
> +static inline int smp_new_conn_cb(struct l2cap_chan *pchan,
> + struct l2cap_chan *chan)
> {
> - struct l2cap_chan *chan;
> -
> BT_DBG("pchan %p", pchan);
>
> - chan = l2cap_chan_create();
> - if (!chan)
> - return NULL;
> -
> chan->chan_type = pchan->chan_type;
> chan->ops = &smp_chan_ops;
> chan->scid = pchan->scid;
> @@ -3229,9 +3224,9 @@ static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
> */
> atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
>
> - BT_DBG("created chan %p", chan);
> + BT_DBG("initialised chan %p", chan);
>
> - return chan;
> + return 0;
> }
>
> static const struct l2cap_ops smp_root_chan_ops = {
> --
> 2.54.0
>
--
Luiz Augusto von Dentz
^ permalink raw reply
* Re: [PATCH v5 1/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: Siwei Zhang @ 2026-05-26 20:38 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, Marcel Holtmann
In-Reply-To: <20260520162030.2842543-2-oss@fourdim.xyz>
Hi Luiz,
On Wed, May 20, 2026, at 12:20 PM, Siwei Zhang wrote:
> l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
> release_sock(parent). Once the parent lock is released, the child
> socket sk can be freed by another task.
>
> Allocate the channel outside the func to prevent this.
>
> Fixes: 8ffb929098a5 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
> Cc: stable@kernel.org
> Assisted-by: Claude:claude-opus-4-6
> Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
> ---
> include/net/bluetooth/l2cap.h | 8 +++--
> net/bluetooth/6lowpan.c | 14 ++++-----
> net/bluetooth/l2cap_core.c | 58 ++++++++++++++++++++++++++++-------
> net/bluetooth/l2cap_sock.c | 48 +++++++++++++++++------------
> net/bluetooth/smp.c | 13 +++-----
> 5 files changed, 91 insertions(+), 50 deletions(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index 5172afee5494..f7a11e6431f0 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -619,7 +619,8 @@ struct l2cap_chan {
> struct l2cap_ops {
> char *name;
>
> - struct l2cap_chan *(*new_connection) (struct l2cap_chan *chan);
> + int (*new_connection)(struct l2cap_chan *chan,
> + struct l2cap_chan *new_chan);
> int (*recv) (struct l2cap_chan * chan,
> struct sk_buff *skb);
> void (*teardown) (struct l2cap_chan *chan, int err);
> @@ -883,9 +884,10 @@ static inline __u16 __next_seq(struct l2cap_chan
> *chan, __u16 seq)
> return (seq + 1) % (chan->tx_win_max + 1);
> }
>
> -static inline struct l2cap_chan *l2cap_chan_no_new_connection(struct
> l2cap_chan *chan)
> +static inline int l2cap_chan_no_new_connection(struct l2cap_chan *chan,
> + struct l2cap_chan *new_chan)
> {
> - return NULL;
> + return -EOPNOTSUPP;
> }
>
> static inline int l2cap_chan_no_recv(struct l2cap_chan *chan, struct
> sk_buff *skb)
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index 23a229ab6a33..286c0b45055b 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -743,19 +743,19 @@ static inline void chan_ready_cb(struct
> l2cap_chan *chan)
> ifup(dev->netdev);
> }
>
> -static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
> +static inline int chan_new_conn_cb(struct l2cap_chan *pchan,
> + struct l2cap_chan *chan)
> {
> - struct l2cap_chan *chan;
> -
> - chan = chan_create();
> - if (!chan)
> - return NULL;
> + l2cap_chan_set_defaults(chan);
>
> + chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
> + chan->mode = L2CAP_MODE_LE_FLOWCTL;
> + chan->imtu = 1280;
> chan->ops = pchan->ops;
>
> BT_DBG("chan %p pchan %p", chan, pchan);
>
> - return chan;
> + return 0;
> }
>
> static void unregister_dev(struct lowpan_btle_dev *dev)
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index fdccd62ccca8..505f32034971 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4051,10 +4051,16 @@ static void l2cap_connect(struct l2cap_conn
> *conn, struct l2cap_cmd_hdr *cmd,
> goto response;
> }
>
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> if (!chan)
> goto response;
>
> + if (pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + chan = NULL;
> + goto response;
> + }
> +
> /* For certain devices (ex: HID mouse), support for authentication,
> * pairing and bonding is optional. For such devices, inorder to avoid
> * the ACL alive for too long after L2CAP disconnection, reset the ACL
> @@ -4132,6 +4138,10 @@ static void l2cap_connect(struct l2cap_conn
> *conn, struct l2cap_cmd_hdr *cmd,
> chan->num_conf_req++;
> }
>
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + if (chan)
> + l2cap_chan_put(chan);
> +
> l2cap_chan_unlock(pchan);
> l2cap_chan_put(pchan);
> }
> @@ -4881,6 +4891,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> struct l2cap_le_conn_rsp rsp;
> struct l2cap_chan *chan, *pchan;
> u16 dcid, scid, credits, mtu, mps;
> + u16 rsp_mtu, rsp_mps;
> __le16 psm;
> u8 result;
>
> @@ -4893,6 +4904,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> psm = req->psm;
> dcid = 0;
> credits = 0;
> + rsp_mtu = 0;
> + rsp_mps = 0;
>
> if (mtu < 23 || mps < 23)
> return -EPROTO;
> @@ -4953,12 +4966,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> goto response_unlock;
> }
>
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> if (!chan) {
> result = L2CAP_CR_LE_NO_MEM;
> goto response_unlock;
> }
>
> + if (pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + chan = NULL;
> + result = L2CAP_CR_LE_NO_MEM;
> + goto response_unlock;
> + }
> +
> bacpy(&chan->src, &conn->hcon->src);
> bacpy(&chan->dst, &conn->hcon->dst);
> chan->src_type = bdaddr_src_type(conn->hcon);
> @@ -4974,6 +4994,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>
> dcid = chan->scid;
> credits = chan->rx_credits;
> + rsp_mtu = chan->imtu;
> + rsp_mps = chan->mps;
>
> __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
>
> @@ -4993,6 +5015,9 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> result = L2CAP_CR_LE_SUCCESS;
> }
>
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + l2cap_chan_put(chan);
> +
> response_unlock:
> l2cap_chan_unlock(pchan);
> l2cap_chan_put(pchan);
> @@ -5001,13 +5026,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
> return 0;
>
> response:
> - if (chan) {
> - rsp.mtu = cpu_to_le16(chan->imtu);
> - rsp.mps = cpu_to_le16(chan->mps);
> - } else {
> - rsp.mtu = 0;
> - rsp.mps = 0;
> - }
> + rsp.mtu = cpu_to_le16(rsp_mtu);
> + rsp.mps = cpu_to_le16(rsp_mps);
>
> rsp.dcid = cpu_to_le16(dcid);
> rsp.credits = cpu_to_le16(credits);
> @@ -5177,12 +5197,18 @@ static inline int l2cap_ecred_conn_req(struct
> l2cap_conn *conn,
> continue;
> }
>
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> if (!chan) {
> result = L2CAP_CR_LE_NO_MEM;
> continue;
> }
>
> + if (pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + result = L2CAP_CR_LE_NO_MEM;
> + continue;
> + }
> +
> bacpy(&chan->src, &conn->hcon->src);
> bacpy(&chan->dst, &conn->hcon->dst);
> chan->src_type = bdaddr_src_type(conn->hcon);
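Review bot: on new_connection() failure chan is put but not reset to NULL before `continue`, unlike the matching l2cap_le_connect_req() hunk. That is harmless only if nothing after the loop reads chan; setting chan = NULL here would keep the two paths consistent and make the loop safe if it ends on that failure.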
> @@ -5217,6 +5243,9 @@ static inline int l2cap_ecred_conn_req(struct
> l2cap_conn *conn,
> } else {
> l2cap_chan_ready(chan);
> }
> +
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn
> list. */
> + l2cap_chan_put(chan);
> }
>
> unlock:
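Review bot: the local-reference put at the end of the loop body is bypassed by every `continue` that follows the new_connection() call; the two failure `continue`s shown happen before chan reaches the conn list, but please confirm no later `continue` (after __l2cap_chan_add() has pinned chan) skips this put, which would leak the reference.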
> @@ -7399,7 +7428,11 @@ static void l2cap_connect_cfm(struct hci_conn
> *hcon, u8 status)
> goto next;
>
> l2cap_chan_lock(pchan);
> - chan = pchan->ops->new_connection(pchan);
> + chan = l2cap_chan_create();
> + if (chan && pchan->ops->new_connection(pchan, chan) < 0) {
> + l2cap_chan_put(chan);
> + chan = NULL;
> + }
> if (chan) {
> bacpy(&chan->src, &hcon->src);
> bacpy(&chan->dst, &hcon->dst);
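Review bot: folding the allocation failure and the callback failure into `if (chan && pchan->ops->new_connection(pchan, chan) < 0)` leaves both cases silently dropped; an incoming connection that is discarded here is not diagnosable from logs. A BT_DBG in the failure branch (or separate branches for the two cases) would help.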
> @@ -7407,6 +7440,9 @@ static void l2cap_connect_cfm(struct hci_conn
> *hcon, u8 status)
> chan->dst_type = dst_type;
>
> __l2cap_chan_add(conn, chan);
> +
> + /* Drop our local ref; __l2cap_chan_add() pinned chan via the conn list. */
> + l2cap_chan_put(chan);
> }
>
> l2cap_chan_unlock(pchan);
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index dede550d6031..598f24c8f704 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -46,7 +46,8 @@ static struct bt_sock_list l2cap_sk_list = {
> static const struct proto_ops l2cap_sock_ops;
> static void l2cap_sock_init(struct sock *sk, struct sock *parent);
> static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
> - int proto, gfp_t prio, int kern);
> + int proto, gfp_t prio, int kern,
> + struct l2cap_chan *chan);
> static void l2cap_sock_cleanup_listen(struct sock *parent);
>
> bool l2cap_is_socket(struct socket *sock)
> @@ -1507,12 +1508,13 @@ static void l2cap_sock_cleanup_listen(struct
> sock *parent)
> }
> }
>
> -static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
> +static int l2cap_sock_new_connection_cb(struct l2cap_chan *chan,
> + struct l2cap_chan *new_chan)
> {
> struct sock *sk, *parent = chan->data;
>
> if (!parent)
> - return NULL;
> + return -EINVAL;
>
> lock_sock(parent);
>
> @@ -1520,15 +1522,15 @@ static struct l2cap_chan
> *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
> if (sk_acceptq_is_full(parent)) {
> BT_DBG("backlog full %d", parent->sk_ack_backlog);
> release_sock(parent);
> - return NULL;
> + return -ENOBUFS;
> }
>
> sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
> - GFP_ATOMIC, 0);
> + GFP_ATOMIC, 0, new_chan);
> if (!sk) {
> release_sock(parent);
> - return NULL;
> - }
> + return -ENOMEM;
> + }
>
> bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
>
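Review bot: the `-	}` / `+	}` pair after the `return -ENOMEM;` line is a whitespace-only change to the closing brace; please drop it unless it corrects indentation, so the diff stays limited to the return-value changes. The new -ENOBUFS for a full backlog is fine, but note that every caller in l2cap_core.c maps all of these codes to the same L2CAP_CR_LE_NO_MEM result.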
> @@ -1538,7 +1540,7 @@ static struct l2cap_chan
> *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>
> release_sock(parent);
>
> - return l2cap_pi(sk)->chan;
> + return 0;
> }
>
> static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
> @@ -1939,10 +1941,10 @@ static struct proto l2cap_proto = {
> };
>
> static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
> - int proto, gfp_t prio, int kern)
> + int proto, gfp_t prio, int kern,
> + struct l2cap_chan *chan)
> {
> struct sock *sk;
> - struct l2cap_chan *chan;
>
> sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
> if (!sk)
> @@ -1953,14 +1955,11 @@ static struct sock *l2cap_sock_alloc(struct net
> *net, struct socket *sock,
>
> INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
>
> - chan = l2cap_chan_create();
> - if (!chan) {
> - sk_free(sk);
> - if (sock)
> - sock->sk = NULL;
> - return NULL;
> - }
> -
> + /* The sock owns two refs on chan, matching the puts in
> + * l2cap_sock_kill() and l2cap_sock_destruct(). The caller keeps
> + * its own ref independent of these.
> + */
> + l2cap_chan_hold(chan);
> l2cap_chan_hold(chan);
>
> l2cap_pi(sk)->chan = chan;
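Review bot: with chan now passed in, l2cap_sock_alloc() has no NULL check and no failure path after bt_sock_alloc(), so a NULL chan is a programming error that would crash at the first l2cap_chan_hold(). Documenting the non-NULL requirement next to the prototype, or adding a WARN_ON(!chan) early return, would make the new contract explicit. The two holds replacing l2cap_chan_create()'s initial reference plus one hold keep the count unchanged; that equivalence is worth stating in the commit message.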
> @@ -1972,6 +1971,7 @@ static int l2cap_sock_create(struct net *net,
> struct socket *sock, int protocol,
> int kern)
> {
> struct sock *sk;
> + struct l2cap_chan *chan;
>
> BT_DBG("sock %p", sock);
>
> @@ -1986,10 +1986,18 @@ static int l2cap_sock_create(struct net *net,
> struct socket *sock, int protocol,
>
> sock->ops = &l2cap_sock_ops;
>
> - sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
> - if (!sk)
> + chan = l2cap_chan_create();
> + if (!chan)
> return -ENOMEM;
>
> + sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern, chan);
> + if (!sk) {
> + l2cap_chan_put(chan);
> + return -ENOMEM;
> + }
> + /* Sock has taken its own refs on chan; drop the chan_create() ref. */
> + l2cap_chan_put(chan);
> +
> l2cap_sock_init(sk, NULL);
> bt_sock_link(&l2cap_sk_list, sk);
> return 0;
> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
> index 1739c1989dbd..25cb5dc580bf 100644
> --- a/net/bluetooth/smp.c
> +++ b/net/bluetooth/smp.c
> @@ -3204,16 +3204,11 @@ static const struct l2cap_ops smp_chan_ops = {
> .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
> };
>
> -static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
> +static inline int smp_new_conn_cb(struct l2cap_chan *pchan,
> + struct l2cap_chan *chan)
> {
> - struct l2cap_chan *chan;
> -
> BT_DBG("pchan %p", pchan);
>
> - chan = l2cap_chan_create();
> - if (!chan)
> - return NULL;
> -
> chan->chan_type = pchan->chan_type;
> chan->ops = &smp_chan_ops;
> chan->scid = pchan->scid;
> @@ -3229,9 +3224,9 @@ static inline struct l2cap_chan
> *smp_new_conn_cb(struct l2cap_chan *pchan)
> */
> atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
>
> - BT_DBG("created chan %p", chan);
> + BT_DBG("initialised chan %p", chan);
>
> - return chan;
> + return 0;
> }
>
> static const struct l2cap_ops smp_root_chan_ops = {
> --
> 2.54.0
Could you please check this?
Best,
Siwei
* [PATCH v2] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
From: Doruk Tan Ozturk @ 2026-05-26 19:48 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, security, stable, Doruk Tan Ozturk
hci_le_create_cis_sync() dereferences conn->conn_timeout after releasing
both rcu_read_lock() and hci_dev_lock(hdev). The conn pointer was
obtained from an RCU-protected iteration over hdev->conn_hash.list and
is not valid once these locks are dropped. A concurrent disconnect can
free the hci_conn between the unlock and the dereference, causing a
use-after-free read.
The cancellation mechanism in hci_conn_del() cannot prevent this because
hci_le_create_cis_pending() queues hci_create_cis_sync with data=NULL:
hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);
While hci_conn_del() dequeues with data=conn:
hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);
Since NULL != conn, the lookup in _hci_cmd_sync_lookup_entry() never
matches, and the pending work item is not cancelled.
Fix this by saving conn->conn_timeout into a local variable while the
locks are still held, so the stale conn pointer is never dereferenced
after unlock.
This is the same class of bug as the one fixed by commit
035c25007c9e ("Bluetooth: hci_sync: Fix UAF in
le_read_features_complete") which addressed the identical pattern in a
different function.
Found by 0sec (https://0sec.ai) using automated source analysis.
Fixes: c09b80be6ffc ("Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: https://lore.kernel.org/linux-bluetooth/20260525162438.96881-1-doruk@0sec.ai/
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
v2:
- fix commit reference title ("Fix UAF in" not "Fix UAF on")
- fix Fixes: tag title to match actual commit
- add Closes: tag per checkpatch
Link: https://lore.kernel.org/linux-bluetooth/20260525162438.96881-1-doruk@0sec.ai/
net/bluetooth/hci_sync.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index XXXXXXX..XXXXXXX 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6700,6 +6700,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev)
DEFINE_FLEX(struct hci_cp_le_create_cis, cmd, cis, num_cis, 0x1f);
size_t aux_num_cis = 0;
struct hci_conn *conn;
+ u16 timeout = 0;
u8 cig = BT_ISO_QOS_CIG_UNSET;
/* The spec allows only one pending LE Create CIS command at a time. If
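Review bot: the `index XXXXXXX..XXXXXXX` line is a placeholder rather than real blob ids, so the patch was not generated from an actual tree state; please regenerate with git format-patch so the hashes are real. On the change itself, initialising `timeout = 0` relies on the existing early return when no CIS was collected (not visible here); otherwise a zero timeout would be passed to __hci_cmd_sync_status_sk(). Please confirm that return is in place.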
@@ -6773,6 +6774,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev)
set_bit(HCI_CONN_CREATE_CIS, &conn->flags);
cis->acl_handle = cpu_to_le16(conn->parent->handle);
cis->cis_handle = cpu_to_le16(conn->handle);
+ timeout = conn->conn_timeout;
aux_num_cis++;
if (aux_num_cis >= cmd->num_cis)
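Review bot: because the assignment sits inside the loop, when several CIS are batched into one command the last conn's conn_timeout wins. That matches the previous behaviour (conn also pointed at the last iterated connection when it was dereferenced), but it is worth saying so in the commit message so nobody later reads this as a per-CIS timeout.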
@@ -6791,7 +6793,7 @@ int hci_le_create_cis_sync(struct hci_dev *hdev)
return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CIS,
struct_size(cmd, cis, cmd->num_cis),
cmd, HCI_EVT_LE_CIS_ESTABLISHED,
- conn->conn_timeout, NULL);
+ timeout, NULL);
}
int hci_le_remove_cig_sync(struct hci_dev *hdev, u8 handle)
--
2.45.0
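The two points in the commit message above (the stale conn pointer after unlock, and the queue/dequeue data mismatch that defeats cancellation), as an added user-space model that is not part of the patch or of the kernel: struct hci_conn_model, hdev_lock()/hdev_unlock(), conn_del() and the cmd_sync queue below are constructed stand-ins for hci_conn, hci_dev_lock(), hci_conn_del() and hci_cmd_sync_queue()/hci_cmd_sync_dequeue(), and the timeout value 0x1f40 is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct hci_conn (constructed for this example). */
struct hci_conn_model {
	struct hci_conn_model *next;
	uint16_t conn_timeout;
};

/* Single-threaded stand-in for hci_dev_lock(): re-entry would be a deadlock. */
static bool hdev_locked;
static struct hci_conn_model *conn_list;

static void hdev_lock(void)   { if (hdev_locked) abort(); hdev_locked = true; }
static void hdev_unlock(void) { hdev_locked = false; }

/* Model of hci_conn_del(): unlink under the lock, then free. A pointer kept
 * from an earlier list walk is dangling once this returns. */
static void conn_del(struct hci_conn_model *conn)
{
	struct hci_conn_model **pp;
	hdev_lock();
	for (pp = &conn_list; *pp; pp = &(*pp)->next)
		if (*pp == conn) {
			*pp = conn->next;
			break;
		}
	hdev_unlock();
	free(conn);
}

/* The fixed pattern: copy conn_timeout while the lock is held and use only
 * the copy afterwards. The last conn wins, as in the patched loop. */
static uint16_t cis_timeout_snapshot(void)
{
	struct hci_conn_model *c;
	uint16_t timeout = 0;
	hdev_lock();
	for (c = conn_list; c; c = c->next)
		timeout = c->conn_timeout;
	hdev_unlock();
	return timeout;
}

/* Model of the cmd_sync queue: an entry matches on both the function and
 * the data pointer, like _hci_cmd_sync_lookup_entry(). */
typedef int (*sync_func_t)(void *data);
static struct { sync_func_t func; void *data; bool pending; } queued;

static int create_cis_sync(void *data) { (void)data; return 0; }

static void cmd_sync_queue(sync_func_t func, void *data)
{
	queued.func = func;
	queued.data = data;
	queued.pending = true;
}

/* True when a pending entry matched and was cancelled. */
static bool cmd_sync_dequeue(sync_func_t func, void *data)
{
	if (!queued.pending || queued.func != func || queued.data != data)
		return false;
	queued.pending = false;
	return true;
}

/* Why cancellation does not save us: the work is queued with data=NULL but
 * hci_conn_del() dequeues with data=conn, so the lookup never matches. */
static bool dequeue_with_conn_cancels_null_entry(void)
{
	struct hci_conn_model dummy = { 0 };
	cmd_sync_queue(create_cis_sync, NULL);
	return cmd_sync_dequeue(create_cis_sync, &dummy);
}

/* Scenario: snapshot the timeout, then a disconnect frees the conn before
 * the value is consumed. The copy stays valid; the pointer would not. */
static uint16_t cis_timeout_survives_disconnect(void)
{
	struct hci_conn_model *conn = calloc(1, sizeof(*conn));
	uint16_t timeout;
	if (!conn)
		return 0;
	conn->conn_timeout = 0x1f40;	/* constructed sample value */
	conn->next = conn_list;
	conn_list = conn;
	timeout = cis_timeout_snapshot();
	conn_del(conn);			/* the concurrent disconnect, in-line */
	return timeout;			/* 0x1f40, copied before the unlock */
}

int main(void)
{
	printf("timeout after disconnect: 0x%04x\n", cis_timeout_survives_disconnect());
	printf("stale cancel matched: %d\n", dequeue_with_conn_cancels_null_entry());
	return 0;
}
```

The model is deliberately single-threaded: conn_del() is called right after the snapshot to stand in for the disconnect racing the unlock, which is enough to show why a copied value is safe where a retained pointer is not. The dequeue helper also shows that the same entry does match once the lookup uses the data it was queued with (NULL), which is why the cancellation path alone cannot close this window.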
* RE: [v2] Bluetooth: btusb: Add TP-Link UB600 for Realtek 8761BUV
From: Nils Helmig @ 2026-05-26 19:03 UTC (permalink / raw)
To: bluez.test.bot; +Cc: linux-bluetooth, nils.helmig
In-Reply-To: <69ed185e.050a0220.107d78.67fa@mx.google.com>
From: nils.helmig@web.de
I saw that the merge request https://github.com/bluez/bluetooth-next/pull/127 is closed. Any news on this patch? Is there something I should do?
Regards,
Nils Helmig
* Re: [PATCH BlueZ 1/1] adapter: Add configurable default LE PHYs
From: Tarjei Bitustøyl @ 2026-05-26 18:58 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <CABBYNZLNrWP4-ZtqxL61UR8fxnp+6_Wfwdtfhq=bx2g=VeVLyg@mail.gmail.com>
Yea you're right, I assumed too much here. I have only identified it
with my Frostbay device, not any other device. I've made a GitHub
issue with btmon logs and others that should show the issue.
I do still suspect that this is an issue for other BLE devices on the
Intel AX210 though.
Issue is 2155.
Regards,
Tarjei
On Tue, 26 May 2026 at 16:27, Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>
> Hi Tarjei,
>
> On Sun, May 24, 2026 at 6:14 PM Tarjei Bitustøyl <tarjeib@gmail.com> wrote:
> >
> > Some controllers mis-handle LE procedures on specific PHYs with
> > certain peers. On an Intel AX210-class controller, connecting to a
> > Frostbay BLE device can fail during early ATT/GATT setup unless the
> > adapter is limited to LE 1M TX/RX.
>
> Perhaps there should be a GitHub issue explaining exactly what the
> problem is with btmon logs, etc, Then we can evaluate if this needs a
> workaround like this or if we should detect that certain PHYs should
> not be used.
>
> > Add an opt-in [LE] DefaultPHYs setting to bluetoothd and apply it at
> > adapter startup using MGMT_OP_GET/SET_PHY_CONFIGURATION while
> > preserving non-configurable PHY bits.
> >
> > This provides a generic, adapter-wide workaround for controller-
> > specific LE PHY interoperability problems affecting scanning and
> > connection establishment, without adding device-specific quirks.
>
> Well it is not really controller specific though, since it applies to
> any controller on the system. Also, I believe this could be a device
> specific problem so you might be taking away 2M support entirely when
> it could actually be supported with another device.
>
> > ---
> > src/adapter.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > src/btd.h | 2 ++
> > src/main.c | 61 +++++++++++++++++++++++++++++++++++++++++
> > src/main.conf | 8 ++++++
> > 4 files changed, 147 insertions(+)
> >
> > diff --git a/src/adapter.c b/src/adapter.c
> > index 20f7c3e03..fcbb65e38 100644
> > --- a/src/adapter.c
> > +++ b/src/adapter.c
> > @@ -4972,6 +4972,81 @@ done:
> > mgmt_tlv_list_free(list);
> > }
> >
> > +static void set_default_le_phys_complete(uint8_t status, uint16_t length,
> > + const void *param, void *user_data)
> > +{
> > + struct btd_adapter *adapter = user_data;
> > +
> > + if (status != MGMT_STATUS_SUCCESS)
> > + btd_error(adapter->dev_id,
> > + "Failed to set default LE PHYs for hci%u: %s (0x%02x)",
> > + adapter->dev_id, mgmt_errstr(status), status);
> > +}
> > +
> > +static void get_default_le_phys_complete(uint8_t status, uint16_t length,
> > + const void *param, void *user_data)
> > +{
> > + struct btd_adapter *adapter = user_data;
> > + const struct mgmt_rp_get_phy_confguration *rp = param;
> > + struct mgmt_cp_set_phy_confguration cp;
> > + uint32_t configurable_phys;
> > + uint32_t selected_phys;
> > + uint32_t next_phys;
> > +
> > + if (status != MGMT_STATUS_SUCCESS) {
> > + btd_error(adapter->dev_id,
> > + "Failed to read PHY configuration for hci%u: %s (0x%02x)",
> > + adapter->dev_id, mgmt_errstr(status), status);
> > + return;
> > + }
> > +
> > + if (length < sizeof(*rp)) {
> > + btd_error(adapter->dev_id,
> > + "Too small get PHY configuration response for hci%u",
> > + adapter->dev_id);
> > + return;
> > + }
> > +
> > + configurable_phys = btohl(rp->configurable_phys);
> > + selected_phys = btohl(rp->selected_phys);
> > +
> > + configurable_phys &= MGMT_PHY_LE_TX_MASK | MGMT_PHY_LE_RX_MASK;
> > + next_phys = selected_phys & ~configurable_phys;
> > + next_phys |= btd_opts.default_le_phys & configurable_phys;
> > +
> > + if (next_phys == selected_phys)
> > + return;
> > +
> > + cp.selected_phys = cpu_to_le32(next_phys);
> > +
> > + if (mgmt_send(adapter->mgmt, MGMT_OP_SET_PHY_CONFIGURATION,
> > + adapter->dev_id, sizeof(cp), &cp,
> > + set_default_le_phys_complete, adapter, NULL) > 0)
> > + return;
> > +
> > + btd_error(adapter->dev_id,
> > + "Failed to set default LE PHYs for hci%u",
> > + adapter->dev_id);
> > +}
> > +
> > +static void load_default_le_phys(struct btd_adapter *adapter)
> > +{
> > + if (!btd_opts.default_le_phys_configured)
> > + return;
> > +
> > + if (!(adapter->supported_settings & MGMT_SETTING_LE))
> > + return;
> > +
> > + if (mgmt_send(adapter->mgmt, MGMT_OP_GET_PHY_CONFIGURATION,
> > + adapter->dev_id, 0, NULL,
> > + get_default_le_phys_complete, adapter, NULL) > 0)
> > + return;
> > +
> > + btd_error(adapter->dev_id,
> > + "Failed to read PHY configuration for hci%u",
> > + adapter->dev_id);
> > +}
> > +
> > static void load_devices(struct btd_adapter *adapter)
> > {
> > char dirname[PATH_MAX];
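Review bot: in get_default_le_phys_complete(), bits of btd_opts.default_le_phys that are not in configurable_phys are dropped silently by `btd_opts.default_le_phys & configurable_phys`; a user who lists a PHY the controller does not allow to be changed gets no feedback. Consider a warn() when `btd_opts.default_le_phys & ~configurable_phys` is non-zero so the partially applied setting is visible in the log. The `next_phys == selected_phys` early return is a good touch since it avoids a needless MGMT_OP_SET_PHY_CONFIGURATION on every start.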
> > @@ -9455,6 +9530,7 @@ load:
> > btd_profile_foreach(probe_profile, adapter);
> > clear_blocked(adapter);
> > load_defaults(adapter);
> > + load_default_le_phys(adapter);
> > load_devices(adapter);
> >
> > /* restore Service Changed CCC value for bonded devices */
> > diff --git a/src/btd.h b/src/btd.h
> > index db2e81239..59f44dc8c 100644
> > --- a/src/btd.h
> > +++ b/src/btd.h
> > @@ -140,6 +140,8 @@ struct btd_opts {
> > bool device_privacy;
> > uint32_t name_request_retry_delay;
> > uint8_t secure_conn;
> > + uint32_t default_le_phys;
> > + bool default_le_phys_configured;
> >
> > struct btd_defaults defaults;
> >
> > diff --git a/src/main.c b/src/main.c
> > index 8aa19a3e3..97c64845b 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @@ -32,6 +32,7 @@
> > #include <dbus/dbus.h>
> >
> > #include "bluetooth/bluetooth.h"
> > +#include "bluetooth/mgmt.h"
> > #include "bluetooth/sdp.h"
> >
> > #include "gdbus/gdbus.h"
> > @@ -132,6 +133,7 @@ static const char *le_options[] = {
> > "Autoconnecttimeout",
> > "AdvMonAllowlistScanDuration",
> > "AdvMonNoFilterScanDuration",
> > + "DefaultPHYs",
> > "EnableAdvMonInterleaveScan",
> > NULL
> > };
> > @@ -145,6 +147,8 @@ static const char *policy_options[] = {
> > NULL
> > };
> >
> > +static void parse_default_le_phys(GKeyFile *config);
> > +
> > static const char *gatt_options[] = {
> > "Cache",
> > "KeySize",
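Review bot: the forward declaration of parse_default_le_phys() dropped between the option tables is a style point; defining the function ahead of parse_le_config() (or placing the declaration with the other static prototypes) keeps the tables contiguous and avoids the extra declaration.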
> > @@ -751,6 +755,7 @@ static void parse_le_config(GKeyFile *config)
> > return;
> >
> > parse_mode_config(config, "LE", params, ARRAY_SIZE(params));
> > + parse_default_le_phys(config);
> > }
> >
> > static bool match_experimental(const void *data, const void *match_data)
> > @@ -966,6 +971,62 @@ static void parse_repairing(GKeyFile *config)
> > g_free(str);
> > }
> >
> > +struct phy_config_entry {
> > + const char *name;
> > + uint32_t bit;
> > +};
> > +
> > +static const struct phy_config_entry le_phy_configs[] = {
> > + { "LE1MTX", MGMT_PHY_LE_1M_TX },
> > + { "LE1MRX", MGMT_PHY_LE_1M_RX },
> > + { "LE2MTX", MGMT_PHY_LE_2M_TX },
> > + { "LE2MRX", MGMT_PHY_LE_2M_RX },
> > + { "LECODEDTX", MGMT_PHY_LE_CODED_TX },
> > + { "LECODEDRX", MGMT_PHY_LE_CODED_RX },
> > +};
> > +
> > +static void parse_default_le_phys(GKeyFile *config)
> > +{
> > + char *str = NULL;
> > + char **tokens;
> > + uint32_t phys = 0;
> > + bool valid = false;
> > + int i;
> > +
> > + if (!parse_config_string(config, "LE", "DefaultPHYs", &str))
> > + return;
> > +
> > + tokens = g_strsplit_set(str, ", \t", -1);
> > +
> > + for (i = 0; tokens[i]; i++) {
> > + const char *token = tokens[i];
> > + size_t j;
> > +
> > + if (!token[0])
> > + continue;
> > +
> > + for (j = 0; j < ARRAY_SIZE(le_phy_configs); j++) {
> > + if (strcasecmp(le_phy_configs[j].name, token) != 0)
> > + continue;
> > +
> > + phys |= le_phy_configs[j].bit;
> > + valid = true;
> > + break;
> > + }
> > +
> > + if (j == ARRAY_SIZE(le_phy_configs))
> > + warn("Invalid DefaultPHYs token: %s", token);
> > + }
> > +
> > + if (valid) {
> > + btd_opts.default_le_phys = phys;
> > + btd_opts.default_le_phys_configured = true;
> > + }
> > +
> > + g_strfreev(tokens);
> > + g_free(str);
> > +}
> > +
> > static bool parse_config_hex(GKeyFile *config, char *group,
> > const char *key, uint32_t *val)
> > {
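Review bot: when every token in DefaultPHYs is invalid (or the value is empty), `valid` stays false and the setting is dropped with only the per-token warnings, so the user never sees that DefaultPHYs as a whole was ignored; a final warn() in that case would make the outcome explicit. Also, because LE1M* bits are listed as accepted tokens but are kept regardless by the adapter code's `selected_phys & ~configurable_phys`, it may be worth documenting that naming them has no effect on their own.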
> > diff --git a/src/main.conf b/src/main.conf
> > index 5846ef92d..ed955897e 100644
> > --- a/src/main.conf
> > +++ b/src/main.conf
> > @@ -247,6 +247,14 @@
> > # Default: 500
> > #AdvMonNoFilterScanDuration=
> >
> > +# Configure the controller's default LE PHY policy used for scanning and
> > +# connection establishment. Only configurable LE PHYs are changed; mandatory
> > +# PHYs remain selected automatically.
> > +# Possible values: comma or space separated list of LE1MTX, LE1MRX, LE2MTX,
> > +# LE2MRX, LECODEDTX, LECODEDRX.
> > +# Example: keep LE on 1M only.
> > +#DefaultPHYs = LE1MTX LE1MRX
> > +
> > # Enable/Disable Advertisement Monitor interleave scan for power saving.
> > # 0: disable
> > # 1: enable
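Review bot: the surrounding entries use the `#Key=` form without spaces (see `#AdvMonNoFilterScanDuration=` above) and carry a `# Default:` line; the new `#DefaultPHYs = LE1MTX LE1MRX` example should match that style and state the default (unset, controller policy unchanged) so readers can tell the option is opt-in.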
> > --
> > 2.43.0
> >
> >
>
>
> --
> Luiz Augusto von Dentz
* RE: [BlueZ,v1,1/2] emulator/btdev: Add LE Set Host Feature V2 command emulation
From: bluez.test.bot @ 2026-05-26 18:24 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260526170309.3529062-1-luiz.dentz@gmail.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1101147
---Test result---
Test Summary:
CheckPatch FAIL 1.02 seconds
GitLint PASS 0.68 seconds
BuildEll PASS 19.96 seconds
BluezMake PASS 608.25 seconds
MakeCheck PASS 0.96 seconds
MakeDistcheck PASS 235.82 seconds
CheckValgrind PASS 203.10 seconds
CheckSmatch WARNING 320.79 seconds
bluezmakeextell PASS 167.46 seconds
IncrementalBuild FAIL 604.97 seconds
ScanBuild FAIL 423.04 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v1,1/2] emulator/btdev: Add LE Set Host Feature V2 command emulation
WARNING:BAD_SIGN_OFF: Non-standard signature: Assisted-by:
#103:
Assisted-by: OpenCode:claude-opus-4.6
ERROR:BAD_SIGN_OFF: Unrecognized email address: 'OpenCode:claude-opus-4.6'
#103:
Assisted-by: OpenCode:claude-opus-4.6
/github/workspace/src/patch/14595720.patch total: 1 errors, 1 warnings, 48 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14595720.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
[BlueZ,v1,2/2] monitor: Add decoding support for LE Set Host Feature V2
WARNING:BAD_SIGN_OFF: Non-standard signature: Assisted-by:
#116:
Assisted-by: OpenCode:claude-opus-4.6
ERROR:BAD_SIGN_OFF: Unrecognized email address: 'OpenCode:claude-opus-4.6'
#116:
Assisted-by: OpenCode:claude-opus-4.6
WARNING:PREFER_DEFINED_ATTRIBUTE_MACRO: Prefer __packed over __attribute__((packed))
#135: FILE: monitor/bt.h:3194:
+} __attribute__ ((packed));
/github/workspace/src/patch/14595721.patch total: 1 errors, 2 warnings, 57 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14595721.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/btdev.c:478:29: warning: Variable length array is used.
monitor/packet.c:2002:26: warning: Variable length array is used.
monitor/packet.c: note: in included file:
monitor/bt.h:3924:52: warning: array of flexible structures
monitor/bt.h:3912:40: warning: array of flexible structures
##############################
Test: IncrementalBuild - FAIL
Desc: Incremental build with the patches in the series
Output:
tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12990:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12990 | int main(int argc, char *argv[])
| ^~~~
unit/test-avdtp.c: In function ‘main’:
unit/test-avdtp.c:766:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
766 | int main(int argc, char *argv[])
| ^~~~
unit/test-avrcp.c: In function ‘main’:
unit/test-avrcp.c:989:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
989 | int main(int argc, char *argv[])
| ^~~~
In file included from emulator/btdev.c:31:
emulator/btdev.c: In function ‘cmd_set_host_feature_v2’:
emulator/btdev.c:7915:32: error: dereferencing pointer to incomplete type ‘const struct bt_hci_cmd_le_set_host_feature_v2’
7915 | uint16_t bit = le16_to_cpu(cmd->bit_number);
| ^~
./src/shared/util.h:34:27: note: in definition of macro ‘le16_to_cpu’
34 | #define le16_to_cpu(val) (val)
| ^~~
emulator/btdev.c:7931:20: error: ‘BT_HCI_CMD_LE_SET_HOST_FEATURE_V2’ undeclared (first use in this function); did you mean ‘BT_HCI_CMD_LE_SET_HOST_FEATURE’?
7931 | cmd_complete(dev, BT_HCI_CMD_LE_SET_HOST_FEATURE_V2, &status,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| BT_HCI_CMD_LE_SET_HOST_FEATURE
emulator/btdev.c:7931:20: note: each undeclared identifier is reported only once for each function it appears in
emulator/btdev.c: At top level:
emulator/btdev.c:7942:6: error: ‘BT_HCI_CMD_LE_SET_HOST_FEATURE_V2’ undeclared here (not in a function); did you mean ‘BT_HCI_CMD_LE_SET_HOST_FEATURE’?
7942 | CMD(BT_HCI_CMD_LE_SET_HOST_FEATURE_V2, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/btdev.c:449:13: note: in definition of macro ‘CMD’
449 | .opcode = _opcode, \
| ^~~~~~~
emulator/btdev.c:7954:2: note: in expansion of macro ‘CMD_LE_60’
7954 | CMD_LE_60,
| ^~~~~~~~~
make[1]: *** [Makefile:7058: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4172: all] Error 2
[BlueZ,v1,1/2] emulator/btdev: Add LE Set Host Feature V2 command emulation
tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12990:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12990 | int main(int argc, char *argv[])
| ^~~~
unit/test-avdtp.c: In function ‘main’:
unit/test-avdtp.c:766:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
766 | int main(int argc, char *argv[])
| ^~~~
unit/test-avrcp.c: In function ‘main’:
unit/test-avrcp.c:989:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
989 | int main(int argc, char *argv[])
| ^~~~
In file included from emulator/btdev.c:31:
emulator/btdev.c: In function ‘cmd_set_host_feature_v2’:
emulator/btdev.c:7915:32: error: dereferencing pointer to incomplete type ‘const struct bt_hci_cmd_le_set_host_feature_v2’
7915 | uint16_t bit = le16_to_cpu(cmd->bit_number);
| ^~
./src/shared/util.h:34:27: note: in definition of macro ‘le16_to_cpu’
34 | #define le16_to_cpu(val) (val)
| ^~~
emulator/btdev.c:7931:20: error: ‘BT_HCI_CMD_LE_SET_HOST_FEATURE_V2’ undeclared (first use in this function); did you mean ‘BT_HCI_CMD_LE_SET_HOST_FEATURE’?
7931 | cmd_complete(dev, BT_HCI_CMD_LE_SET_HOST_FEATURE_V2, &status,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| BT_HCI_CMD_LE_SET_HOST_FEATURE
emulator/btdev.c:7931:20: note: each undeclared identifier is reported only once for each function it appears in
emulator/btdev.c: At top level:
emulator/btdev.c:7942:6: error: ‘BT_HCI_CMD_LE_SET_HOST_FEATURE_V2’ undeclared here (not in a function); did you mean ‘BT_HCI_CMD_LE_SET_HOST_FEATURE’?
7942 | CMD(BT_HCI_CMD_LE_SET_HOST_FEATURE_V2, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/btdev.c:449:13: note: in definition of macro ‘CMD’
449 | .opcode = _opcode, \
| ^~~~~~~
emulator/btdev.c:7954:2: note: in expansion of macro ‘CMD_LE_60’
7954 | CMD_LE_60,
| ^~~~~~~~~
make[1]: *** [Makefile:7058: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4172: all] Error 2
##############################
Test: ScanBuild - FAIL
Desc: Run Scan Build
Output:
src/shared/gatt-client.c:447:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:692:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:992:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1098:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1292:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1357:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1632:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1637:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1693:56: warning: Use of memory after it is freed
notify_data->chrc->ccc_write_id = notify_data->att_id = att_id;
~~~~~~~~~~~~~~~~~~~ ^
src/shared/gatt-client.c:2146:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2154:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3332:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3354:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
13 warnings generated.
src/shared/bap.c:1529:8: warning: Use of memory after it is freed
bap = bt_bap_ref_safe(bap);
^~~~~~~~~~~~~~~~~~~~
src/shared/bap.c:2340:20: warning: Use of memory after it is freed
return queue_find(stream->bap->streams, NULL, stream);
^~~~~~~~~~~~~~~~~~~~
2 warnings generated.
src/shared/gatt-client.c:447:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:692:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:992:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1098:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1292:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1357:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1632:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1637:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1693:56: warning: Use of memory after it is freed
notify_data->chrc->ccc_write_id = notify_data->att_id = att_id;
~~~~~~~~~~~~~~~~~~~ ^
src/shared/gatt-client.c:2146:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2154:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3332:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3354:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
13 warnings generated.
tools/hciattach.c:817:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 10)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:865:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:887:8: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 10)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:909:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:930:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 4)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/hciattach.c:974:7: warning: Although the value stored to 'n' is used in the enclosing expression, the value is never actually read from 'n'
if ((n = read_hci_event(fd, resp, 6)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
6 warnings generated.
src/shared/bap.c:1529:8: warning: Use of memory after it is freed
bap = bt_bap_ref_safe(bap);
^~~~~~~~~~~~~~~~~~~~
src/shared/bap.c:2340:20: warning: Use of memory after it is freed
return queue_find(stream->bap->streams, NULL, stream);
^~~~~~~~~~~~~~~~~~~~
2 warnings generated.
src/oui.c:50:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
src/oui.c:53:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
2 warnings generated.
tools/rfcomm.c:234:3: warning: Value stored to 'i' is never read
i = execvp(cmdargv[0], cmdargv);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:234:7: warning: Null pointer passed to 1st parameter expecting 'nonnull'
i = execvp(cmdargv[0], cmdargv);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:354:8: warning: Although the value stored to 'fd' is used in the enclosing expression, the value is never actually read from 'fd'
if ((fd = open(devname, O_RDONLY | O_NOCTTY)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/rfcomm.c:497:14: warning: Assigned value is garbage or undefined
req.channel = raddr.rc_channel;
^ ~~~~~~~~~~~~~~~~
tools/rfcomm.c:515:8: warning: Although the value stored to 'fd' is used in the enclosing expression, the value is never actually read from 'fd'
if ((fd = open(devname, O_RDONLY | O_NOCTTY)) < 0) {
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5 warnings generated.
tools/ciptool.c:351:7: warning: 5th function call argument is an uninitialized value
sk = do_connect(ctl, dev_id, &src, &dst, psm, (1 << CMTP_LOOPBACK));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
src/sdp-xml.c:126:10: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:306:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:344:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
3 warnings generated.
tools/sdptool.c:941:26: warning: Result of 'malloc' is converted to a pointer of type 'uint32_t', which is incompatible with sizeof operand type 'int'
uint32_t *value_int = malloc(sizeof(int));
~~~~~~~~~~ ^~~~~~ ~~~~~~~~~~~
tools/sdptool.c:980:4: warning: 1st function call argument is an uninitialized value
free(allocArray[i]);
^~~~~~~~~~~~~~~~~~~
tools/sdptool.c:3777:2: warning: Potential leak of memory pointed to by 'si.name'
return add_service(0, &si);
^~~~~~~~~~~~~~~~~~~~~~~~~~
tools/sdptool.c:4112:4: warning: Potential leak of memory pointed to by 'context.svc'
return -1;
^~~~~~~~~
4 warnings generated.
tools/avtest.c:243:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:253:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:262:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:276:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:283:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:290:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:297:5: warning: Value stored to 'len' is never read
len = write(sk, buf,
^ ~~~~~~~~~~~~~~
tools/avtest.c:309:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:313:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:322:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:326:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:335:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:342:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:364:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:368:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:377:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:381:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:394:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 4);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:398:5: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:405:4: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:415:4: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:580:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:588:3: warning: Value stored to 'len' is never read
len = write(sk, buf, invalid ? 2 : 3);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/avtest.c:602:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 4 + media_transport_size);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/avtest.c:615:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:625:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:637:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:652:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:664:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:673:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 3);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:680:3: warning: Value stored to 'len' is never read
len = write(sk, buf, 2);
^ ~~~~~~~~~~~~~~~~~
tools/avtest.c:716:2: warning: Value stored to 'len' is never read
len = write(sk, buf, AVCTP_HEADER_LENGTH + sizeof(play_pressed));
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32 warnings generated.
tools/btproxy.c:836:15: warning: Null pointer passed to 1st parameter expecting 'nonnull'
tcp_port = atoi(optarg);
^~~~~~~~~~~~
tools/btproxy.c:839:8: warning: Null pointer passed to 1st parameter expecting 'nonnull'
if (strlen(optarg) > 3 && !strncmp(optarg, "hci", 3))
^~~~~~~~~~~~~~
2 warnings generated.
tools/create-image.c:76:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:84:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:92:3: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
tools/create-image.c:105:2: warning: Value stored to 'fd' is never read
fd = -1;
^ ~~
4 warnings generated.
tools/check-selftest.c:42:3: warning: Value stored to 'ptr' is never read
ptr = fgets(result, sizeof(result), fp);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/btgatt-server.c:1204:2: warning: Value stored to 'argv' is never read
argv -= optind;
^ ~~~~~~
1 warning generated.
tools/btgatt-client.c:1822:2: warning: Value stored to 'argv' is never read
argv += optind;
^ ~~~~~~
1 warning generated.
tools/gatt-service.c:294:2: warning: 2nd function call argument is an uninitialized value
chr_write(chr, value, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
tools/obex-server-tool.c:133:13: warning: Null pointer passed to 1st parameter expecting 'nonnull'
data->fd = open(name, O_WRONLY | O_CREAT | O_NOCTTY, 0600);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/obex-server-tool.c:192:13: warning: Null pointer passed to 1st parameter expecting 'nonnull'
data->fd = open(name, O_RDONLY | O_NOCTTY, 0);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
tools/test-runner.c:1370:2: warning: Address of stack memory associated with local variable 'kernel_path' is still referred to by the global variable 'kernel_image' upon returning to the caller. This will be a dangling reference
return EXIT_SUCCESS;
^~~~~~~~~~~~~~~~~~~
1 warning generated.
client/btpclient/btpclientctl.c:402:3: warning: Value stored to 'bit' is never read
bit = 0;
^ ~
client/btpclient/btpclientctl.c:1655:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(cp->data, ad_data, ad_len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
src/sdp-client.c:353:14: warning: Access to field 'cb' results in a dereference of a null pointer
(*ctxt)->cb = cb;
~~~~~~~~~~~~^~~~
1 warning generated.
src/sdpd-request.c:209:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint16_t'
pElem = malloc(sizeof(uint16_t));
^~~~~~ ~~~~~~~~~~~~~~~~
src/sdpd-request.c:237:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint32_t'
pElem = malloc(sizeof(uint32_t));
^~~~~~ ~~~~~~~~~~~~~~~~
2 warnings generated.
src/gatt-database.c:1171:10: warning: Value stored to 'bits' during its initialization is never read
uint8_t bits[] = { BT_GATT_CHRC_CLI_FEAT_ROBUST_CACHING,
^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
src/gatt-client.c:1569:2: warning: Use of memory after it is freed
notify_client_unref(client);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
unit/avrcp-lib.c:1968:3: warning: 1st function call argument is an uninitialized value
g_free(text[i]);
^~~~~~~~~~~~~~~
1 warning generated.
unit/avdtp.c:756:25: warning: Use of memory after it is freed
session->prio_queue = g_slist_remove(session->prio_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
unit/avdtp.c:763:24: warning: Use of memory after it is freed
session->req_queue = g_slist_remove(session->req_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
unit/test-util.c:33:8: warning: Potential leak of memory pointed to by 'p1'
p2[0] = 1;
~~~~~~^~~
unit/test-util.c:36:3: warning: Potential leak of memory pointed to by 'p2'
_cleanup_free_ uint8_t *data = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
./src/shared/util.h:134:24: note: expanded from macro '_cleanup_free_'
#define _cleanup_free_ _cleanup_(freep)
^
./src/shared/util.h:132:22: note: expanded from macro '_cleanup_'
#define _cleanup_(f) __attribute__((cleanup(f)))
^
unit/test-util.c:42:3: warning: Potential leak of memory pointed to by 'data'
assert(is_null_too == NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/assert.h:108:11: note: expanded from macro 'assert'
((void) sizeof ((expr) ? 1 : 0), __extension__ ({ \
^~~~~~~~~~~~~~~~~~~~~~~
unit/test-util.c:50:2: warning: Potential leak of memory pointed to by 'data'
assert(is_null == NULL);
^~~~~~~~~~~~~~~~~~~~~~~
/usr/include/assert.h:108:11: note: expanded from macro 'assert'
((void) sizeof ((expr) ? 1 : 0), __extension__ ({ \
^~~~~~~~~~~~~~~~~~~~~~~
4 warnings generated.
profiles/audio/avdtp.c:895:25: warning: Use of memory after it is freed
session->prio_queue = g_slist_remove(session->prio_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
profiles/audio/avdtp.c:902:24: warning: Use of memory after it is freed
session->req_queue = g_slist_remove(session->req_queue, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
profiles/audio/a2dp.c:442:8: warning: Use of memory after it is freed
if (!cb->resume_cb)
^~~~~~~~~~~~~
profiles/audio/a2dp.c:3354:20: warning: Access to field 'starting' results in a dereference of a null pointer (loaded from variable 'stream')
stream->starting = TRUE;
~~~~~~ ^
profiles/audio/a2dp.c:3357:8: warning: Access to field 'suspending' results in a dereference of a null pointer (loaded from variable 'stream')
if (!stream->suspending && stream->suspend_timer) {
^~~~~~~~~~~~~~~~~~
profiles/audio/a2dp.c:3417:22: warning: Access to field 'suspending' results in a dereference of a null pointer (loaded from variable 'stream')
stream->suspending = TRUE;
~~~~~~ ^
4 warnings generated.
profiles/audio/avrcp.c:1968:2: warning: Value stored to 'operands' is never read
operands += sizeof(*pdu);
^ ~~~~~~~~~~~~
1 warning generated.
attrib/gatt.c:970:2: warning: Potential leak of memory pointed to by 'long_write'
return prepare_write(long_write);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
src/sdpd-request.c:209:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint16_t'
pElem = malloc(sizeof(uint16_t));
^~~~~~ ~~~~~~~~~~~~~~~~
src/sdpd-request.c:237:13: warning: Result of 'malloc' is converted to a pointer of type 'char', which is incompatible with sizeof operand type 'uint32_t'
pElem = malloc(sizeof(uint32_t));
^~~~~~ ~~~~~~~~~~~~~~~~
2 warnings generated.
src/sdp-client.c:353:14: warning: Access to field 'cb' results in a dereference of a null pointer
(*ctxt)->cb = cb;
~~~~~~~~~~~~^~~~
1 warning generated.
src/gatt-database.c:1171:10: warning: Value stored to 'bits' during its initialization is never read
uint8_t bits[] = { BT_GATT_CHRC_CLI_FEAT_ROBUST_CACHING,
^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
src/sdp-xml.c:126:10: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:306:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
src/sdp-xml.c:344:11: warning: Assigned value is garbage or undefined
buf[1] = data[i + 1];
^ ~~~~~~~~~~~
3 warnings generated.
src/gatt-client.c:1569:2: warning: Use of memory after it is freed
notify_client_unref(client);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gobex/gobex-header.c:95:2: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
memcpy(to, from, count);
^~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
gobex/gobex-transfer.c:423:7: warning: Use of memory after it is freed
if (!g_slist_find(transfers, transfer))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
mesh/main.c:162:3: warning: Value stored to 'optarg' is never read
optarg += strlen("auto");
^ ~~~~~~~~~~~~~~
1 warning generated.
lib/bluetooth/hci.c:93:4: warning: Value stored to 'ptr' is never read
ptr += sprintf(ptr, "%s", m->str);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
client/player.c:2363:8: warning: Null pointer passed to 2nd parameter expecting 'nonnull'
if (!strcmp(ep->path, pattern))
^~~~~~~~~~~~~~~~~~~~~~~~~
client/player.c:3640:16: warning: Null pointer passed to 1st parameter expecting 'nonnull'
codec->name = strdup(name);
^~~~~~~~~~~~
2 warnings generated.
gdbus/watch.c:226:3: warning: Attempt to free released memory
g_free(l->data);
^~~~~~~~~~~~~~~
1 warning generated.
lib/bluetooth/sdp.c:509:17: warning: Dereference of undefined pointer value
uint8_t dtd = *(uint8_t *) dtds[i];
^~~~~~~~~~~~~~~~~~~~
lib/bluetooth/sdp.c:539:17: warning: Dereference of undefined pointer value
uint8_t dtd = *(uint8_t *) dtds[i];
^~~~~~~~~~~~~~~~~~~~
lib/bluetooth/sdp.c:1891:26: warning: Potential leak of memory pointed to by 'ap'
for (; pdlist; pdlist = pdlist->next) {
^~~~~~
lib/bluetooth/sdp.c:1905:6: warning: Potential leak of memory pointed to by 'pds'
ap = sdp_list_append(ap, pds);
~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
lib/bluetooth/sdp.c:1950:10: warning: Potential leak of memory pointed to by 'u'
*seqp = sdp_list_append(*seqp, u);
~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/bluetooth/sdp.c:2055:4: warning: Potential leak of memory pointed to by 'lang'
sdp_list_free(*langSeq, free);
^~~~~~~~~~~~~
lib/bluetooth/sdp.c:2144:9: warning: Potential leak of memory pointed to by 'profDesc'
return 0;
^
lib/bluetooth/sdp.c:3276:8: warning: Potential leak of memory pointed to by 'pSvcRec'
pSeq = sdp_list_append(pSeq, pSvcRec);
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/bluetooth/sdp.c:3277:9: warning: Potential leak of memory pointed to by 'pSeq'
pdata += sizeof(uint32_t);
~~~~~~^~~~~~~~~~~~~~~~~~~
lib/bluetooth/sdp.c:4613:13: warning: Potential leak of memory pointed to by 'rec_list'
} while (scanned < attr_list_len && pdata_len > 0);
^~~~~~~
lib/bluetooth/sdp.c:4909:40: warning: Potential leak of memory pointed to by 'tseq'
for (d = sdpdata->val.dataseq; d; d = d->next) {
^
lib/bluetooth/sdp.c:4945:8: warning: Potential leak of memory pointed to by 'subseq'
tseq = sdp_list_append(tseq, subseq);
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12 warnings generated.
src/shared/gatt-client.c:447:21: warning: Use of memory after it is freed
gatt_db_unregister(op->client->db, op->db_id);
^~~~~~~~~~
src/shared/gatt-client.c:692:2: warning: Use of memory after it is freed
discovery_op_complete(op, false, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:992:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1098:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1292:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1357:2: warning: Use of memory after it is freed
discovery_op_complete(op, success, att_ecode);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1632:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1637:2: warning: Use of memory after it is freed
discover_all(op);
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:1693:56: warning: Use of memory after it is freed
notify_data->chrc->ccc_write_id = notify_data->att_id = att_id;
~~~~~~~~~~~~~~~~~~~ ^
src/shared/gatt-client.c:2146:6: warning: Use of memory after it is freed
if (read_db_hash(op)) {
^~~~~~~~~~~~~~~~
src/shared/gatt-client.c:2154:8: warning: Use of memory after it is freed
discovery_op_ref(op),
^~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3332:2: warning: Use of memory after it is freed
complete_write_long_op(req, success, 0, false);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/shared/gatt-client.c:3354:2: warning: Use of memory after it is freed
request_unref(req);
^~~~~~~~~~~~~~~~~~
13 warnings generated.
src/shared/bap.c:1529:8: warning: Use of memory after it is freed
bap = bt_bap_ref_safe(bap);
^~~~~~~~~~~~~~~~~~~~
src/shared/bap.c:2340:20: warning: Use of memory after it is freed
return queue_find(stream->bap->streams, NULL, stream);
^~~~~~~~~~~~~~~~~~~~
2 warnings generated.
monitor/hwdb.c:59:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
monitor/hwdb.c:64:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
monitor/hwdb.c:106:2: warning: Value stored to 'hwdb' is never read
hwdb = udev_hwdb_unref(hwdb);
^ ~~~~~~~~~~~~~~~~~~~~~
monitor/hwdb.c:111:2: warning: Value stored to 'udev' is never read
udev = udev_unref(udev);
^ ~~~~~~~~~~~~~~~~
4 warnings generated.
monitor/l2cap.c:1676:4: warning: Value stored to 'data' is never read
data += len;
^ ~~~
monitor/l2cap.c:1677:4: warning: Value stored to 'size' is never read
size -= len;
^ ~~~
2 warnings generated.
tools/bluemoon.c:1102:8: warning: Null pointer passed to 1st parameter expecting 'nonnull'
if (strlen(optarg) > 3 && !strncmp(optarg, "hci", 3))
^~~~~~~~~~~~~~
1 warning generated.
tools/meshctl.c:326:19: warning: Access to field 'mesh_devices' results in a dereference of a null pointer (loaded from variable 'default_ctrl')
g_list_free_full(default_ctrl->mesh_devices, g_free);
^~~~~~~~~~~~~~~~~~~~~~~~~~
tools/meshctl.c:762:2: warning: 2nd function call argument is an uninitialized value
bt_shell_printf("Attempting to disconnect from %s\n", addr);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tools/meshctl.c:1957:2: warning: Value stored to 'len' is never read
len = len + extra + strlen("local_node.json");
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3 warnings generated.
In file included from tools/mesh-gatt/crypto.c:32:
./src/shared/util.h:291:9: warning: 1st function call argument is an uninitialized value
return be32_to_cpu(get_unaligned((const uint32_t *) ptr));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./src/shared/util.h:41:26: note: expanded from macro 'be32_to_cpu'
#define be32_to_cpu(val) bswap_32(val)
^~~~~~~~~~~~~
/usr/include/byteswap.h:34:21: note: expanded from macro 'bswap_32'
#define bswap_32(x) __bswap_32 (x)
^~~~~~~~~~~~~~
In file included from tools/mesh-gatt/crypto.c:32:
./src/shared/util.h:301:9: warning: 1st function call argument is an uninitialized value
return be64_to_cpu(get_unaligned((const uint64_t *) ptr));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./src/shared/util.h:42:26: note: expanded from macro 'be64_to_cpu'
#define be64_to_cpu(val) bswap_64(val)
^~~~~~~~~~~~~
/usr/include/byteswap.h:37:21: note: expanded from macro 'bswap_64'
#define bswap_64(x) __bswap_64 (x)
^~~~~~~~~~~~~~
2 warnings generated.
ell/util.c:853:8: warning: The left operand of '>' is a garbage value
if (x > UINT8_MAX)
~ ^
ell/util.c:871:8: warning: The left operand of '>' is a garbage value
if (x > UINT16_MAX)
~ ^
2 warnings generated.
ell/pem.c:131:8: warning: Dereference of null pointer (loaded from variable 'eol')
if (*eol == '\r' || *eol == '\n')
^~~~
ell/pem.c:166:18: warning: Dereference of null pointer (loaded from variable 'eol')
if (buf_len && *eol == '\r' && *buf_ptr == '\n') {
^~~~
ell/pem.c:166:34: warning: Dereference of null pointer (loaded from variable 'buf_ptr')
if (buf_len && *eol == '\r' && *buf_ptr == '\n') {
^~~~~~~~
ell/pem.c:304:11: warning: 1st function call argument is an uninitialized value
result = pem_load_buffer(file.data, file.st.st_size,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ell/pem.c:469:9: warning: 1st function call argument is an uninitialized value
list = l_pem_load_certificate_list_from_data(file.data,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5 warnings generated.
ell/cert.c:645:41: warning: Access to field 'asn1_len' results in a dereference of a null pointer (loaded from variable 'cert')
key = l_key_new(L_KEY_RSA, cert->asn1, cert->asn1_len);
^~~~~~~~~~~~~~
1 warning generated.
ell/gvariant-util.c:143:18: warning: The left operand of '>' is a garbage value
if (alignment > max_alignment)
~~~~~~~~~ ^
ell/gvariant-util.c:456:5: warning: Dereference of null pointer
!children[0].fixed_size) {
^~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
emulator/serial.c:150:2: warning: Assigned value is garbage or undefined
enum btdev_type uninitialized_var(type);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/serial.c:150:36: warning: Value stored to 'type' during its initialization is never read
enum btdev_type uninitialized_var(type);
^~~~
emulator/serial.c:36:30: note: expanded from macro 'uninitialized_var'
#define uninitialized_var(x) x = x
^ ~
emulator/serial.c:213:2: warning: Assigned value is garbage or undefined
enum btdev_type uninitialized_var(dev_type);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/serial.c:213:36: warning: Value stored to 'dev_type' during its initialization is never read
enum btdev_type uninitialized_var(dev_type);
^~~~~~~~
emulator/serial.c:36:30: note: expanded from macro 'uninitialized_var'
#define uninitialized_var(x) x = x
^ ~
4 warnings generated.
In file included from emulator/btdev.c:31:
emulator/btdev.c: In function ‘cmd_set_host_feature_v2’:
emulator/btdev.c:7915:32: error: dereferencing pointer to incomplete type ‘const struct bt_hci_cmd_le_set_host_feature_v2’
7915 | uint16_t bit = le16_to_cpu(cmd->bit_number);
| ^~
./src/shared/util.h:34:27: note: in definition of macro ‘le16_to_cpu’
34 | #define le16_to_cpu(val) (val)
| ^~~
emulator/btdev.c:7931:20: error: ‘BT_HCI_CMD_LE_SET_HOST_FEATURE_V2’ undeclared (first use in this function); did you mean ‘BT_HCI_CMD_LE_SET_HOST_FEATURE’?
7931 | cmd_complete(dev, BT_HCI_CMD_LE_SET_HOST_FEATURE_V2, &status,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| BT_HCI_CMD_LE_SET_HOST_FEATURE
emulator/btdev.c:7931:20: note: each undeclared identifier is reported only once for each function it appears in
emulator/btdev.c: At top level:
emulator/btdev.c:7942:6: error: ‘BT_HCI_CMD_LE_SET_HOST_FEATURE_V2’ undeclared here (not in a function); did you mean ‘BT_HCI_CMD_LE_SET_HOST_FEATURE’?
7942 | CMD(BT_HCI_CMD_LE_SET_HOST_FEATURE_V2, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/btdev.c:449:13: note: in definition of macro ‘CMD’
449 | .opcode = _opcode, \
| ^~~~~~~
emulator/btdev.c:7954:2: note: in expansion of macro ‘CMD_LE_60’
7954 | CMD_LE_60,
| ^~~~~~~~~
make[1]: *** [Makefile:7058: emulator/btdev.o] Error 1
make[1]: *** Waiting for unfinished jobs....
ell/ecc-external.c:77:11: warning: Assigned value is garbage or undefined
dest[i] = src[i];
^ ~~~~~~
ell/ecc-external.c:160:18: warning: The right operand of '-' is a garbage value
diff = left[i] - right[i] - borrow;
^ ~~~~~~~~
ell/ecc-external.c:227:14: warning: 2nd function call argument is an uninitialized value
product = mul_64_64(left[i], right[k - i]);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ell/ecc-external.c:408:9: warning: Assigned value is garbage or undefined
tmp[1] = product[3];
^ ~~~~~~~~~~
ell/ecc-external.c:435:22: warning: The left operand of '&' is a garbage value
tmp[1] = product[3] & 0xffffffff00000000ull;
~~~~~~~~~~ ^
ell/ecc-external.c:483:22: warning: The left operand of '&' is a garbage value
tmp[1] = product[5] & 0xffffffff00000000ull;
~~~~~~~~~~ ^
ell/ecc-external.c:688:28: warning: The left operand of '>>' is a garbage value
tmp[i] = (product[8 + i] >> 9) | (product[9 + i] << 55);
~~~~~~~~~~~~~~ ^
7 warnings generated.
emulator/server.c:230:2: warning: Assigned value is garbage or undefined
enum btdev_type uninitialized_var(type);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/server.c:230:36: warning: Value stored to 'type' during its initialization is never read
enum btdev_type uninitialized_var(type);
^~~~
emulator/server.c:36:30: note: expanded from macro 'uninitialized_var'
#define uninitialized_var(x) x = x
^ ~
2 warnings generated.
make: *** [Makefile:4172: all] Error 2
https://github.com/bluez/bluez/pull/2154
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: [v1] Bluetooth: hci_sync: Add support for HCI_LE_Set_Host_Feature [v2]
From: bluez.test.bot @ 2026-05-26 18:15 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260526170341.3529825-1-luiz.dentz@gmail.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1101148
---Test result---
Test Summary:
CheckPatch PASS 0.99 seconds
VerifyFixes PASS 0.13 seconds
VerifySignedoff PASS 0.14 seconds
GitLint PASS 0.33 seconds
SubjectPrefix PASS 0.17 seconds
BuildKernel PASS 25.82 seconds
CheckAllWarning PASS 28.25 seconds
CheckSparse PASS 27.01 seconds
BuildKernel32 PASS 24.90 seconds
TestRunnerSetup PASS 530.10 seconds
TestRunner_l2cap-tester PASS 61.24 seconds
TestRunner_iso-tester PASS 79.43 seconds
TestRunner_bnep-tester PASS 19.32 seconds
TestRunner_mgmt-tester FAIL 211.47 seconds
TestRunner_rfcomm-tester PASS 25.26 seconds
TestRunner_sco-tester PASS 32.76 seconds
TestRunner_ioctl-tester PASS 26.30 seconds
TestRunner_mesh-tester FAIL 26.01 seconds
TestRunner_smp-tester PASS 23.28 seconds
TestRunner_userchan-tester PASS 20.37 seconds
TestRunner_6lowpan-tester PASS 23.07 seconds
IncrementalBuild PASS 24.29 seconds
Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.281 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.204 seconds
Mesh - Send cancel - 2 Timed out 1.990 seconds
https://github.com/bluez/bluetooth-next/pull/246
---
Regards,
Linux Bluetooth
^ permalink raw reply