Linux bluetooth development
 help / color / mirror / Atom feed
* [PATCH 4/7] dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
From: Dmitry Baryshkov @ 2026-06-01  9:46 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>

WCN6851 is an earlier version of WCN6855 WiFi/BT chip, compatible with
it. Add a device-specific compat string with the fallback to WCN6855
one.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
 .../devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml        | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml
index 0beda26ae8bb..ec766f40a042 100644
--- a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml
+++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml
@@ -13,8 +13,12 @@ maintainers:
 
 properties:
   compatible:
-    enum:
-      - qcom,wcn6855-bt
+    oneOf:
+      - items:
+          - const: qcom,wcn6851-bt
+          - const: qcom,wcn6855-bt
+      - enum:
+          - qcom,wcn6855-bt
 
   enable-gpios:
     maxItems: 1

-- 
2.47.3


^ permalink raw reply related

* [PATCH 3/7] regulator: dt-bindings: qcom,qca6390-pmu: document WCN6851
From: Dmitry Baryshkov @ 2026-06-01  9:46 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>

WCN6851 is an earlier version of WCN6855 WiFi/BT chip, compatible with
it. Add a device-specific compat string with the fallback to WCN6855
one.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
 Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml b/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml
index 105174df7df2..3d3c6fa7ecbc 100644
--- a/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml
+++ b/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml
@@ -21,6 +21,10 @@ properties:
           - enum:
               - qcom,wcn6755-pmu
           - const: qcom,wcn6750-pmu
+      - items:
+          - enum:
+              - qcom,wcn6851-pmu
+          - const: qcom,wcn6855-pmu
 
       - enum:
           - qcom,qca6390-pmu

-- 
2.47.3


^ permalink raw reply related

* [PATCH 2/7] wifi: ath11k: enable support for WCN6851
From: Dmitry Baryshkov @ 2026-06-01  9:46 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>

The WCN6851, found e.g. on SM8350 platforms, is an earlier version of
WCN6855 platform. It identifies itself as hw1.1. Copy WCN6855 hw 2.0
configuration to support hw1.1 version.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath11k/core.c | 92 ++++++++++++++++++++++++++++++++++
 drivers/net/wireless/ath/ath11k/core.h |  1 +
 drivers/net/wireless/ath/ath11k/mhi.c  |  1 +
 drivers/net/wireless/ath/ath11k/pci.c  |  9 ++++
 drivers/net/wireless/ath/ath11k/pcic.c | 11 ++++
 5 files changed, 114 insertions(+)

diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 3f6f4db5b7ee..7e997016cf6e 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -393,6 +393,98 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
 		.cfr_num_stream_bufs = 0,
 		.cfr_stream_buf_size = 0,
 	},
+	{
+		.name = "wcn6855 hw1.1",
+		.hw_rev = ATH11K_HW_WCN6855_HW11,
+		.fw = {
+			.dir = "WCN6855/hw1.1",
+			.board_size = 256 * 1024,
+			.cal_offset = 128 * 1024,
+		},
+		.max_radios = 3,
+		.bdf_addr = 0x4B0C0000,
+		.hw_ops = &wcn6855_ops,
+		.ring_mask = &ath11k_hw_ring_mask_qca6390,
+		.internal_sleep_clock = true,
+		.regs = &wcn6855_regs,
+		.qmi_service_ins_id = ATH11K_QMI_WLFW_SERVICE_INS_ID_V01_QCA6390,
+		.host_ce_config = ath11k_host_ce_config_qca6390,
+		.ce_count = 9,
+		.target_ce_config = ath11k_target_ce_config_wlan_qca6390,
+		.target_ce_count = 9,
+		.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qca6390,
+		.svc_to_ce_map_len = 14,
+		.ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
+		.single_pdev_only = true,
+		.rxdma1_enable = false,
+		.num_rxdma_per_pdev = 2,
+		.rx_mac_buf_ring = true,
+		.vdev_start_delay = true,
+		.htt_peer_map_v2 = false,
+
+		.spectral = {
+			.fft_sz = 0,
+			.fft_pad_sz = 0,
+			.summary_pad_sz = 0,
+			.fft_hdr_len = 0,
+			.max_fft_bins = 0,
+			.fragment_160mhz = false,
+		},
+
+		.interface_modes = BIT(NL80211_IFTYPE_STATION) |
+					BIT(NL80211_IFTYPE_AP) |
+					BIT(NL80211_IFTYPE_P2P_DEVICE) |
+					BIT(NL80211_IFTYPE_P2P_CLIENT) |
+					BIT(NL80211_IFTYPE_P2P_GO),
+		.supports_monitor = false,
+		.full_monitor_mode = false,
+		.supports_shadow_regs = true,
+		.idle_ps = true,
+		.supports_sta_ps = true,
+		.coldboot_cal_mm = false,
+		.coldboot_cal_ftm = false,
+		.cbcal_restart_fw = false,
+		.fw_mem_mode = 0,
+		.num_vdevs = 2 + 1,
+		.num_peers = 512,
+		.supports_suspend = true,
+		.hal_desc_sz = sizeof(struct hal_rx_desc_wcn6855),
+		.supports_regdb = true,
+		.fix_l1ss = false,
+		.credit_flow = true,
+		.hal_params = &ath11k_hw_hal_params_qca6390,
+		.supports_dynamic_smps_6ghz = false,
+		.alloc_cacheable_memory = false,
+		.supports_rssi_stats = true,
+		.fw_wmi_diag_event = true,
+		.current_cc_support = true,
+		.dbr_debug_support = false,
+		.global_reset = true,
+		.bios_sar_capa = &ath11k_hw_sar_capa_wcn6855,
+		.m3_fw_support = true,
+		.fixed_bdf_addr = false,
+		.fixed_mem_region = false,
+		.static_window_map = false,
+		.hybrid_bus_type = false,
+		.fixed_fw_mem = false,
+		.support_off_channel_tx = true,
+		.supports_multi_bssid = true,
+
+		.sram_dump = {
+			.start = 0x01400000,
+			.end = 0x0177ffff,
+		},
+
+		.tcl_ring_retry = true,
+		.tx_ring_size = DP_TCL_DATA_RING_SIZE,
+		.smp2p_wow_exit = false,
+		.support_fw_mac_sequence = true,
+		.support_dual_stations = true,
+		.pdev_suspend = false,
+		.cfr_support = false,
+		.cfr_num_stream_bufs = 0,
+		.cfr_stream_buf_size = 0,
+	},
 	{
 		.name = "wcn6855 hw2.0",
 		.hw_rev = ATH11K_HW_WCN6855_HW20,
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index a0d725923ef2..29727ee94bfc 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -147,6 +147,7 @@ enum ath11k_hw_rev {
 	ATH11K_HW_QCA6390_HW20,
 	ATH11K_HW_IPQ6018_HW10,
 	ATH11K_HW_QCN9074_HW10,
+	ATH11K_HW_WCN6855_HW11,
 	ATH11K_HW_WCN6855_HW20,
 	ATH11K_HW_WCN6855_HW21,
 	ATH11K_HW_WCN6750_HW10,
diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
index a6c9ff112c68..c94546c367a7 100644
--- a/drivers/net/wireless/ath/ath11k/mhi.c
+++ b/drivers/net/wireless/ath/ath11k/mhi.c
@@ -393,6 +393,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
 		ath11k_mhi_config = &ath11k_mhi_config_qcn9074;
 		break;
 	case ATH11K_HW_QCA6390_HW20:
+	case ATH11K_HW_WCN6855_HW11:
 	case ATH11K_HW_WCN6855_HW20:
 	case ATH11K_HW_WCN6855_HW21:
 	case ATH11K_HW_QCA2066_HW21:
diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
index 35bb9e7a63a2..dc1dfd219d88 100644
--- a/drivers/net/wireless/ath/ath11k/pci.c
+++ b/drivers/net/wireless/ath/ath11k/pci.c
@@ -1031,6 +1031,15 @@ static int ath11k_pci_probe(struct pci_dev *pdev,
 		ath11k_pci_read_hw_version(ab, &soc_hw_version_major,
 					   &soc_hw_version_minor);
 		switch (soc_hw_version_major) {
+		case 1:
+			switch (soc_hw_version_minor) {
+			case 0x10:
+				ab->hw_rev = ATH11K_HW_WCN6855_HW11;
+				break;
+			default:
+				goto unsupported_wcn6855_soc;
+			}
+			break;
 		case 2:
 			switch (soc_hw_version_minor) {
 			case 0x00:
diff --git a/drivers/net/wireless/ath/ath11k/pcic.c b/drivers/net/wireless/ath/ath11k/pcic.c
index fc6e7da05c60..0f4dc05cc5b5 100644
--- a/drivers/net/wireless/ath/ath11k/pcic.c
+++ b/drivers/net/wireless/ath/ath11k/pcic.c
@@ -86,6 +86,17 @@ static const struct ath11k_msi_config ath11k_msi_config[] = {
 		},
 		.hw_rev = ATH11K_HW_QCN9074_HW10,
 	},
+	{
+		.total_vectors = 32,
+		.total_users = 4,
+		.users = (struct ath11k_msi_user[]) {
+			{ .name = "MHI", .num_vectors = 3, .base_vector = 0 },
+			{ .name = "CE", .num_vectors = 10, .base_vector = 3 },
+			{ .name = "WAKE", .num_vectors = 1, .base_vector = 13 },
+			{ .name = "DP", .num_vectors = 18, .base_vector = 14 },
+		},
+		.hw_rev = ATH11K_HW_WCN6855_HW11,
+	},
 	{
 		.total_vectors = 32,
 		.total_users = 4,

-- 
2.47.3


^ permalink raw reply related

* [PATCH 1/7] PCI: qcom: fix parsing of PERST# in the legacy case
From: Dmitry Baryshkov @ 2026-06-01  9:46 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>

Commit deed8aec62dc ("PCI: qcom: Handle mixed PERST#/PHY DT
configuration") fixed support for the "mixed" platforms which declare
PERST# pin the RC node and the PHY in the RP node, however it also broke
support for a majority of existing platforms, which declare both PERST#
and PHY in the RC node, because now PERST# is first acquired in
qcom_pcie_parse_ports(), which then returns -ENODEV (as there are no
PHYs in the RP nodes). Later qcom_pcie_parse_legacy_binding() tries to
acquire the PERST# GPIO again and fails with -EBUSY (as the GPIO has
already been requested).

Move parsing of RC's perst-gpios to qcom_pcie_probe(), making it obvious
that it's shared for both cases and skip parsing it in both functions.

Fixes: deed8aec62dc ("PCI: qcom: Handle mixed PERST#/PHY DT configuration")
Closes: https://lore.kernel.org/r/gieaybsg2ckxpctvqj77nlwu7utama2yeyvebkonmexsxrra3v@v3fobqasxnmy/
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
 drivers/pci/controller/dwc/pcie-qcom.c | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
index 11fc60489892..7664c7c28c0e 100644
--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
@@ -1907,15 +1907,6 @@ static int qcom_pcie_parse_ports(struct qcom_pcie *pcie)
 	struct device *dev = pcie->pci->dev;
 	int ret = -ENODEV;
 
-	if (of_find_property(dev->of_node, "perst-gpios", NULL)) {
-		pcie->reset = devm_gpiod_get_optional(dev, "perst",
-						      GPIOD_OUT_HIGH);
-		if (IS_ERR(pcie->reset))
-			return PTR_ERR(pcie->reset);
-
-		dev_warn(dev, "Reusing PERST# from Root Complex node. DT needs to be fixed!\n");
-	}
-
 	for_each_available_child_of_node_scoped(dev->of_node, of_port) {
 		if (!of_node_is_type(of_port, "pci"))
 			continue;
@@ -1942,7 +1933,6 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
 	struct device *dev = pcie->pci->dev;
 	struct qcom_pcie_perst *perst;
 	struct qcom_pcie_port *port;
-	struct gpio_desc *reset;
 	struct phy *phy;
 	int ret;
 
@@ -1950,10 +1940,6 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
 	if (IS_ERR(phy))
 		return PTR_ERR(phy);
 
-	reset = devm_gpiod_get_optional(dev, "perst", GPIOD_OUT_HIGH);
-	if (IS_ERR(reset))
-		return PTR_ERR(reset);
-
 	ret = phy_init(phy);
 	if (ret)
 		return ret;
@@ -1970,7 +1956,7 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
 	INIT_LIST_HEAD(&port->list);
 	list_add_tail(&port->list, &pcie->ports);
 
-	perst->desc = reset;
+	perst->desc = pcie->reset;
 	INIT_LIST_HEAD(&port->perst);
 	INIT_LIST_HEAD(&perst->list);
 	list_add_tail(&perst->list, &port->perst);
@@ -2107,6 +2093,15 @@ static int qcom_pcie_probe(struct platform_device *pdev)
 
 	pp->ops = &qcom_pcie_dw_ops;
 
+	if (of_find_property(dev->of_node, "perst-gpios", NULL)) {
+		pcie->reset = devm_gpiod_get_optional(dev, "perst",
+						      GPIOD_OUT_HIGH);
+		if (IS_ERR(pcie->reset))
+			return PTR_ERR(pcie->reset);
+
+		dev_warn(dev, "Reusing PERST# from Root Complex node. DT needs to be updated!\n");
+	}
+
 	ret = qcom_pcie_parse_ports(pcie);
 	if (ret) {
 		if (ret != -ENODEV) {

-- 
2.47.3


^ permalink raw reply related

* [PATCH 0/7] arm64: dts: qcom: enable WiFi/BT on SM8350 HDK
From: Dmitry Baryshkov @ 2026-06-01  9:46 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth

The SM8350 HDK has an onboard WCN6851 WiFi/BT chip, which for a long
time was not supported. Bring up different pieces required to enable
this SoC.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Dmitry Baryshkov (7):
      PCI: qcom: fix parsing of PERST# in the legacy case
      wifi: ath11k: enable support for WCN6851
      regulator: dt-bindings: qcom,qca6390-pmu: document WCN6851
      dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
      arm64: dts: qcom: sm8350: expand UART18 to 4 pins config
      arm64: dts: qcom: sm8350: modernize PCIe entries
      arm64: dts: qcom: sm8350-hdk: describe WiFi/BT chip

 .../bindings/net/bluetooth/qcom,wcn6855-bt.yaml    |   8 +-
 .../bindings/regulator/qcom,qca6390-pmu.yaml       |   4 +
 arch/arm64/boot/dts/qcom/sm8350-hdk.dts            | 142 ++++++++++++++++++++-
 arch/arm64/boot/dts/qcom/sm8350.dtsi               |  14 +-
 drivers/net/wireless/ath/ath11k/core.c             |  92 +++++++++++++
 drivers/net/wireless/ath/ath11k/core.h             |   1 +
 drivers/net/wireless/ath/ath11k/mhi.c              |   1 +
 drivers/net/wireless/ath/ath11k/pci.c              |   9 ++
 drivers/net/wireless/ath/ath11k/pcic.c             |  11 ++
 drivers/pci/controller/dwc/pcie-qcom.c             |  25 ++--
 10 files changed, 275 insertions(+), 32 deletions(-)
---
base-commit: 7da7f07112610a520567421dd2ffcb51beaefbcc
change-id: 20260531-sm8350-wifi-3b0659bc183a

Best regards,
--  
With best wishes
Dmitry


^ permalink raw reply

* Re: [PATCH 4/4] Bluetooth: qca: combine NVM and calibration data for QCC2072
From: Yepuri Siddu @ 2026-06-01  9:42 UTC (permalink / raw)
  To: Bartosz Golaszewski
  Cc: quic_mohamull, quic_hbandi, rahul.samana, harshitha.reddy,
	dishank.garg, linux-arm-msm, linux-bluetooth, linux-kernel,
	Marcel Holtmann, Luiz Augusto von Dentz, Rob Herring,
	Krzysztof Kozlowski, Conor Dooley, Bjorn Andersson, Konrad Dybcio,
	Balakrishna Godavarthi, Rocky Liao
In-Reply-To: <CAMRc=MeMm2rmeMOg-HcFY4ONvNbrS7qN=ioyAezRhurL_9Vt1Q@mail.gmail.com>



On 6/1/2026 1:59 PM, Bartosz Golaszewski wrote:
> On Fri, 29 May 2026 20:04:31 +0200, Yepuri Siddu
> <yepuri.siddu@oss.qualcomm.com> said:
>> QCC2072 requires the NVM and calibration data to be delivered to the
>> controller bundled together in an outer TLV of type 4. After loading
>> the NVM file, load the calibration file (qca/ornbcscal<ver>.bin) and
>> combine both into a single buffer with the outer TLV header before
>> passing it to qca_tlv_check_data().
>>
>> The outer TLV header encodes the combined payload length in the high
>> 24 bits and type 4 in the low 8 bits of the type_len field.
>>
>> If the calibration file is unavailable, fall back to downloading the
>> NVM alone.
>>
>> Signed-off-by: Yepuri Siddu <yepuri.siddu@oss.qualcomm.com>
>> ---
>>   drivers/bluetooth/btqca.c | 47 +++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 47 insertions(+)
>>
>> diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
>> index 0ef7546e7c7a..37db1cd9e8cf 100644
>> --- a/drivers/bluetooth/btqca.c
>> +++ b/drivers/bluetooth/btqca.c
>> @@ -612,6 +612,53 @@ static int qca_download_firmware(struct hci_dev *hdev,
>>   	memcpy(data, fw->data, size);
>>   	release_firmware(fw);
>>
>> +	/* For QCC2072, combine the NVM (type 2) with the calibration file
>> +	 * into a single TLV of outer type 4.
>> +	 */
>> +	if (soc_type == QCA_QCC2072 && config->type == TLV_TYPE_NVM) {
>> +		const struct firmware *calib_fw = NULL;
>> +		char calib_name[32];
>> +		u8 *combined_data = NULL;
>> +		size_t inner_len, combined_size;
>> +		struct tlv_type_hdr *outer_hdr;
>> +		int err;
>> +
>> +		snprintf(calib_name, sizeof(calib_name),
>> +			 "qca/ornbcscal%02x.bin", rom_ver);
>> +		err = request_firmware(&calib_fw, calib_name, &hdev->dev);
>> +		if (err) {
>> +			bt_dev_err(hdev, "QCA Failed to request file: %s (%d)",
>> +				   calib_name, err);
>> +			goto skip_combination;
> 
> How about providing a separate function to handle it and avoiding the
> objectively ugly label?

Thank you for the suggestion. Will send a v2 with this addressed.
> 
>> +		}
>> +
>> +		bt_dev_info(hdev, "QCA Downloading %s", calib_name);
>> +
>> +		inner_len = size + calib_fw->size;
>> +		combined_size = sizeof(*outer_hdr) + inner_len;
>> +		combined_data = vmalloc(combined_size);
>> +		if (!combined_data) {
>> +			bt_dev_warn(hdev,
>> +				   "QCA Failed to allocate memory for file: %s",
>> +				   calib_name);
>> +			release_firmware(calib_fw);
>> +			goto skip_combination;
>> +		}
>> +
>> +		outer_hdr = (struct tlv_type_hdr *)combined_data;
>> +		/* high 24 bits = payload length, low 8 bits = type */
>> +		outer_hdr->type_len = cpu_to_le32((inner_len << 8) | 4);
>> +		memcpy(combined_data + sizeof(*outer_hdr), data, size);
>> +		memcpy(combined_data + sizeof(*outer_hdr) + size,
>> +		       calib_fw->data, calib_fw->size);
>> +		release_firmware(calib_fw);
>> +		vfree(data);
>> +		data = combined_data;
>> +		size = combined_size;
> 
> Otherwise it looks ok to me.
> 
> Bartosz
> 
>> +skip_combination:
>> +		;
>> +	}
>> +
>>   	ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
>>   	if (ret)
>>   		goto out;
>> --
>> 2.34.1
>>
>>


^ permalink raw reply

* Re: [PATCH 4/4] Bluetooth: qca: combine NVM and calibration data for QCC2072
From: Bartosz Golaszewski @ 2026-06-01  8:29 UTC (permalink / raw)
  To: Yepuri Siddu
  Cc: quic_mohamull, quic_hbandi, rahul.samana, harshitha.reddy,
	dishank.garg, linux-arm-msm, linux-bluetooth, linux-kernel,
	Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley, Bjorn Andersson,
	Konrad Dybcio, Balakrishna Godavarthi, Rocky Liao
In-Reply-To: <20260529180431.3373856-1-yepuri.siddu@oss.qualcomm.com>

On Fri, 29 May 2026 20:04:31 +0200, Yepuri Siddu
<yepuri.siddu@oss.qualcomm.com> said:
> QCC2072 requires the NVM and calibration data to be delivered to the
> controller bundled together in an outer TLV of type 4. After loading
> the NVM file, load the calibration file (qca/ornbcscal<ver>.bin) and
> combine both into a single buffer with the outer TLV header before
> passing it to qca_tlv_check_data().
>
> The outer TLV header encodes the combined payload length in the high
> 24 bits and type 4 in the low 8 bits of the type_len field.
>
> If the calibration file is unavailable, fall back to downloading the
> NVM alone.
>
> Signed-off-by: Yepuri Siddu <yepuri.siddu@oss.qualcomm.com>
> ---
>  drivers/bluetooth/btqca.c | 47 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 47 insertions(+)
>
> diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
> index 0ef7546e7c7a..37db1cd9e8cf 100644
> --- a/drivers/bluetooth/btqca.c
> +++ b/drivers/bluetooth/btqca.c
> @@ -612,6 +612,53 @@ static int qca_download_firmware(struct hci_dev *hdev,
>  	memcpy(data, fw->data, size);
>  	release_firmware(fw);
>
> +	/* For QCC2072, combine the NVM (type 2) with the calibration file
> +	 * into a single TLV of outer type 4.
> +	 */
> +	if (soc_type == QCA_QCC2072 && config->type == TLV_TYPE_NVM) {
> +		const struct firmware *calib_fw = NULL;
> +		char calib_name[32];
> +		u8 *combined_data = NULL;
> +		size_t inner_len, combined_size;
> +		struct tlv_type_hdr *outer_hdr;
> +		int err;
> +
> +		snprintf(calib_name, sizeof(calib_name),
> +			 "qca/ornbcscal%02x.bin", rom_ver);
> +		err = request_firmware(&calib_fw, calib_name, &hdev->dev);
> +		if (err) {
> +			bt_dev_err(hdev, "QCA Failed to request file: %s (%d)",
> +				   calib_name, err);
> +			goto skip_combination;

How about providing a separate function to handle it and avoiding the
objectively ugly label?

> +		}
> +
> +		bt_dev_info(hdev, "QCA Downloading %s", calib_name);
> +
> +		inner_len = size + calib_fw->size;
> +		combined_size = sizeof(*outer_hdr) + inner_len;
> +		combined_data = vmalloc(combined_size);
> +		if (!combined_data) {
> +			bt_dev_warn(hdev,
> +				   "QCA Failed to allocate memory for file: %s",
> +				   calib_name);
> +			release_firmware(calib_fw);
> +			goto skip_combination;
> +		}
> +
> +		outer_hdr = (struct tlv_type_hdr *)combined_data;
> +		/* high 24 bits = payload length, low 8 bits = type */
> +		outer_hdr->type_len = cpu_to_le32((inner_len << 8) | 4);
> +		memcpy(combined_data + sizeof(*outer_hdr), data, size);
> +		memcpy(combined_data + sizeof(*outer_hdr) + size,
> +		       calib_fw->data, calib_fw->size);
> +		release_firmware(calib_fw);
> +		vfree(data);
> +		data = combined_data;
> +		size = combined_size;

Otherwise it looks ok to me.

Bartosz

> +skip_combination:
> +		;
> +	}
> +
>  	ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
>  	if (ret)
>  		goto out;
> --
> 2.34.1
>
>

^ permalink raw reply

* Re: [PATCH 2/4] Bluetooth: qca: add QCC2072 support
From: Bartosz Golaszewski @ 2026-06-01  8:27 UTC (permalink / raw)
  To: Yepuri Siddu
  Cc: Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley, Bjorn Andersson,
	Konrad Dybcio, Balakrishna Godavarthi, Rocky Liao, quic_mohamull,
	quic_hbandi, rahul.samana, harshitha.reddy, dishank.garg,
	linux-arm-msm, linux-bluetooth, linux-kernel
In-Reply-To: <20260529175822.3366535-1-yepuri.siddu@oss.qualcomm.com>

On Fri, 29 May 2026 19:58:22 +0200, Yepuri Siddu
<yepuri.siddu@oss.qualcomm.com> said:
> QCC2072 is a BT/WiFi combo SoC that uses different firmware
> filenames and requires no external voltage regulators, so add
> it as a new SoC type.
>
> The chip supports the wideband speech and valid LE states
> capabilities. Its firmware is named using the "orn" prefix and
> follows the standard rom-version-based scheme:
>     - qca/ornbtfw<ver>.tlv
>     - qca/ornnv<ver>.bin
>
> These firmware files are already present in the linux-firmware
> repository.
>
> Signed-off-by: Yepuri Siddu <yepuri.siddu@oss.qualcomm.com>
> ---
>  drivers/bluetooth/btqca.c   |  9 +++++++++
>  drivers/bluetooth/btqca.h   |  1 +
>  drivers/bluetooth/hci_qca.c | 24 ++++++++++++++++++++++++
>  3 files changed, 34 insertions(+)
>
> diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
> index dda76365726f..0ef7546e7c7a 100644
> --- a/drivers/bluetooth/btqca.c
> +++ b/drivers/bluetooth/btqca.c
> @@ -843,6 +843,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
>  			snprintf(config.fwname, sizeof(config.fwname),
>  				 "qca/hmtbtfw%02x.tlv", rom_ver);
>  			break;
> +		case QCA_QCC2072:
> +			snprintf(config.fwname, sizeof(config.fwname),
> +				 "qca/ornbtfw%02x.tlv", rom_ver);
> +			break;
>  		default:
>  			snprintf(config.fwname, sizeof(config.fwname),
>  				 "qca/rampatch_%08x.bin", soc_ver);
> @@ -937,6 +941,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
>  			qca_get_nvm_name_by_board(config.fwname, sizeof(config.fwname),
>  				 "hmtnv", soc_type, ver, rom_ver, boardid);
>  			break;
> +		case QCA_QCC2072:
> +			snprintf(config.fwname, sizeof(config.fwname),
> +				 "qca/ornnv%02x.bin", rom_ver);
> +			break;
>  		default:
>  			snprintf(config.fwname, sizeof(config.fwname),
>  				 "qca/nvm_%08x.bin", soc_ver);
> @@ -999,6 +1007,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
>  	case QCA_WCN6750:
>  	case QCA_WCN6855:
>  	case QCA_WCN7850:
> +	case QCA_QCC2072:
>  		/* get fw build info */
>  		err = qca_read_fw_build_info(hdev);
>  		if (err < 0)
> diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
> index 8f3c1b1c77b3..a175ac31e7b2 100644
> --- a/drivers/bluetooth/btqca.h
> +++ b/drivers/bluetooth/btqca.h
> @@ -158,6 +158,7 @@ enum qca_btsoc_type {
>  	QCA_WCN6750,
>  	QCA_WCN6855,
>  	QCA_WCN7850,
> +	QCA_QCC2072,
>  };
>
>  #if IS_ENABLED(CONFIG_BT_QCA)
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
> index ed280399bf47..fc67ba0e4984 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -1372,6 +1372,7 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
>
>  	/* Give the controller time to process the request */
>  	switch (qca_soc_type(hu)) {
> +	case QCA_QCC2072:
>  	case QCA_WCN3950:
>  	case QCA_WCN3988:
>  	case QCA_WCN3990:
> @@ -1459,6 +1460,7 @@ static unsigned int qca_get_speed(struct hci_uart *hu,
>  static int qca_check_speeds(struct hci_uart *hu)
>  {
>  	switch (qca_soc_type(hu)) {
> +	case QCA_QCC2072:
>  	case QCA_WCN3950:
>  	case QCA_WCN3988:
>  	case QCA_WCN3990:
> @@ -1510,6 +1512,7 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
>  		case QCA_WCN6750:
>  		case QCA_WCN6855:
>  		case QCA_WCN7850:
> +		case QCA_QCC2072:
>  			hci_uart_set_flow_control(hu, true);
>  			break;
>
> @@ -1545,6 +1548,7 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
>  		case QCA_WCN6750:
>  		case QCA_WCN6855:
>  		case QCA_WCN7850:
> +		case QCA_QCC2072:
>  			hci_uart_set_flow_control(hu, false);
>  			break;
>
> @@ -1861,6 +1865,7 @@ static int qca_power_on(struct hci_dev *hdev)
>  	case QCA_WCN6750:
>  	case QCA_WCN6855:
>  	case QCA_WCN7850:
> +	case QCA_QCC2072:
>  		ret = qca_regulator_init(hu);
>  		break;
>
> @@ -1957,6 +1962,10 @@ static int qca_setup(struct hci_uart *hu)
>  		soc_name = "wcn7850";
>  		break;
>
> +	case QCA_QCC2072:
> +		soc_name = "qcc2072";
> +		break;
> +
>  	default:
>  		soc_name = "ROME/QCA6390";
>  	}
> @@ -1980,6 +1989,7 @@ static int qca_setup(struct hci_uart *hu)
>  	case QCA_WCN6750:
>  	case QCA_WCN6855:
>  	case QCA_WCN7850:
> +	case QCA_QCC2072:
>  		if (qcadev->bdaddr_property_broken)
>  			hci_set_quirk(hdev, HCI_QUIRK_BDADDR_PROPERTY_BROKEN);
>
> @@ -2013,6 +2023,7 @@ static int qca_setup(struct hci_uart *hu)
>  	case QCA_WCN6750:
>  	case QCA_WCN6855:
>  	case QCA_WCN7850:
> +	case QCA_QCC2072:
>  		break;
>
>  	default:
> @@ -2166,6 +2177,12 @@ static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = {
>  	.num_vregs = 4,
>  };
>
> +static const struct qca_device_data qca_soc_data_qcc2072 __maybe_unused = {
> +	.soc_type = QCA_QCC2072,
> +	.num_vregs = 0,
> +	.capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES,
> +};
> +
>  static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = {
>  	.soc_type = QCA_WCN6750,
>  	.vregs = (struct qca_vreg []) {
> @@ -2268,6 +2285,7 @@ static void qca_power_off(struct hci_uart *hu)
>
>  	case QCA_WCN6750:
>  	case QCA_WCN6855:
> +	case QCA_QCC2072:
>  		gpiod_set_value_cansleep(qcadev->bt_en, 0);
>  		msleep(100);
>  		qca_regulator_disable(qcadev);
> @@ -2414,6 +2432,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
>  		qcadev->btsoc_type = QCA_ROME;
>
>  	switch (qcadev->btsoc_type) {
> +	case QCA_QCC2072:
>  	case QCA_QCA6390:
>  	case QCA_WCN3950:
>  	case QCA_WCN3988:
> @@ -2434,6 +2453,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
>  	}
>
>  	switch (qcadev->btsoc_type) {
> +	case QCA_QCC2072:
>  	case QCA_WCN3950:
>  	case QCA_WCN3988:
>  	case QCA_WCN3990:
> @@ -2484,6 +2504,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
>  		if (!qcadev->bt_en &&
>  		    (data->soc_type == QCA_WCN6750 ||
>  		     data->soc_type == QCA_WCN6855 ||
> +		     data->soc_type == QCA_QCC2072 ||

Looking at the bindings: this chip cannot have an enable GPIO, so it probably
should have its own if branch that unconditionally sets power_ctrl_enabled to
false?

>  		     data->soc_type == QCA_WCN7850))
>  			power_ctrl_enabled = false;
>
> @@ -2492,6 +2513,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
>  		if (IS_ERR(qcadev->sw_ctrl) &&
>  		    (data->soc_type == QCA_WCN6750 ||
>  		     data->soc_type == QCA_WCN6855 ||
> +		     data->soc_type == QCA_QCC2072 ||

Same here.

Bart

>  		     data->soc_type == QCA_WCN7850)) {
>  			dev_err(&serdev->dev, "failed to acquire SW_CTRL gpio\n");
>  			return PTR_ERR(qcadev->sw_ctrl);
> @@ -2570,6 +2592,7 @@ static void qca_serdev_remove(struct serdev_device *serdev)
>  	struct qca_power *power = qcadev->bt_power;
>
>  	switch (qcadev->btsoc_type) {
> +	case QCA_QCC2072:
>  	case QCA_WCN3988:
>  	case QCA_WCN3990:
>  	case QCA_WCN3991:
> @@ -2779,6 +2802,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = {
>  	{ .compatible = "qcom,wcn6750-bt", .data = &qca_soc_data_wcn6750},
>  	{ .compatible = "qcom,wcn6855-bt", .data = &qca_soc_data_wcn6855},
>  	{ .compatible = "qcom,wcn7850-bt", .data = &qca_soc_data_wcn7850},
> +	{ .compatible = "qcom,qcc2072-bt", .data = &qca_soc_data_qcc2072},
>  	{ /* sentinel */ }
>  };
>  MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match);
> --
> 2.34.1
>
>

^ permalink raw reply

* Re: [PATCH 1/4] dt-bindings: bluetooth: qcom,qcc2072-bt: add bindings for QCC2072
From: Krzysztof Kozlowski @ 2026-06-01  8:19 UTC (permalink / raw)
  To: Dmitry Baryshkov, Yepuri Siddu
  Cc: Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley, Bjorn Andersson,
	Konrad Dybcio, Balakrishna Godavarthi, Rocky Liao, quic_mohamull,
	quic_hbandi, rahul.samana, harshitha.reddy, dishank.garg,
	linux-arm-msm, linux-bluetooth, devicetree, linux-kernel
In-Reply-To: <mcn4ysrxrfqo36tr7khsxnjase3priskimkgxuacgma7jcpa46@bgla2znqhyfl>

On 01/06/2026 09:52, Dmitry Baryshkov wrote:
> On Mon, Jun 01, 2026 at 12:50:00PM +0530, Yepuri Siddu wrote:
>>
>>
>> On 5/30/2026 6:04 PM, Krzysztof Kozlowski wrote:
>>> On Fri, May 29, 2026 at 11:23:42PM +0530, Yepuri Siddu wrote:
>>>> Document the YAML binding schema for the Qualcomm QCC2072 UART-based
>>>> Bluetooth controller.
>>>
>>> Where is the rest?
>>>

I repeat the question.


>>>> +properties:
>>>> +  compatible:
>>>> +    enum:
>>>> +      - qcom,qcc2072-bt
>>>> +
>>>> +required:
>>>> +  - compatible
>>>> +
>>>
>>> Looks heavily incomplete. Devices do not work without power for example.
>>
>> The module receives power through the M.2 edge connector and manages its
>> own power sequencing internally. Unlike bare Qualcomm Bluetooth SoCs, it
>> requires no external voltage regulators, enable GPIOs, or clock supply
>> from the host, so no power-related properties are needed in the binding.
> 
> If this is a purely M.2 device, then it should not be a part of DT.
> 

Exactly. And even PCI devices need power sequencing, unless this is a
simple (BT only) device.

Best regards,
Krzysztof

^ permalink raw reply

* Re: [PATCH 1/4] dt-bindings: bluetooth: qcom,qcc2072-bt: add bindings for QCC2072
From: Dmitry Baryshkov @ 2026-06-01  7:52 UTC (permalink / raw)
  To: Yepuri Siddu
  Cc: Krzysztof Kozlowski, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz, Rob Herring, Krzysztof Kozlowski,
	Conor Dooley, Bjorn Andersson, Konrad Dybcio,
	Balakrishna Godavarthi, Rocky Liao, quic_mohamull, quic_hbandi,
	rahul.samana, harshitha.reddy, dishank.garg, linux-arm-msm,
	linux-bluetooth, devicetree, linux-kernel
In-Reply-To: <6c06e372-85b4-4207-9bb6-270bd654c287@oss.qualcomm.com>

On Mon, Jun 01, 2026 at 12:50:00PM +0530, Yepuri Siddu wrote:
> 
> 
> On 5/30/2026 6:04 PM, Krzysztof Kozlowski wrote:
> > On Fri, May 29, 2026 at 11:23:42PM +0530, Yepuri Siddu wrote:
> > > Document the YAML binding schema for the Qualcomm QCC2072 UART-based
> > > Bluetooth controller.
> > 
> > Where is the rest?
> > 
> > Also:
> > A nit, subject: drop second/last, redundant "bindings for". The
> > "dt-bindings" prefix is already stating that these are bindings.
> > See also:
> > https://elixir.bootlin.com/linux/v6.17-rc3/source/Documentation/devicetree/bindings/submitting-patches.rst#L18
> > 
> Thanks,  I will update this accordingly and send a v2 with the fixes.
> > > 
> > > Unlike other Qualcomm Bluetooth chips, QCC2072 requires no external
> > > voltage regulators. The schema inherits common Qualcomm Bluetooth
> > > properties via qcom,bluetooth-common.yaml and serial peripheral
> > > interface properties for the UART link.
> > > 
> > > Signed-off-by: Yepuri Siddu <yepuri.siddu@oss.qualcomm.com>
> > > ---
> > >   .../net/bluetooth/qcom,qcc2072-bt.yaml        | 38 +++++++++++++++++++
> > >   1 file changed, 38 insertions(+)
> > >   create mode 100644 Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml
> > > 
> > > diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml
> > > new file mode 100644
> > > index 000000000000..8e2f15a75d62
> > > --- /dev/null
> > > +++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml
> > > @@ -0,0 +1,38 @@
> > > +# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
> > > +%YAML 1.2
> > > +---
> > > +$id: http://devicetree.org/schemas/net/bluetooth/qcom,qcc2072-bt.yaml#
> > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > +
> > > +title: Qualcomm QCC2072 Bluetooth
> > > +
> > > +maintainers:
> > > +  - Balakrishna Godavarthi <quic_bgodavar@quicinc.com>
> > > +  - Rocky Liao <quic_rjliao@quicinc.com>
> > > +
> > > +description:
> > > +  Qualcomm QCC2072 is a UART-based Bluetooth controller.
> > > +
> > > +properties:
> > > +  compatible:
> > > +    enum:
> > > +      - qcom,qcc2072-bt
> > > +
> > > +required:
> > > +  - compatible
> > > +
> > 
> > Looks heavily incomplete. Devices do not work without power for example.
> 
> The module receives power through the M.2 edge connector and manages its
> own power sequencing internally. Unlike bare Qualcomm Bluetooth SoCs, it
> requires no external voltage regulators, enable GPIOs, or clock supply
> from the host, so no power-related properties are needed in the binding.

If this is a purely M.2 device, then it should not be a part of DT.

-- 
With best wishes
Dmitry

^ permalink raw reply

* Re: [PATCH 1/4] dt-bindings: bluetooth: qcom,qcc2072-bt: add bindings for QCC2072
From: Yepuri Siddu @ 2026-06-01  7:20 UTC (permalink / raw)
  To: Krzysztof Kozlowski
  Cc: Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz,
	Rob Herring, Krzysztof Kozlowski, Conor Dooley, Bjorn Andersson,
	Konrad Dybcio, Balakrishna Godavarthi, Rocky Liao, quic_mohamull,
	quic_hbandi, rahul.samana, harshitha.reddy, dishank.garg,
	linux-arm-msm, linux-bluetooth, devicetree, linux-kernel
In-Reply-To: <20260530-funky-mackerel-of-current-878e2a@quoll>



On 5/30/2026 6:04 PM, Krzysztof Kozlowski wrote:
> On Fri, May 29, 2026 at 11:23:42PM +0530, Yepuri Siddu wrote:
>> Document the YAML binding schema for the Qualcomm QCC2072 UART-based
>> Bluetooth controller.
> 
> Where is the rest?
> 
> Also:
> A nit, subject: drop second/last, redundant "bindings for". The
> "dt-bindings" prefix is already stating that these are bindings.
> See also:
> https://elixir.bootlin.com/linux/v6.17-rc3/source/Documentation/devicetree/bindings/submitting-patches.rst#L18
> 
Thanks,  I will update this accordingly and send a v2 with the fixes.
>>
>> Unlike other Qualcomm Bluetooth chips, QCC2072 requires no external
>> voltage regulators. The schema inherits common Qualcomm Bluetooth
>> properties via qcom,bluetooth-common.yaml and serial peripheral
>> interface properties for the UART link.
>>
>> Signed-off-by: Yepuri Siddu <yepuri.siddu@oss.qualcomm.com>
>> ---
>>   .../net/bluetooth/qcom,qcc2072-bt.yaml        | 38 +++++++++++++++++++
>>   1 file changed, 38 insertions(+)
>>   create mode 100644 Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml
>>
>> diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml
>> new file mode 100644
>> index 000000000000..8e2f15a75d62
>> --- /dev/null
>> +++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,qcc2072-bt.yaml
>> @@ -0,0 +1,38 @@
>> +# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
>> +%YAML 1.2
>> +---
>> +$id: http://devicetree.org/schemas/net/bluetooth/qcom,qcc2072-bt.yaml#
>> +$schema: http://devicetree.org/meta-schemas/core.yaml#
>> +
>> +title: Qualcomm QCC2072 Bluetooth
>> +
>> +maintainers:
>> +  - Balakrishna Godavarthi <quic_bgodavar@quicinc.com>
>> +  - Rocky Liao <quic_rjliao@quicinc.com>
>> +
>> +description:
>> +  Qualcomm QCC2072 is a UART-based Bluetooth controller.
>> +
>> +properties:
>> +  compatible:
>> +    enum:
>> +      - qcom,qcc2072-bt
>> +
>> +required:
>> +  - compatible
>> +
> 
> Looks heavily incomplete. Devices do not work without power for example.

The module receives power through the M.2 edge connector and manages its
own power sequencing internally. Unlike bare Qualcomm Bluetooth SoCs, it
requires no external voltage regulators, enable GPIOs, or clock supply
from the host, so no power-related properties are needed in the binding.
> 
>> +allOf:
>> +  - $ref: bluetooth-controller.yaml#
>> +  - $ref: qcom,bluetooth-common.yaml#
>> +  - $ref: /schemas/serial/serial-peripheral-props.yaml#
>> +
>> +unevaluatedProperties: false
>> +
>> +examples:
>> +  - |
>> +    serial {
>> +        bluetooth {
>> +            compatible = "qcom,qcc2072-bt";
>> +            max-speed = <3200000>;
> 
> Also incomplete.
> 
> Best regards,
> Krzysztof
> 


^ permalink raw reply

* RE: [v5] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: bluez.test.bot @ 2026-06-01  7:11 UTC (permalink / raw)
  To: linux-bluetooth, kbreddy.rpbc
In-Reply-To: <20260601032426.119034-1-kbreddy.rpbc@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2204 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103734

---Test result---

Test Summary:
CheckPatch                    PASS      0.59 seconds
VerifyFixes                   PASS      0.09 seconds
VerifySignedoff               PASS      0.09 seconds
GitLint                       PASS      0.26 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      26.23 seconds
CheckAllWarning               PASS      29.19 seconds
CheckSparse                   PASS      27.87 seconds
BuildKernel32                 PASS      25.89 seconds
TestRunnerSetup               PASS      575.48 seconds
TestRunner_l2cap-tester       PASS      62.40 seconds
TestRunner_iso-tester         PASS      86.46 seconds
TestRunner_bnep-tester        PASS      20.30 seconds
TestRunner_mgmt-tester        FAIL      219.12 seconds
TestRunner_rfcomm-tester      PASS      25.38 seconds
TestRunner_sco-tester         PASS      32.48 seconds
TestRunner_ioctl-tester       PASS      26.31 seconds
TestRunner_mesh-tester        FAIL      25.89 seconds
TestRunner_smp-tester         PASS      23.69 seconds
TestRunner_userchan-tester    PASS      21.00 seconds
TestRunner_6lowpan-tester     PASS      23.35 seconds
IncrementalBuild              PASS      24.81 seconds

Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.260 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.005 seconds
Mesh - Send cancel - 2                               Timed out    1.989 seconds


https://github.com/bluez/bluetooth-next/pull/263

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [PATCH v5] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: Bharath Reddy @ 2026-06-01  3:24 UTC (permalink / raw)
  To: marcel, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, syzkaller-bugs, Bharath Reddy,
	syzbot+535ecc844591e50588a5

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
---
Changes in v5:
 - Removed trailing whitespace in the version history to fix GitLint error

Changes in v4:
 - Included patch version history

Changes in v3:
 - Added missing curly braces to the if/else block in bt_host_release()
   to resolve a checkpatch.pl warning
 - Added Fixes and Closes tags

Changes in v2:
 - Fixed a NULL pointer dereference caused by v1
 - Moved cleanup_srcu_struct() to the fallback (unregistered) branch
   of bt_host_release() instead of unconditionally calling hci_release_dev()

Changes in v1:
- Initial patch (failed because it bypassed the HCI_UNREGISTER check)

 net/bluetooth/hci_sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..8957ce7c21b7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,10 +83,12 @@ static void bt_host_release(struct device *dev)
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
 
-	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		hci_release_dev(hdev);
-	else
+	} else {
+		cleanup_srcu_struct(&hdev->srcu);
 		kfree(hdev);
+	}
 	module_put(THIS_MODULE);
 }
 
-- 
2.34.1


^ permalink raw reply related

* RE: Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING
From: bluez.test.bot @ 2026-06-01  2:13 UTC (permalink / raw)
  To: linux-bluetooth, liujiajia
In-Reply-To: <20260601012620.11764-1-liujiajia@kylinos.cn>

[-- Attachment #1: Type: text/plain, Size: 2204 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103706

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
VerifyFixes                   PASS      0.13 seconds
VerifySignedoff               PASS      0.13 seconds
GitLint                       PASS      0.32 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      26.47 seconds
CheckAllWarning               PASS      28.43 seconds
CheckSparse                   PASS      28.92 seconds
BuildKernel32                 PASS      24.87 seconds
TestRunnerSetup               PASS      535.30 seconds
TestRunner_l2cap-tester       PASS      59.65 seconds
TestRunner_iso-tester         PASS      77.77 seconds
TestRunner_bnep-tester        PASS      19.01 seconds
TestRunner_mgmt-tester        FAIL      210.17 seconds
TestRunner_rfcomm-tester      PASS      25.71 seconds
TestRunner_sco-tester         PASS      32.80 seconds
TestRunner_ioctl-tester       PASS      26.19 seconds
TestRunner_mesh-tester        FAIL      25.96 seconds
TestRunner_smp-tester         PASS      23.25 seconds
TestRunner_userchan-tester    PASS      20.24 seconds
TestRunner_6lowpan-tester     PASS      22.78 seconds
IncrementalBuild              PASS      24.64 seconds

Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.247 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.344 seconds
Mesh - Send cancel - 2                               Timed out    1.992 seconds


https://github.com/bluez/bluetooth-next/pull/262

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING
From: Jiajia Liu @ 2026-06-01  1:26 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz, Brian Gix
  Cc: linux-bluetooth, linux-kernel, Jiajia Liu

When hci_inquiry_complete_evt is called between le_scan_disable and
le_set_scan_enable_complete and no remote name needs to be resolved,
the interleaved discovery with SIMULTANEOUS quirk gets stuck in
DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
state. No one sets DISCOVERY_STOPPED in this process.

  < HCI Command: LE Set Extended Scan Enable  #1764 [hci0] 608.610392
          Extended scan: Disabled (0x00)
          Filter duplicates: Disabled (0x00)
          Duration: 0 msec (0x0000)
          Period: 0.00 sec (0x0000)
  > HCI Event: Inquiry Complete (0x01)        #1765 [hci0] 608.610548
          Status: Success (0x00)
  > HCI Event: Command Complete (0x0e)        #1766 [hci0] 608.611589
        LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
          Status: Success (0x00)

Add scan_disable_complete to check state and stop discovery if stuck.
Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.

  [4517.963204] hci0: state 0 -> 1
  [4518.096858] hci0: state 1 -> 2
  [4528.353765] hci0: state 2 -> 0
  [4528.353776] hci0: state finding to stopped
  [4533.966844] hci0: state 0 -> 1
  [4534.097702] hci0: state 1 -> 2
  [4544.478600] hci0: state 2 -> 0

Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
---
 net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index aff8562a8690..4cb1c82cc3f0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
 	return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
 }
 
+static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
+{
+	if (err)
+		return;
+
+	hci_dev_lock(hdev);
+
+	if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
+		goto unlock;
+
+	if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
+		if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
+		    hdev->discovery.state == DISCOVERY_FINDING) {
+			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+			bt_dev_dbg(hdev, "state finding to stopped");
+		}
+	}
+
+unlock:
+	hci_dev_unlock(hdev);
+}
+
 static void le_scan_disable(struct work_struct *work)
 {
 	struct hci_dev *hdev = container_of(work, struct hci_dev,
@@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
 		goto _return;
 
-	status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
+	status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
+				    scan_disable_complete);
 	if (status) {
 		bt_dev_err(hdev, "failed to disable LE scan: %d", status);
 		goto _return;
-- 
2.53.0


^ permalink raw reply related

* Re: [PATCH net] 6lowpan: fix off-by-one in multicast context address compression
From: Alexander Aring @ 2026-05-31 22:41 UTC (permalink / raw)
  To: Yizhou Zhao
  Cc: netdev, Alexander Aring, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, linux-bluetooth,
	linux-wpan, linux-kernel, Yuxiang Yang, Ao Wang, Xuewei Feng,
	Qi Li, Ke Xu
In-Reply-To: <20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn>

Hi,

On Wed, May 27, 2026 at 4:19 AM Yizhou Zhao
<zhaoyz24@mails.tsinghua.edu.cn> wrote:
>
> The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
> &data[1] as destination and &ipaddr->s6_addr[11] as source, but
> both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
> respectively.
>
> This off-by-one has two consequences:
> 1. data[1] is overwritten with s6_addr[11], corrupting the RIID
>    field in the compressed multicast address
> 2. data[5] is never written, so uninitialized kernel stack memory
>    is transmitted over the network via lowpan_push_hc_data(),
>    leaking kernel stack contents
>
> The correct inline data layout must match what the decompression
> function lowpan_uncompress_multicast_ctx_daddr() expects:
>   data[0..1] = s6_addr[1..2]  (flags/scope + RIID)
>   data[2..5] = s6_addr[12..15] (group ID)
>
> Also zero-initialize the data array as a defensive measure against
> similar bugs in the future.
>
> Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
> Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
> Reported-by: Ao Wang <wangao@seu.edu.cn>
> Reported-by: Xuewei Feng <fengxw06@126.com>
> Reported-by: Qi Li <qli01@tsinghua.edu.cn>
> Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
> Assisted-by: GLM:GLM-5.1
> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> ---
> diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
> index e116d30..37eaff3 100644
> --- a/net/6lowpan/iphc.c
> +++ b/net/6lowpan/iphc.c
> @@ -1086,12 +1086,12 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
>                                               const struct lowpan_iphc_ctx *ctx,
>                                               const struct in6_addr *ipaddr)
>  {
> -       u8 data[6];
> +       u8 data[6] = {};
>
>         /* flags/scope, reserved (RIID) */
>         memcpy(data, &ipaddr->s6_addr[1], 2);
>         /* group ID */
> -       memcpy(&data[1], &ipaddr->s6_addr[11], 4);
> +       memcpy(&data[2], &ipaddr->s6_addr[12], 4);
>         lowpan_push_hc_data(hc_ptr, data, 6);
>
>         return LOWPAN_IPHC_DAM_00;

Looks good to me.

Acked-by: Alexander Aring <aahringo@redhat.com>

Thanks.

- Alex


^ permalink raw reply

* RE: [v4] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: bluez.test.bot @ 2026-05-31 19:32 UTC (permalink / raw)
  To: linux-bluetooth, kbreddy.rpbc
In-Reply-To: <20260531185339.107188-1-kbreddy.rpbc@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2659 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103659

---Test result---

Test Summary:
CheckPatch                    PASS      0.75 seconds
VerifyFixes                   PASS      0.14 seconds
VerifySignedoff               PASS      0.14 seconds
GitLint                       FAIL      0.34 seconds
SubjectPrefix                 PASS      0.14 seconds
BuildKernel                   PASS      24.71 seconds
CheckAllWarning               PASS      27.34 seconds
CheckSparse                   PASS      26.77 seconds
BuildKernel32                 PASS      24.39 seconds
TestRunnerSetup               PASS      521.61 seconds
TestRunner_l2cap-tester       PASS      58.27 seconds
TestRunner_iso-tester         PASS      71.09 seconds
TestRunner_bnep-tester        PASS      19.01 seconds
TestRunner_mgmt-tester        FAIL      210.04 seconds
TestRunner_rfcomm-tester      PASS      25.47 seconds
TestRunner_sco-tester         PASS      32.52 seconds
TestRunner_ioctl-tester       PASS      25.65 seconds
TestRunner_mesh-tester        FAIL      25.96 seconds
TestRunner_smp-tester         PASS      23.39 seconds
TestRunner_userchan-tester    PASS      19.79 seconds
TestRunner_6lowpan-tester     PASS      22.57 seconds
IncrementalBuild              PASS      23.69 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v4] Bluetooth: fix memory leak in error path of hci_alloc_dev()

27: B2 Line has trailing whitespace: " - Added missing curly braces to the if/else block in bt_host_release() "
32: B2 Line has trailing whitespace: " - Fixed a NULL pointer dereference caused by v1. "
33: B2 Line has trailing whitespace: " - Moved cleanup_srcu_struct() to the fallback (unregistered) branch "
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.246 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.303 seconds
Mesh - Send cancel - 2                               Timed out    1.995 seconds


https://github.com/bluez/bluetooth-next/pull/261

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [PATCH v4] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: Bharath Reddy @ 2026-05-31 18:53 UTC (permalink / raw)
  To: marcel, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, syzkaller-bugs, Bharath Reddy,
	syzbot+535ecc844591e50588a5

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
---
Changes in v4:
 - Include patch version history.

Changes in v3:
 - Added missing curly braces to the if/else block in bt_host_release() 
   to resolve a checkpatch.pl warning.
 - Added Fixes and Closes tags.

Changes in v2:
 - Fixed a NULL pointer dereference caused by v1. 
 - Moved cleanup_srcu_struct() to the fallback (unregistered) branch 
   of bt_host_release() instead of unconditionally calling hci_release_dev().

Changes in v1:
 - Initial patch (failed because it bypassed the HCI_UNREGISTER check).

 net/bluetooth/hci_sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..8957ce7c21b7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,10 +83,12 @@ static void bt_host_release(struct device *dev)
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
 
-	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		hci_release_dev(hdev);
-	else
+	} else {
+		cleanup_srcu_struct(&hdev->srcu);
 		kfree(hdev);
+	}
 	module_put(THIS_MODULE);
 }
 
-- 
2.34.1


^ permalink raw reply related

* Re: [PATCH v2] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: Markus Elfring @ 2026-05-31 18:13 UTC (permalink / raw)
  To: Bharath Reddy, linux-bluetooth, Luiz Von Dentz, Marcel Holtmann
  Cc: syzbot+535ecc844591e50588a5, LKML
In-Reply-To: <20260531163032.102728-1-kbreddy.rpbc@gmail.com>

…
> Fix the leak by explicitly calling cleanup_srcu_struct() in the
> fallback (unregistered) branch of bt_host_release() before freeing
> the device.
> ---
>  net/bluetooth/hci_sysfs.c | 4 +++-

Some contributors would appreciate patch version descriptions.
https://lore.kernel.org/all/?q=%22This+looks+like+a+new+version+of+a+previously+submitted+patch%22
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v7.1-rc5#n310

Regards,
Markus

^ permalink raw reply

* [PATCH v3] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: Bharath Reddy @ 2026-05-31 18:12 UTC (permalink / raw)
  To: marcel, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, syzkaller-bugs, Bharath Reddy,
	syzbot+535ecc844591e50588a5

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
---
 net/bluetooth/hci_sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..8957ce7c21b7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,10 +83,12 @@ static void bt_host_release(struct device *dev)
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
 
-	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		hci_release_dev(hdev);
-	else
+	} else {
+		cleanup_srcu_struct(&hdev->srcu);
 		kfree(hdev);
+	}
 	module_put(THIS_MODULE);
 }
 
-- 
2.34.1


^ permalink raw reply related

* [PATCH] Bluetooth: btmtk: Fix MT7925 WMT command timeout due to sleep protection
From: Danny Messina @ 2026-05-31 18:07 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: peter.tsao, marcel, Luiz Augusto von Dentz

  The MediaTek MT7925 USB Bluetooth device (0e8d:0717) fails to initialize
  with repeated "Execution of wmt command timed out" errors:

    Bluetooth: hci0: Execution of wmt command timed out
    Bluetooth: hci0: Failed to send wmt patch dwnld (-110)
    Bluetooth: hci0: Failed to set up firmware (-110)

  USB capture (usbmon) confirms WMT commands reach the device — the
  Control OUT transfer completes with status 0 — but the device never
  responds on any endpoint. The control IN polling URB returns zero bytes
  indefinitely until HCI_INIT_TIMEOUT expires.

  The root cause is the MT7925 BT core's sleep protection register
  (0x18011100, bit 1 = SLPPROT_BYPASS). When SLPPROT is active the BT
  processor ignores incoming WMT commands.

  Two additional issues compound this:

  1. After repeated driver load/unload cycles without a hardware reset,
     the BT subsystem's WMT state machine becomes stuck. A subsystem
     reset via btmtk_usb_subsys_reset() restores it to a workable state.

  2. After btmtk_setup_firmware_79xx() activates the downloaded firmware
     (which ends with a 100ms activation delay), the chip re-enables
     SLPPROT. The subsequent FUNC_CTRL WMT command therefore also times
     out unless SLPPROT is bypassed again.

  Fix this for dev_id 0x7925 in btmtk_usb_setup():
    1. Call btmtk_usb_subsys_reset() to clear any stuck WMT state.
    2. Set 0x18011100 |= BIT(1) before firmware download.
    3. Set 0x18011100 |= BIT(1) again before FUNC_CTRL.

  Tested on a System76 Thelio desktop with MT7925 PCIe combo card,
  USB ID 0e8d:0717, kernel 6.18.7.

  Signed-off-by: Danny Messina <messinadm@gmail.com>
  ---
   drivers/bluetooth/btmtk.c | 33 +++++++++++++++++++++++++++++++++
   1 file changed, 33 insertions(+)

  diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
  --- a/drivers/bluetooth/btmtk.c
  +++ b/drivers/bluetooth/btmtk.c
  @@ -1326,6 +1326,24 @@
        case 0x7922:
        case 0x7925:
        case 0x7961:
  +             if (dev_id == 0x7925) {
  +                     u32 val = 0;
  +
  +                     /* Reset BT subsystem to clear any stuck WMT state */
  +                     err = btmtk_usb_subsys_reset(hdev, dev_id);
  +                     if (err < 0)
  +                             bt_dev_warn(hdev, "BT subsys reset
failed (%d), continuing", err);
  +
  +                     /* Bypass sleep protection so WMT commands
reach the BT core */
  +                     err = btmtk_usb_uhw_reg_read(hdev, 0x18011100, &val);
  +                     if (err < 0)
  +                             return err;
  +                     val |= BIT(1);
  +                     err = btmtk_usb_uhw_reg_write(hdev, 0x18011100, val);
  +                     if (err < 0)
  +                             return err;
  +             }
  +
                btmtk_fw_get_filename(fw_bin_name, sizeof(fw_bin_name), dev_id,
                                      fw_version, fw_flavor);

  @@ -1342,6 +1360,19 @@
                if (err < 0)
                        return err;

  +             /* Re-bypass sleep protection after firmware
activation for MT7925 */
  +             if (dev_id == 0x7925) {
  +                     u32 val = 0;
  +
  +                     err = btmtk_usb_uhw_reg_read(hdev, 0x18011100, &val);
  +                     if (err < 0)
  +                             return err;
  +                     val |= BIT(1);
  +                     err = btmtk_usb_uhw_reg_write(hdev, 0x18011100, val);
  +                     if (err < 0)
  +                             return err;
  +             }
  +
                /* Enable Bluetooth protocol */
                param = 1;
                wmt_params.op = BTMTK_WMT_FUNC_CTRL;

^ permalink raw reply

* RE: [v2] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: bluez.test.bot @ 2026-05-31 17:23 UTC (permalink / raw)
  To: linux-bluetooth, kbreddy.rpbc
In-Reply-To: <20260531163032.102728-1-kbreddy.rpbc@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3229 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103634

---Test result---

Test Summary:
CheckPatch                    FAIL      0.60 seconds
VerifyFixes                   PASS      0.09 seconds
VerifySignedoff               PASS      0.11 seconds
GitLint                       PASS      0.24 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      24.95 seconds
CheckAllWarning               PASS      27.43 seconds
CheckSparse                   PASS      26.70 seconds
BuildKernel32                 PASS      24.35 seconds
TestRunnerSetup               PASS      520.47 seconds
TestRunner_l2cap-tester       PASS      57.78 seconds
TestRunner_iso-tester         PASS      74.71 seconds
TestRunner_bnep-tester        PASS      19.35 seconds
TestRunner_mgmt-tester        FAIL      210.09 seconds
TestRunner_rfcomm-tester      PASS      25.18 seconds
TestRunner_sco-tester         PASS      32.15 seconds
TestRunner_ioctl-tester       PASS      26.43 seconds
TestRunner_mesh-tester        FAIL      25.90 seconds
TestRunner_smp-tester         PASS      23.34 seconds
TestRunner_userchan-tester    PASS      20.13 seconds
TestRunner_6lowpan-tester     PASS      22.82 seconds
IncrementalBuild              PASS      23.50 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2] Bluetooth: fix memory leak in error path of hci_alloc_dev()
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#116: 
Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com

CHECK: Unbalanced braces around else statement
#132: FILE: net/bluetooth/hci_sysfs.c:88:
+	else {

WARNING: The commit message has 'syzkaller', perhaps it also needs a 'Fixes:' tag?

total: 0 errors, 2 warnings, 1 checks, 11 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14603853.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.236 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.331 seconds
Mesh - Send cancel - 2                               Timed out    1.991 seconds


https://github.com/bluez/bluetooth-next/pull/260

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [PATCH v2] Bluetooth: fix memory leak in error path of hci_alloc_dev()
From: Bharath Reddy @ 2026-05-31 16:30 UTC (permalink / raw)
  To: marcel, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, Bharath Reddy,
	syzbot+535ecc844591e50588a5

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
---
 net/bluetooth/hci_sysfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..74131f2c3be6 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -85,8 +85,10 @@ static void bt_host_release(struct device *dev)
 
 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
 		hci_release_dev(hdev);
-	else
+	else {
+		cleanup_srcu_struct(&hdev->srcu);
 		kfree(hdev);
+	}
 	module_put(THIS_MODULE);
 }
 
-- 
2.34.1


^ permalink raw reply related

* RE: advertising: add property with advertisement Instance
From: bluez.test.bot @ 2026-05-31 11:33 UTC (permalink / raw)
  To: linux-bluetooth, michal.dzik
In-Reply-To: <20260531101754.3325247-2-michal.dzik@streamunlimited.com>

[-- Attachment #1: Type: text/plain, Size: 1356 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103543

---Test result---

Test Summary:
CheckPatch                    PASS      0.67 seconds
GitLint                       PASS      0.42 seconds
BuildEll                      PASS      20.32 seconds
BluezMake                     PASS      665.53 seconds
MakeCheck                     PASS      18.40 seconds
MakeDistcheck                 PASS      248.36 seconds
CheckValgrind                 PASS      295.58 seconds
CheckSmatch                   WARNING   351.80 seconds
bluezmakeextell               PASS      181.90 seconds
IncrementalBuild              PASS      650.96 seconds
ScanBuild                     PASS      1039.64 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/advertising.c: note: in included file:./src/shared/mgmt.h:95:25: error: redefinition of unsigned int enum mgmt_io_capabilitysrc/advertising.c: note: in included file:./src/shared/mgmt.h:95:25: error: redefinition of unsigned int enum mgmt_io_capability


https://github.com/bluez/bluez/pull/2161

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [bluez/bluez] 365197: advertising: add property with advertisement Instance
From: mdzik-sue @ 2026-05-31 10:35 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1103543
  Home:   https://github.com/bluez/bluez
  Commit: 3651970e944775553e3cf9d08094c93ea7fe24a7
      https://github.com/bluez/bluez/commit/3651970e944775553e3cf9d08094c93ea7fe24a7
  Author: Michal Dzik <michal.dzik@streamunlimited.com>
  Date:   2026-05-31 (Sun, 31 May 2026)

  Changed paths:
    M doc/org.bluez.LEAdvertisement.rst
    M src/advertising.c

  Log Message:
  -----------
  advertising: add property with advertisement Instance

Instance is an internal value, but it must be exposed to client app if
client app wants to use a advertisement in BAP broadcast.


  Commit: c8e847f563925610f7642c63662f201ca0dc239f
      https://github.com/bluez/bluez/commit/c8e847f563925610f7642c63662f201ca0dc239f
  Author: Michal Dzik <michal.dzik@streamunlimited.com>
  Date:   2026-05-31 (Sun, 31 May 2026)

  Changed paths:
    M client/advertising.c
    M client/advertising.h
    M client/main.c

  Log Message:
  -----------
  client: add advertisement instance support


Compare: https://github.com/bluez/bluez/compare/3651970e9447%5E...c8e847f56392

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox