Linux bluetooth development
* Re: [PATCH BlueZ v2] profiles/ranging: Read measured_freq_offset field-16 bit as per Core Spec
From: Bastien Nocera @ 2026-06-04 11:22 UTC (permalink / raw)
  To: Prathibha Madugonde, linux-bluetooth
  Cc: luiz.dentz, quic_mohamull, quic_hbandi, quic_anubhavg
In-Reply-To: <20260604100233.4193077-1-prathm@qti.qualcomm.com>

On Thu, 2026-06-04 at 15:32 +0530, Prathibha Madugonde wrote:
> From: Prathibha Madugonde <prathibha.madugonde@oss.qualcomm.com>

Could you please add a reference in the commit message to the part of
the Core spec that's relevant?

> 
> Fix in V2:
> Fixed compilation issue.

This should appear under the "---", so that it doesn't get into the
commit message itself when the patch gets applied.

> ---
>  profiles/ranging/rap_hci.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/profiles/ranging/rap_hci.c b/profiles/ranging/rap_hci.c
> index 8e65e5ef8..febe23384 100644
> --- a/profiles/ranging/rap_hci.c
> +++ b/profiles/ranging/rap_hci.c
> @@ -601,7 +601,7 @@ static void parse_mode_zero_data(struct iovec
> *iov,
>  				 struct cs_mode_zero_data
> *mode_data,
>  				 uint8_t cs_role)
>  {
> -	uint32_t freq_offset;
> +	uint16_t freq_offset;
>  
>  	if (iov->iov_len < 3) {
>  		DBG("Mode 0: too short (<3)");
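
Review bot: The local freq_offset is now uint16_t, but the width and signedness of mode_data->init_measured_freq_offset, which receives it further down in parse_mode_zero_data(), cannot be checked from this patch. Please confirm the member in struct cs_mode_zero_data matches the 16-bit field, and adjust it in the same patch if it was sized for the old 32-bit read.
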
> @@ -614,7 +614,7 @@ static void parse_mode_zero_data(struct iovec
> *iov,
>  	DBG("CS Step mode 0");
>  
>  	if (cs_role == CS_INITIATOR && iov->iov_len >= 4) {
> -		util_iov_pull_le32(iov, &freq_offset);
> +		util_iov_pull_le16(iov, &freq_offset);
>  		mode_data->init_measured_freq_offset = freq_offset;
>  	}
>  }
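
Review bot: The guard iov->iov_len >= 4 on the CS_INITIATOR branch is left as it was for the 32-bit read, while util_iov_pull_le16() consumes only 2 bytes. Please size the guard for the bytes actually needed at this point, so a valid 16-bit offset is not silently skipped, or say in the commit message why 4 is still correct. Checking the return value of util_iov_pull_le16() before assigning init_measured_freq_offset would also keep the store from depending on the guard being right.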

^ permalink raw reply

* [bluez/bluez] 0b64d6: shared/rap: Add client ranging registration and no...
From: prathibhamadugonde @ 2026-06-04 11:24 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1105806
  Home:   https://github.com/bluez/bluez
  Commit: 0b64d66091079975c6b59586bd299d12ca19f809
      https://github.com/bluez/bluez/commit/0b64d66091079975c6b59586bd299d12ca19f809
  Author: Prathibha Madugonde <prathibha.madugonde@oss.qualcomm.com>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    M src/shared/rap.c
    M src/shared/rap.h

  Log Message:
  -----------
  shared/rap: Add client ranging registration and notification parsing

Read the RAS Features characteristic to determine whether the remote
device supports real-time ranging. If supported, register for real-time
characteristic notifications using the reqtracker for the CS initiator
role.

Parse incoming segmented RAS ranging data notifications by accumulating
segments via iovec and parsing complete subevent headers and CS mode 0-3
step data, including IQ/tone PCT samples, once the last segment arrives.

Changes in v2:
Removed unnecessary DBG logs and unused variables.
Use helper functions for readability and code indentation.

Changes in v5:
Fix use-after-scope in read_ras_features where a stack-local padded
buffer was referenced after leaving its scope via iov. Use get_le32
on a properly scoped buffer instead.

Add null checks for resptracker and reqtracker in HCI subevent
callbacks to prevent crashes when config complete has not yet been
received.

Fix Mode 0 frequency offset parsing: the Measured Frequency Offset
field is 16 bits per the CS spec, not 32 bits. Update
CS_MODE_ZERO_WIRE_INIT_SIZE from 7 to 5 accordingly.

Fix step mode extraction mask from 0x7F to 0x03 since CS mode is
only 2 bits (modes 0-3).

Refactor parse_mode_three to call parse_mode_one and parse_mode_two
directly, eliminating duplicated code. Similarly refactor
get_mode_three_length to use get_mode_one_length + get_mode_two_length.

Fix typo 'reflecter' to 'reflector' in comments.

Fix DBG format specifiers: use %u for uint16_t length parameters.

Remove double blank line in fill_initiator_data_from_cs_subevent_result
and add TODO comments to stub functions.



To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications

^ permalink raw reply

* [bluez/bluez] f47761: profile: Set L2CAP IMTU for OBEX profile listeners
From: github-actions[bot] @ 2026-06-04 11:25 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1105837
  Home:   https://github.com/bluez/bluez
  Commit: f47761fdd48ec82c2b5d232c1bd10235b360ab8c
      https://github.com/bluez/bluez/commit/f47761fdd48ec82c2b5d232c1bd10235b360ab8c
  Author: Wei Deng <wei.deng@oss.qualcomm.com>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    M src/profile.c

  Log Message:
  -----------
  profile: Set L2CAP IMTU for OBEX profile listeners

The default_settings entries for OBEX profiles (OPP, FTP, PBAP, MAS,
MNS) have no imtu field, so ext_start_servers() creates the L2CAP
listening socket without an explicit IMTU. This causes the socket to
advertise the L2CAP minimum of 672 bytes in L2CAP_CONFIGURATION_RSP,
limiting the peer's outgoing PDU size and degrading Rx throughput.

Add an imtu field to default_settings and set it to 32767 for all
OBEX profiles that use L2CAP. Copy the value in ext_set_defaults()
and apply it to the listening socket via bt_io_set() after
bt_io_listen() succeeds.

Signed-off-by: Wei Deng <wei.deng@oss.qualcomm.com>




^ permalink raw reply

* [bluez/bluez] d02777: build: Support libical 4.0
From: fundawang @ 2026-06-04 11:25 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1105842
  Home:   https://github.com/bluez/bluez
  Commit: d02777b690980cce8cc761b1ab040ba58e704c5e
      https://github.com/bluez/bluez/commit/d02777b690980cce8cc761b1ab040ba58e704c5e
  Author: Funda Wang <fundawang@yeah.net>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    M configure.ac

  Log Message:
  -----------
  build: Support libical 4.0

libical 4.0 split off some vcal related functions to a separate shared
library, libicalvcal. As libicalvcal depends on libical itself, first
check for libicalvcal being available, and if it fails, check for
just libical.

Closes: https://github.com/bluez/bluez/issues/2090

Tested-by: Bastien Nocera <hadess@hadess.net>




^ permalink raw reply

* [bluez/bluez] db3304: profiles/ranging: Read measured_freq_offset field-...
From: prathibhamadugonde @ 2026-06-04 11:25 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1105853
  Home:   https://github.com/bluez/bluez
  Commit: db3304369a708b9189777e2ad89026a3d384e010
      https://github.com/bluez/bluez/commit/db3304369a708b9189777e2ad89026a3d384e010
  Author: Prathibha Madugonde <prathibha.madugonde@oss.qualcomm.com>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    M profiles/ranging/rap_hci.c

  Log Message:
  -----------
  profiles/ranging: Read measured_freq_offset field-16 bit as per Core Spec

Fix in V2:
Fixed compilation issue.




^ permalink raw reply

* [bluez/bluez]
From: BluezTestBot @ 2026-06-04 11:25 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1098678
  Home:   https://github.com/bluez/bluez


^ permalink raw reply

* [bluez/bluez]
From: BluezTestBot @ 2026-06-04 11:25 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1089833
  Home:   https://github.com/bluez/bluez


^ permalink raw reply

* Re: [PATCH v2] Bluetooth: Add SPDX id lines to some source files
From: Bastien Nocera @ 2026-06-04 11:32 UTC (permalink / raw)
  To: Tim Bird, marcel, luiz.dentz, jannh, kuba, kiran.k, chharry,
	gustavo, prameela.j04cs, salvatore.benedetto, maxk
  Cc: linux-bluetooth, linux-spdx, linux-kernel
In-Reply-To: <20260604004125.715884-1-tim.bird@sony.com>

Hello Tim,

On Wed, 2026-06-03 at 18:41 -0600, Tim Bird wrote:
> Many bluetooth source files are missing SPDX-License-Identifier
> lines. Add appropriate IDs to these files, and remove other
> license lines from the headers.

I think it would be useful to separate the changes in drivers/bluetooth
and the ones in {include/,}net/bluetooth.

Why do some of the id lines use C-style comments and others C++-style
comments? (/* */ vs. //) ?

> Leave the warranty disclaimer in files where the license ID is
> GPL-2.0 but the wording of the disclaimer is slightly different
> from that of the GPL v2 disclaimer.
> 
> It is not different enough to cause licensing conflicts, but is
> kept to honor the original contributors' legal intent.

Good job doing this, do you know if there's a plan to automate this
somehow? It would be great to be able to re-run a script on top of a
codebase to verify that no sources were missed, and that we got the
same license ID assigned for the same license verbiage in the source
headers.

Cheers

^ permalink raw reply

* [PATCH] Bluetooth: btmtk: fix URB leak in alloc_mtk_intr_urb error path
From: Zhao Dongdong @ 2026-06-04 11:46 UTC (permalink / raw)
  To: matthias.bgg, angelogioacchino.delregno
  Cc: linux-bluetooth, linux-kernel, Zhao Dongdong

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

When btmtk_isopkt_pad() fails, the previously allocated URB is not freed,
leaking the urb structure. Add usb_free_urb() before returning the error.

Fixes: ceac1cb0259d ("Bluetooth: btusb: mediatek: add ISO data transmission functions")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
---
 drivers/bluetooth/btmtk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 8ff66b276af0..c29e1841b2b3 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -1074,8 +1074,10 @@ struct urb *alloc_mtk_intr_urb(struct hci_dev *hdev, struct sk_buff *skb,
 	if (!urb)
 		return ERR_PTR(-ENOMEM);
 
-	if (btmtk_isopkt_pad(hdev, skb))
+	if (btmtk_isopkt_pad(hdev, skb)) {
+		usb_free_urb(urb);
 		return ERR_PTR(-EINVAL);
+	}
 
 	pipe = usb_sndintpipe(btmtk_data->udev,
 			      btmtk_data->isopkt_tx_ep->bEndpointAddress);
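
Review bot: In the btmtk_isopkt_pad() failure branch the URB is allocated only to be freed again, and the function returns ERR_PTR(-EINVAL) whatever the helper reported. The padding call takes only hdev and skb, so consider moving it ahead of the allocation, which makes the extra cleanup branch unnecessary, and propagate the helper's error code if it returns one.
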
-- 
2.25.1


^ permalink raw reply related

* RE: [BlueZ,v2] profiles/ranging: Read measured_freq_offset field-16 bit as per Core Spec
From: bluez.test.bot @ 2026-06-04 12:00 UTC (permalink / raw)
  To: linux-bluetooth, prathibha.madugonde
In-Reply-To: <20260604100233.4193077-1-prathm@qti.qualcomm.com>


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1105853

---Test result---

Test Summary:
CheckPatch                    PASS      0.39 seconds
GitLint                       FAIL      0.28 seconds
BuildEll                      PASS      15.92 seconds
BluezMake                     PASS      493.79 seconds
CheckSmatch                   PASS      252.60 seconds
bluezmakeextell               PASS      128.51 seconds
IncrementalBuild              PASS      486.66 seconds
ScanBuild                     PASS      713.49 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v2] profiles/ranging: Read measured_freq_offset field-16 bit as per Core Spec

1: T1 Title exceeds max length (84>80): "[BlueZ,v2] profiles/ranging: Read measured_freq_offset field-16 bit as per Core Spec"


https://github.com/bluez/bluez/pull/2178

---
Regards,
Linux Bluetooth


^ permalink raw reply

* RE: [BlueZ] shared/rap: Add client ranging registration and notification parsing
From: bluez.test.bot @ 2026-06-04 12:06 UTC (permalink / raw)
  To: linux-bluetooth, prathibha.madugonde
In-Reply-To: <20260604085205.4135084-1-prathm@qti.qualcomm.com>


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1105806

---Test result---

Test Summary:
CheckPatch                    PASS      0.67 seconds
GitLint                       PASS      0.19 seconds
BuildEll                      PASS      16.38 seconds
BluezMake                     PASS      497.78 seconds
MakeCheck                     PASS      0.76 seconds
MakeDistcheck                 PASS      184.57 seconds
CheckValgrind                 PASS      157.05 seconds
CheckSmatch                   PASS      250.35 seconds
bluezmakeextell               PASS      128.31 seconds
IncrementalBuild              PASS      502.61 seconds
ScanBuild                     PASS      727.00 seconds



https://github.com/bluez/bluez/pull/2175

---
Regards,
Linux Bluetooth


^ permalink raw reply

* RE: [v3] profile: Set L2CAP IMTU for OBEX profile listeners
From: bluez.test.bot @ 2026-06-04 12:09 UTC (permalink / raw)
  To: linux-bluetooth, wei.deng
In-Reply-To: <20260604093024.3594022-1-wei.deng@oss.qualcomm.com>


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1105837

---Test result---

Test Summary:
CheckPatch                    PASS      0.36 seconds
GitLint                       PASS      0.23 seconds
BuildEll                      PASS      17.80 seconds
BluezMake                     PASS      634.83 seconds
CheckSmatch                   PASS      311.82 seconds
bluezmakeextell               PASS      166.60 seconds
IncrementalBuild              PASS      599.14 seconds
ScanBuild                     PASS      913.59 seconds



https://github.com/bluez/bluez/pull/2176

---
Regards,
Linux Bluetooth


^ permalink raw reply

* RE: [BlueZ] build: Support libical 4.0
From: bluez.test.bot @ 2026-06-04 12:18 UTC (permalink / raw)
  To: linux-bluetooth, hadess
In-Reply-To: <20260604080139.1264222-1-hadess@hadess.net>


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1105842

---Test result---

Test Summary:
CheckPatch                    PASS      0.39 seconds
GitLint                       PASS      0.30 seconds
BuildEll                      PASS      19.99 seconds
BluezMake                     PASS      598.14 seconds
MakeCheck                     PASS      18.48 seconds
MakeDistcheck                 PASS      232.81 seconds
CheckValgrind                 PASS      271.14 seconds
CheckSmatch                   PASS      321.22 seconds
bluezmakeextell               PASS      164.77 seconds
IncrementalBuild              PASS      603.55 seconds
ScanBuild                     PASS      906.29 seconds



https://github.com/bluez/bluez/pull/2177

---
Regards,
Linux Bluetooth


^ permalink raw reply

* RE: Bluetooth: btmtk: fix URB leak in alloc_mtk_intr_urb error path
From: bluez.test.bot @ 2026-06-04 12:35 UTC (permalink / raw)
  To: linux-bluetooth, winter91
In-Reply-To: <tencent_DDA5BDF30EAC58E68647B4C37D20A3C7A505@qq.com>


This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1105907

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
VerifyFixes                   PASS      0.14 seconds
VerifySignedoff               PASS      0.14 seconds
GitLint                       PASS      0.34 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      25.20 seconds
CheckAllWarning               PASS      27.98 seconds
CheckSparse                   PASS      26.29 seconds
BuildKernel32                 PASS      24.45 seconds
TestRunnerSetup               PASS      527.05 seconds
IncrementalBuild              PASS      24.45 seconds



https://github.com/bluez/bluetooth-next/pull/287

---
Regards,
Linux Bluetooth


^ permalink raw reply

* Re: [PATCH] Bluetooth: L2CAP: Fix UAF in l2cap_chan_timeout
From: Marco Elver @ 2026-06-04 12:45 UTC (permalink / raw)
  To: Luiz Augusto von Dentz
  Cc: Marcel Holtmann, linux-bluetooth, linux-kernel, kasan-dev, stable,
	Siwei Zhang, Luiz Augusto von Dentz
In-Reply-To: <CABBYNZL9tH1Tc+jbc6fJ-Y1EtX+_QUk_P3ghDmdOaXY0gdqtnQ@mail.gmail.com>

On Wed, Jun 03, 2026 at 01:31PM -0400, Luiz Augusto von Dentz wrote:
> Hi Marco,
> 
> On Wed, Jun 3, 2026 at 9:16 AM Marco Elver <elver@google.com> wrote:
> >
> > On Wed, 3 Jun 2026 at 14:31, Marco Elver <elver@google.com> wrote:
> > >
> > > l2cap_chan_timeout() accesses chan->conn without holding a reference to
> > > the connection object. If l2cap_conn_del() races and tears down the
> > > connection while the timer is waiting for locks, it can result in a
> > > use-after-free when the timer wakes up and attempts to acquire
> > > conn->lock:
> > >
> > > | BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> > > | BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> > > | BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> > > | BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> > > | Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
> > > |
> > > | CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
> > > | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
> > > | Workqueue: events l2cap_chan_timeout
> > > | Call Trace:
> > > |  <TASK>
> > > |  instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
> > > |  atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
> > > |  __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
> > > |  mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
> > > |  l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
> > > |  process_one_work kernel/workqueue.c:3326 [inline]
> > > |  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > |  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > |  kthread+0x346/0x430 kernel/kthread.c:436
> > > |  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > |  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > |  </TASK>
> > > |
> > > | Allocated by task 320:
> > > |  l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
> > > |  l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
> > > |  hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> > > |  hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> > > |  hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> > > |  hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> > > |  hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> > > |  process_one_work kernel/workqueue.c:3326 [inline]
> > > |  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > |  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > |  kthread+0x346/0x430 kernel/kthread.c:436
> > > |  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > |  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > |
> > > | Freed by task 322:
> > > |  hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
> > > |  hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
> > > |  hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
> > > |  hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
> > > |  hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
> > > |  vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
> > > |  __fput+0x369/0x890 fs/file_table.c:510
> > > |  task_work_run+0x160/0x1d0 kernel/task_work.c:233
> > > |  get_signal+0xf5b/0x1120 kernel/signal.c:2810
> > > |  arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
> > > |  __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
> > > |  exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
> > > |  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
> > > |  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
> > > |  syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
> > > |  do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
> > > |  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > > |
> > > | Last potentially related work creation:
> > > |  hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
> > > |  hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
> > > |  hci_event_func net/bluetooth/hci_event.c:7796 [inline]
> > > |  hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
> > > |  hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
> > > |  process_one_work kernel/workqueue.c:3326 [inline]
> > > |  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
> > > |  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
> > > |  kthread+0x346/0x430 kernel/kthread.c:436
> > > |  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
> > > |  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> > > |
> > > | The buggy address belongs to the object at ffff8881298d9400
> > > |  which belongs to the cache kmalloc-512 of size 512
> > > | The buggy address is located 336 bytes inside of
> > > |  freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
> > >
> > > Fix it by holding a reference to the connection when the channel timer
> > > is scheduled, and releasing it when the timer is either canceled or
> > > executes to completion.
> > >
> > > Since l2cap_chan_del() nullifies chan->conn to disassociate the channel
> > > during teardown, the timer handler might read NULL from chan->conn even
> > > if it held a reference. To address this, introduce a `timer_conn` field
> > > to `struct l2cap_chan` to store the connection pointer associated with
> > > the active timer. The timer handler uses this field to acquire locks and
> > > release the connection reference, and skips channel closing operations
> > > if chan->conn has already been nullified by teardown.
> > >
> > > Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
> > > Cc: <stable@vger.kernel.org>
> > > Cc: Siwei Zhang <oss@fourdim.xyz>
> > > Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > Assisted-by: Gemini:gemini-3.1-pro-preview
> > > Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
> > > Signed-off-by: Marco Elver <elver@google.com>
> >
> > Sigh, Sashiko points out more problems here:
> > https://sashiko.dev/#/patchset/20260603123111.2334409-1-elver%40google.com
> >
> > > Can this lockless read of chan->timer_conn cause a use-after-free or double
> > > free if another thread re-arms the timer concurrently?
> >
> > I haven't analyzed this further yet, so consider this patch a
> > bug-report-only. If anyone finds a better fix sooner, please go ahead.
> 
> I was thinking of something like the following:

I tested that and my repro didn't trigger the UAF here, but I still
think it has the same fundamental issue:

If the timer worker is preempted immediately after reading chan->conn
but before entering l2cap_conn_hold_unless_zero(), l2cap_conn_del() can
complete concurrently.

When the timer worker resumes, l2cap_conn_hold_unless_zero(conn) will
attempt to read conn->ref that has already been freed, resulting in
another UAF.

^ permalink raw reply

* Re: [PATCH] Bluetooth: L2CAP: Fix UAF in l2cap_chan_timeout
From: Luiz Augusto von Dentz @ 2026-06-04 14:10 UTC (permalink / raw)
  To: Marco Elver
  Cc: Marcel Holtmann, linux-bluetooth, linux-kernel, kasan-dev, stable,
	Siwei Zhang, Luiz Augusto von Dentz
In-Reply-To: <aiFzWTYs1ppHhnNS@elver.google.com>

Hi Marco,

On Thu, Jun 4, 2026 at 8:45 AM Marco Elver <elver@google.com> wrote:
>
> On Wed, Jun 03, 2026 at 01:31PM -0400, Luiz Augusto von Dentz wrote:
> > Hi Marco,
> >
> > On Wed, Jun 3, 2026 at 9:16 AM Marco Elver <elver@google.com> wrote:
> > >
> > > On Wed, 3 Jun 2026 at 14:31, Marco Elver <elver@google.com> wrote:
> > > >
> > > > l2cap_chan_timeout() accesses chan->conn without holding a reference to
> > > > the connection object. If l2cap_conn_del() races and tears down the
> > > > connection while the timer is waiting for locks, it can result in a
> > > > use-after-free when the timer wakes up and attempts to acquire
> > > > conn->lock:
> > > >
> > > > Fix it by holding a reference to the connection when the channel timer
> > > > is scheduled, and releasing it when the timer is either canceled or
> > > > executes to completion.
> > > >
> > > > Since l2cap_chan_del() nullifies chan->conn to disassociate the channel
> > > > during teardown, the timer handler might read NULL from chan->conn even
> > > > if it held a reference. To address this, introduce a `timer_conn` field
> > > > to `struct l2cap_chan` to store the connection pointer associated with
> > > > the active timer. The timer handler uses this field to acquire locks and
> > > > release the connection reference, and skips channel closing operations
> > > > if chan->conn has already been nullified by teardown.
> > > >
> > > > Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
> > > > Cc: <stable@vger.kernel.org>
> > > > Cc: Siwei Zhang <oss@fourdim.xyz>
> > > > Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > > Assisted-by: Gemini:gemini-3.1-pro-preview
> > > > Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
> > > > Signed-off-by: Marco Elver <elver@google.com>
> > >
> > > Sigh, Sashiko points out more problems here:
> > > https://sashiko.dev/#/patchset/20260603123111.2334409-1-elver%40google.com
> > >
> > > > Can this lockless read of chan->timer_conn cause a use-after-free or double
> > > > free if another thread re-arms the timer concurrently?
> > >
> > > I haven't analyzed this further yet, so consider this patch a
> > > bug-report-only. If anyone finds a better fix sooner, please go ahead.
> >
> > I was thinking of something like the following:
>
> I tested that and my repro didn't trigger the UAF here, but I still
> think it has the same fundamental issue:
>
> If the timer worker is preempted immediately after reading chan->conn
> but before entering l2cap_conn_hold_unless_zero(), l2cap_conn_del() can
> complete concurrently.
>
> When the timer worker resumes, l2cap_conn_hold_unless_zero(conn) will
> attempt to read conn->ref that has already been freed, resulting in
> another UAF.

I see. The window is very narrow but it is perhaps still triggerable
somehow. The only thing that comes to mind is that we would need to
take a reference of l2cap_conn with the likes of l2cap_set_timer then,
which means l2cap_chan_timeout needs to drop not only l2cap_chan but
also l2cap_conn when done, otherwise there will always be the risk of
l2cap_conn_del running while l2cap_chan_timeout is pending.

-- 
Luiz Augusto von Dentz

^ permalink raw reply
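
The lifetime rule discussed in the message above (a pending channel timer owns a reference to the connection, dropped on cancel or on expiry), as an added single-threaded userspace model in C; it is not kernel code and not part of any message in this thread. Apart from `timer_conn`, the struct and function names are simplified stand-ins, the counters are plain ints, and the model shows the reference accounting only, not the concurrent re-arm race raised in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { TIMER_UAF = -1, TIMER_SKIPPED_CLOSE = 0, TIMER_CLOSED = 1 };

struct conn { int ref; bool freed; };	/* freed stands in for kfree(conn) */

struct chan {
	int ref;
	struct conn *conn;		/* cleared by teardown */
	struct conn *timer_conn;	/* conn the pending timer will use */
	bool timer_holds_conn;		/* the timer owns a conn reference */
	bool timer_pending;
};

static void conn_put(struct conn *c)
{
	if (--c->ref == 0)
		c->freed = true;
}

/* Arm the timer; pin_conn=false models the behaviour before the fix. */
static bool chan_set_timer(struct chan *ch, bool pin_conn)
{
	if (!ch->conn || ch->timer_pending)
		return false;
	ch->ref++;
	if (pin_conn)
		ch->conn->ref++;
	ch->timer_conn = ch->conn;
	ch->timer_holds_conn = pin_conn;
	ch->timer_pending = true;
	return true;
}

/* Drop what the timer owned; shared by the cancel and the expiry path. */
static void timer_release(struct chan *ch, struct conn *c)
{
	ch->timer_pending = false;
	ch->timer_conn = NULL;
	if (ch->timer_holds_conn)
		conn_put(c);
	ch->ref--;
}

static bool chan_clear_timer(struct chan *ch)
{
	if (!ch->timer_pending)
		return false;
	timer_release(ch, ch->timer_conn);
	return true;
}

/* Teardown: detach the channel, then drop the owner's conn reference. */
static void conn_del(struct conn *c, struct chan *ch)
{
	ch->conn = NULL;
	conn_put(c);
}

/* Expiry: reach the conn through timer_conn, close only if still attached. */
static enum verdict chan_timeout(struct chan *ch)
{
	struct conn *c = ch->timer_conn;
	enum verdict v = ch->conn ? TIMER_CLOSED : TIMER_SKIPPED_CLOSE;

	if (c->freed)		/* in the kernel: a read of freed memory */
		return TIMER_UAF;
	timer_release(ch, c);
	return v;
}

/* Arm, tear the connection down, then let the timer fire. */
static enum verdict teardown_then_timeout(bool pin_conn)
{
	struct conn c = { .ref = 1 };
	struct chan ch = { .ref = 1, .conn = &c };

	chan_set_timer(&ch, pin_conn);
	conn_del(&c, &ch);
	return chan_timeout(&ch);
}

/* Arm then cancel: both counts must return to the owner's single reference. */
static bool cancel_balances_refs(void)
{
	struct conn c = { .ref = 1 };
	struct chan ch = { .ref = 1, .conn = &c };

	chan_set_timer(&ch, true);
	return chan_clear_timer(&ch) && c.ref == 1 && ch.ref == 1 && !c.freed;
}

int main(void)
{
	printf("pinned=%d unpinned=%d cancel_ok=%d\n", teardown_then_timeout(true),
	       teardown_then_timeout(false), cancel_balances_refs());
	return 0;
}
```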

* Re: [BlueZ,v2] profiles/ranging: Read measured_freq_offset field-16 bit as per Core Spec
From: Bastien Nocera @ 2026-06-04 14:36 UTC (permalink / raw)
  To: linux-bluetooth, prathibha.madugonde
In-Reply-To: <6a2168f8.a4791f72.24ac8d.29ee@mx.google.com>

On Thu, 2026-06-04 at 05:00 -0700, bluez.test.bot@gmail.com wrote:
> This is an automated email and please do not reply to this email!
> 
> Dear submitter,
> 
> Thank you for submitting the patches to the linux bluetooth mailing
> list.
> These are the CI test results for your patch series:
> PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1105853
> 
> ---Test result---
> 
> Test Summary:
> CheckPatch                    PASS      0.39 seconds
> GitLint                       FAIL      0.28 seconds
> BuildEll                      PASS      15.92 seconds
> BluezMake                     PASS      493.79 seconds
> CheckSmatch                   PASS      252.60 seconds
> bluezmakeextell               PASS      128.51 seconds
> IncrementalBuild              PASS      486.66 seconds
> ScanBuild                     PASS      713.49 seconds
> 
> Details
> ##############################
> Test: GitLint - FAIL
> Desc: Run gitlint
> Output:
> [BlueZ,v2] profiles/ranging: Read measured_freq_offset field-16 bit
> as per Core Spec
> 
> 1: T1 Title exceeds max length (84>80): "[BlueZ,v2] profiles/ranging:
> Read measured_freq_offset field-16 bit as per Core Spec"

I think that this gitlint error is wrong, and filed:
https://github.com/jorisroovers/gitlint/issues/566

Cheers

> 
> 
> https://github.com/bluez/bluez/pull/2178
> 
> ---
> Regards,
> Linux Bluetooth

^ permalink raw reply

* Re: [BlueZ PATCH v2 1/1] shared/bap: add ASE Control Point error responses
From: Luiz Augusto von Dentz @ 2026-06-04 14:56 UTC (permalink / raw)
  To: raghu447; +Cc: linux-bluetooth
In-Reply-To: <20260604052052.10667-2-raghavendra.rao@collabora.com>

Hi Raghu,

On Thu, Jun 4, 2026 at 1:21 AM raghu447 <raghavendra.rao@collabora.com> wrote:
>
> From: raghavendra <raghavendra.rao@collabora.com>
>
> Add SPE unit tests.
> These changes are required to Pass BAP/USR/SPE/BI-01[5]-C tests.
> ---
>  src/shared/bap.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++--
>  unit/test-bap.c  | 64 ++++++++++++++++++++++++++++++++++

Please split these into 2 separate commits, one for shared/bap and
another for the test-bap and add the tests in the commit description
of the second.

>  2 files changed, 152 insertions(+), 2 deletions(-)
>
> diff --git a/src/shared/bap.c b/src/shared/bap.c
> index 8fc2fb14d..edb84efca 100644
> --- a/src/shared/bap.c
> +++ b/src/shared/bap.c
> @@ -57,6 +57,11 @@
>                 (1<<BAP_DURATION_LTV_TYPE)|\
>                 (1<<BAP_FRAME_LEN_LTV_TYPE))
>
> +#define BAP_METADATA_PREF_CONTEXT_LTV_TYPE     0x01
> +#define BAP_METADATA_CONTEXT_LTV_TYPE          0x02
> +#define BAP_METADATA_PROGRAM_INFO_LTV_TYPE     0x03
> +#define BAP_METADATA_LANGUAGE_LTV_TYPE         0x04
> +
>  struct bt_bap_pac_changed {
>         unsigned int id;
>         bt_bap_pac_func_t added;
> @@ -3304,6 +3309,40 @@ static uint8_t stream_enable(struct bt_bap_stream *stream, struct iovec *meta,
>         return 0;
>  }
>
> +static bool ascs_metadata_rsp(struct bt_bap_endpoint *ep, struct iovec *meta,
> +                                                       struct iovec *rsp)
> +{
> +       struct bt_ltv *ltv;
> +       uint16_t supported_context = 0;
> +       uint16_t context;
> +
> +       if (ep->stream && ep->stream->lpac)
> +               supported_context = ep->stream->lpac->qos.supported_context;
> +
> +       ltv = meta->iov_base;
> +       if (meta->iov_len >= sizeof(*ltv) &&
> +                       (ltv->type < BAP_METADATA_PREF_CONTEXT_LTV_TYPE ||
> +                       ltv->type > BAP_METADATA_LANGUAGE_LTV_TYPE)) {
> +               ascs_ase_rsp_add(rsp, ep->id,
> +                               BT_ASCS_RSP_METADATA_UNSUPPORTED, ltv->type);
> +               return true;
> +       }
> +
> +       if (meta->iov_len >= sizeof(*ltv) + sizeof(context) &&
> +                       ltv->type == BAP_METADATA_CONTEXT_LTV_TYPE &&
> +                       ltv->len == sizeof(context) + 1) {
> +               context = get_le16(ltv->value);
> +               if (!context || (context & ~supported_context)) {
> +                       ascs_ase_rsp_add(rsp, ep->id,
> +                                       BT_ASCS_RSP_METADATA_INVALID,
> +                                       ltv->type);
> +                       return true;
> +               }
> +       }
> +
> +       return false;
> +}
> +
>  static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
>                         struct bt_ascs_enable *req, struct iovec *iov,
>                         struct iovec *rsp)
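
Review bot: ascs_metadata_rsp() only inspects the first LTV (`ltv = meta->iov_base`), so a Metadata field whose second or later entry carries an unsupported type or an invalid context value passes both checks. Walk every entry, advancing by `ltv->len + 1` and checking each step against `meta->iov_len`, and report the first offending type. The range test also treats 0x01..0x04 as the complete supported set without a comment saying where those assignments come from, so every type above BAP_METADATA_LANGUAGE_LTV_TYPE is answered with BT_ASCS_RSP_METADATA_UNSUPPORTED; confirm that is intended and document it.
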
> @@ -3335,6 +3374,9 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
>                 return 0;
>         }
>
> +       if (ascs_metadata_rsp(ep, &meta, rsp))
> +               return 0;
> +
>         if (!ep->stream) {
>                 DBG(bap, "No stream found");
>                 ascs_ase_rsp_add(rsp, ep->id,
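
Review bot: the new ascs_metadata_rsp() call in ep_enable() sits above the `if (!ep->stream)` check, and with no stream `supported_context` stays 0, so any BAP_METADATA_CONTEXT_LTV_TYPE entry with a non-zero value is answered with BT_ASCS_RSP_METADATA_INVALID before the "No stream found" path can run. Move the call below the stream check, or skip the context comparison when no lpac is available.
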
> @@ -3568,6 +3610,9 @@ static uint8_t ep_metadata(struct bt_bap_endpoint *ep,
>         meta.iov_base = util_iov_pull_mem(iov, req->len);
>         meta.iov_len = req->len;
>
> +       if (ascs_metadata_rsp(ep, &meta, rsp))
> +               return 0;
> +
>         return stream_metadata(ep->stream, &meta, rsp);
>  }
>
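
Review bot: in ep_metadata() `meta.iov_base` comes straight from `util_iov_pull_mem(iov, req->len)` and is now handed to ascs_metadata_rsp(), which dereferences it whenever `meta.iov_len >= sizeof(*ltv)`; nothing in this hunk checks that the pull succeeded. Since `req->len` is a field of the request, check the returned pointer (or that iov still holds req->len bytes) before the new call and reject the short write there.
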
> @@ -3673,6 +3718,23 @@ static struct iovec *ascs_ase_cp_rsp_new(uint8_t op)
>         return iov;
>  }
>
> +static void ascs_ase_cp_rsp_add_truncated(struct iovec *rsp)
> +{
> +       ascs_ase_rsp_add_errno(rsp, 0x00, -ENOMSG);
> +}
> +
> +static bool ascs_ase_cp_rsp_invalid_len(uint8_t op, size_t len, uint8_t num)
> +{
> +       switch (op) {
> +       case BT_ASCS_METADATA:
> +               return len == num;
> +       case BT_ASCS_RELEASE:
> +               return true;
> +       default:
> +               return false;
> +       }
> +}
> +
>  static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
>                                 unsigned int id, uint16_t offset,
>                                 const uint8_t *value, size_t len,
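
Review bot: ascs_ase_cp_rsp_invalid_len() has no comment explaining its two cases: why `len == num` marks a BT_ASCS_METADATA write as truncated, and why `case BT_ASCS_RELEASE` returns true without looking at `len` or `num`. Document the rule each case encodes and pick a name that says what a true return means, since the caller uses it to choose between a Control Point notification and BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN.
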
> @@ -3697,7 +3759,7 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
>                 return;
>         }
>
> -       if (len < sizeof(*hdr)) {
> +       if (!len) {
>                 DBG(bap, "invalid len %u < %u sizeof(*hdr)", len,
>                                                         sizeof(*hdr));
>                 gatt_db_attribute_write_result(attrib, id,
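
Review bot: the condition is now `!len`, but the DBG text under it still reads "invalid len %u < %u sizeof(*hdr)", which no longer describes this branch and duplicates the message of the `len < sizeof(*hdr)` block added right after it. Give the empty-write case its own message so the two paths can be told apart in a log.
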
> @@ -3705,9 +3767,26 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
>                 return;
>         }
>
> +       if (len < sizeof(*hdr)) {
> +               DBG(bap, "invalid len %u < %u sizeof(*hdr)", len,
> +                                                       sizeof(*hdr));
> +
> +               rsp = ascs_ase_cp_rsp_new(value[0]);
> +               ascs_ase_cp_rsp_add_truncated(rsp);
> +               ret = 0;
> +               goto respond;
> +       }
> +
>         hdr = util_iov_pull_mem(&iov, sizeof(*hdr));
>         rsp = ascs_ase_cp_rsp_new(hdr->op);
>
> +       if (!hdr->num) {
> +               DBG(bap, "invalid Number_of_ASEs 0");
> +               ascs_ase_cp_rsp_add_truncated(rsp);
> +               ret = 0;
> +               goto respond;
> +       }
> +
>         for (handler = handlers; handler && handler->str; handler++) {
>                 if (handler->op != hdr->op)
>                         continue;
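
Review bot: `ascs_ase_cp_rsp_new(value[0])` is only safe because the earlier `!len` branch returns first; add a short comment saying so, so that a later reorder does not turn it into an out-of-bounds read. The `!hdr->num` branch also answers through ascs_ase_cp_rsp_add_truncated(), although a zero Number_of_ASEs is not a truncation; a neutral helper name would fit both callers.
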
> @@ -3716,7 +3795,14 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
>                         DBG(bap, "invalid len %u < %u "
>                                   "hdr->num * handler->size", len,
>                                   hdr->num * handler->size);
> -                       ret = BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
> +
> +                       if (ascs_ase_cp_rsp_invalid_len(hdr->op, iov.iov_len,
> +                                                               hdr->num)) {
> +                               ascs_ase_cp_rsp_add_truncated(rsp);
> +                               ret = 0;
> +                       } else
> +                               ret = BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
> +
>                         goto respond;
>                 }
>
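
Review bot: the new `if` arm is braced but its `else` arm is not; brace both arms when either one needs braces. The DBG just above also prints `len` while the new helper is passed `iov.iov_len`, so the logged length is not the one the decision is based on.
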
> diff --git a/unit/test-bap.c b/unit/test-bap.c
> index 3a67e7016..e43d1d2ef 100644
> --- a/unit/test-bap.c
> +++ b/unit/test-bap.c
> @@ -4349,6 +4349,69 @@ static void test_scc_metadata(void)
>         test_usr_scc_metadata();
>  }
>
> +#define ASE_CP_RSP(_op, _ase, _code, _reason) \
> +       IOV_DATA(0x1b, CP_HND, _op, 0x01, _ase, _code, _reason)
> +
> +#define ASE_CP_RSP_TRUNCATED(_op) \
> +       IOV_DATA(0x1b, CP_HND, _op, 0xff, 0x00, 0x02, 0x00)
> +
> +#define SPE_CP_TRUNCATED(_op) \
> +       IOV_DATA(0x52, CP_HND, _op), \
> +       ASE_CP_RSP_TRUNCATED(_op)
> +
> +#define SPE_CP_ZERO_ASES(_op) \
> +       IOV_DATA(0x52, CP_HND, _op, 0x00), \
> +       ASE_CP_RSP_TRUNCATED(_op)
> +
> +#define SPE_METADATA_TRUNCATED(_ase) \
> +       IOV_DATA(0x52, CP_HND, 0x07, 0x01, _ase), \
> +       ASE_CP_RSP_TRUNCATED(0x07)
> +
> +#define SPE_METADATA_UNSUPPORTED(_ase) \
> +       SCC_SRC_ENABLE, \
> +       IOV_DATA(0x52, CP_HND, 0x07, 0x01, _ase, 0x02, 0x01, 0xfc), \
> +       ASE_CP_RSP(0x07, _ase, 0x0a, 0xfc)
> +
> +#define SPE_METADATA_INVALID_CONTEXT(_ase) \
> +       SCC_SRC_ENABLE, \
> +       IOV_DATA(0x52, CP_HND, 0x07, 0x01, _ase, 0x04, 0x03, 0x02, \
> +                       0x00, 0x10), \
> +       ASE_CP_RSP(0x07, _ase, 0x0c, 0x02)
> +
> +/* Unicast Server Rejects Invalid ASE Control Point Procedures
> + *
> + * Test Purpose:
> + * Verify the behavior of a Unicast Server IUT when a Unicast Client writes
> + * invalid ASE Control Point parameters.
> + *
> + * Pass verdict:
> + * The IUT sends a notification of the ASE Control Point characteristic with
> + * the expected Response_Code and Reason values.
> + */
> +static void test_usr_spe(void)
> +{
> +       define_test("BAP/USR/SPE/BI-01-C [USR ASE Control Point truncated]",
> +                       test_setup_server, test_server, NULL,
> +                       SPE_CP_TRUNCATED(0x03));
> +       define_test("BAP/USR/SPE/BI-02-C [USR ASE Control Point zero ASEs]",
> +                       test_setup_server, test_server, NULL,
> +                       SPE_CP_ZERO_ASES(0x03));
> +       define_test("BAP/USR/SPE/BI-03-C [USR Update Metadata truncated]",
> +                       test_setup_server, test_server, NULL,
> +                       SPE_METADATA_TRUNCATED(SRC_ID(0)));
> +       define_test("BAP/USR/SPE/BI-04-C [USR Update Metadata unsupported]",
> +                       test_setup_server, test_server, &cfg_src_enable,
> +                       SPE_METADATA_UNSUPPORTED(SRC_ID(0)));
> +       define_test("BAP/USR/SPE/BI-05-C [USR Update Metadata invalid context]",
> +                       test_setup_server, test_server, &cfg_src_enable,
> +                       SPE_METADATA_INVALID_CONTEXT(SRC_ID(0)));
> +}
> +
> +static void test_spe(void)
> +{
> +       test_usr_spe();
> +}
> +
>  #define SNK_ENABLE \
>         IOV_DATA(0x52, 0x22, 0x00, 0x03, 0x01, 0x01, 0x04, 0x03, 0x02, 0x01, \
>                         00), \
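
Review bot: every SPE_METADATA_* vector carries a single LTV, and SPE_CP_TRUNCATED and SPE_CP_ZERO_ASES are only instantiated with opcode 0x03, so neither metadata with more than one entry nor the BT_ASCS_RELEASE case of ascs_ase_cp_rsp_invalid_len() is exercised. Add a vector for each, and name the raw response codes (0x02, 0x0a, 0x0c) in a comment next to the macros so the expected Response_Code is readable.
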
> @@ -10259,6 +10322,7 @@ int main(int argc, char *argv[])
>         tester_init(&argc, &argv);
>
>         test_disc();
> +       test_spe();
>         test_scc();
>         test_bsrc_scc();
>         test_bsnk_scc();
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply

* Re: [PATCH v2] Bluetooth: Add SPDX id lines to some source files
From: Luiz Augusto von Dentz @ 2026-06-04 15:16 UTC (permalink / raw)
  To: Bastien Nocera
  Cc: Tim Bird, marcel, jannh, kuba, kiran.k, chharry, gustavo,
	prameela.j04cs, salvatore.benedetto, maxk, linux-bluetooth,
	linux-spdx, linux-kernel
In-Reply-To: <1b4540a3814b2e6106f48435df8692beaf177f8a.camel@hadess.net>

Hi Bastien,

On Thu, Jun 4, 2026 at 7:32 AM Bastien Nocera <hadess@hadess.net> wrote:
>
> Hello Tim,
>
> On Wed, 2026-06-03 at 18:41 -0600, Tim Bird wrote:
> > Many bluetooth source files are missing SPDX-License-Identifier
> > lines. Add appropriate IDs to these files, and remove other
> > license lines from the headers.
>
> I think it would be useful to separate the changes in drivers/bluetooth
> and the ones in {include/,}net/bluetooth.
>
> Why do some of the id lines use C-style comments and others C++-style
> comments? (/* */ vs. //) ?

It seems to be a common practice where on *.c it uses // and on *.h /*
*/ is used; it is consistent across other subsystems and the BlueZ
userspace tree as well.

> > Leave the warranty disclaimer in files where the license ID is
> > GPL-2.0 but the wording of the disclaimer is slightly different
> > from that of the GPL v2 disclaimer.
> >
> > It is not different enough to cause licensing conflicts, but is
> > kept to honor the original contributors' legal intent.
>
> Good job doing this, do you know if there's a plan to automate this
> somehow? It would be great to be able to re-run a script on top of a
> codebase to verify that no sources were missed, and that we got the
> same license ID assigned for the same license verbiage in the source
> headers.
>
> Cheers



-- 
Luiz Augusto von Dentz

^ permalink raw reply

* Re: [PATCH v2] Bluetooth: Add SPDX id lines to some source files
From: Luiz Augusto von Dentz @ 2026-06-04 15:28 UTC (permalink / raw)
  To: Tim Bird
  Cc: marcel, jannh, kuba, kiran.k, chharry, gustavo, prameela.j04cs,
	salvatore.benedetto, maxk, linux-bluetooth, linux-spdx,
	linux-kernel
In-Reply-To: <20260604004125.715884-1-tim.bird@sony.com>

Hi Tim,

On Wed, Jun 3, 2026 at 8:44 PM Tim Bird <tim.bird@sony.com> wrote:
>
> Many bluetooth source files are missing SPDX-License-Identifier
> lines. Add appropriate IDs to these files, and remove other
> license lines from the headers.
>
> Leave the warranty disclaimer in files where the license ID is
> GPL-2.0 but the wording of the disclaimer is slightly different
> from that of the GPL v2 disclaimer.
>
> It is not different enough to cause licensing conflicts, but is
> kept to honor the original contributors' legal intent.
>
> ---
> V1 -> V2:
>  - Leave different warranty disclaimers (which is most of them)
>  - Remove files recently removed from drivers/bluetooth from the patch
>
> Signed-off-by: Tim Bird <tim.bird@sony.com>

`git am` doesn't pick up your Signed-off-by because it is after `---`,
it seems to be considered a comment.

> ---
>  drivers/bluetooth/btrsi.c         | 12 +-----------
>  include/net/bluetooth/bluetooth.h |  5 +----
>  include/net/bluetooth/hci.h       |  5 +----
>  include/net/bluetooth/hci_core.h  |  5 +----
>  include/net/bluetooth/hci_mon.h   |  5 +----
>  include/net/bluetooth/hci_sock.h  |  5 +----
>  include/net/bluetooth/l2cap.h     |  5 +----
>  include/net/bluetooth/mgmt.h      |  5 +----
>  include/net/bluetooth/rfcomm.h    |  5 +----
>  include/net/bluetooth/sco.h       |  5 +----
>  net/bluetooth/af_bluetooth.c      |  5 +----
>  net/bluetooth/bnep/core.c         |  5 +----
>  net/bluetooth/bnep/netdev.c       |  5 +----
>  net/bluetooth/bnep/sock.c         |  5 +----
>  net/bluetooth/ecdh_helper.c       |  5 +----
>  net/bluetooth/ecdh_helper.h       |  5 +----
>  net/bluetooth/hci_conn.c          |  5 +----
>  net/bluetooth/hci_core.c          |  5 +----
>  net/bluetooth/hci_debugfs.c       |  5 +----
>  net/bluetooth/hci_debugfs.h       |  5 +----
>  net/bluetooth/hci_event.c         |  5 +----
>  net/bluetooth/hci_sock.c          |  5 +----
>  net/bluetooth/hidp/core.c         |  5 +----
>  net/bluetooth/hidp/hidp.h         |  5 +----
>  net/bluetooth/hidp/sock.c         |  5 +----
>  net/bluetooth/l2cap_core.c        |  5 +----
>  net/bluetooth/l2cap_sock.c        |  5 +----
>  net/bluetooth/lib.c               |  5 +----
>  net/bluetooth/mgmt.c              |  5 +----
>  net/bluetooth/mgmt_util.c         |  5 +----
>  net/bluetooth/mgmt_util.h         |  5 +----
>  net/bluetooth/rfcomm/core.c       |  5 +----
>  net/bluetooth/rfcomm/sock.c       |  5 +----
>  net/bluetooth/rfcomm/tty.c        |  5 +----
>  net/bluetooth/sco.c               |  5 +----
>  net/bluetooth/selftest.c          |  5 +----
>  net/bluetooth/selftest.h          |  5 +----
>  net/bluetooth/smp.c               |  5 +----
>  net/bluetooth/smp.h               |  5 +----
>  39 files changed, 39 insertions(+), 163 deletions(-)
>
> diff --git a/drivers/bluetooth/btrsi.c b/drivers/bluetooth/btrsi.c
> index c68dd2fba01c..59ad0b9b14c3 100644
> --- a/drivers/bluetooth/btrsi.c
> +++ b/drivers/bluetooth/btrsi.c
> @@ -1,17 +1,7 @@
> +// SPDX-License-Identifier: ISC
>  /*
>   * Copyright (c) 2017 Redpine Signals Inc.
>   *
> - * Permission to use, copy, modify, and/or distribute this software for any
> - * purpose with or without fee is hereby granted, provided that the above
> - * copyright notice and this permission notice appear in all copies.
> - *
> - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>   */
>  #include <linux/module.h>
>  #include <linux/kernel.h>
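
Review bot: with the permission and disclaimer lines removed, the context line ` *` after the copyright is left as an empty comment line directly before ` */`; drop it in the same hunk. This file also loses its whole "AS IS" disclaimer, while the commit message only describes keeping disclaimers in GPL-2.0 files, so state there that the ISC text was removed in full.
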
> diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
> index 3faea66b1979..b624da5026f5 100644
> --- a/include/net/bluetooth/bluetooth.h
> +++ b/include/net/bluetooth/bluetooth.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
> @@ -5,10 +6,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
> index 572b1c620c5d..a8b2e8781054 100644
> --- a/include/net/bluetooth/hci.h
> +++ b/include/net/bluetooth/hci.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
> @@ -5,10 +6,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> index aa600fbf9a53..7e15da47fe3a 100644
> --- a/include/net/bluetooth/hci_core.h
> +++ b/include/net/bluetooth/hci_core.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
> @@ -5,10 +6,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/hci_mon.h b/include/net/bluetooth/hci_mon.h
> index bbd752494ef9..4b2a0af4ed58 100644
> --- a/include/net/bluetooth/hci_mon.h
> +++ b/include/net/bluetooth/hci_mon.h
> @@ -1,12 +1,9 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>
>     Copyright (C) 2011-2012  Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/hci_sock.h b/include/net/bluetooth/hci_sock.h
> index 13e8cd4414a1..16f150b861be 100644
> --- a/include/net/bluetooth/hci_sock.h
> +++ b/include/net/bluetooth/hci_sock.h
> @@ -1,13 +1,10 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index 5172afee5494..b1039ebdf06f 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
> @@ -6,10 +7,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
> index 8234915854b6..08daed7a96d5 100644
> --- a/include/net/bluetooth/mgmt.h
> +++ b/include/net/bluetooth/mgmt.h
> @@ -1,13 +1,10 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>
>     Copyright (C) 2010  Nokia Corporation
>     Copyright (C) 2011-2012  Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
> index c05882476900..feb6b3ae5e69 100644
> --- a/include/net/bluetooth/rfcomm.h
> +++ b/include/net/bluetooth/rfcomm.h
> @@ -1,12 +1,9 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     RFCOMM implementation for Linux Bluetooth stack (BlueZ)
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>     Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/include/net/bluetooth/sco.h b/include/net/bluetooth/sco.h
> index f40ddb4264fc..214409527b35 100644
> --- a/include/net/bluetooth/sco.h
> +++ b/include/net/bluetooth/sco.h
> @@ -1,13 +1,10 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index 1a6aa3f8d4d6..bcbc11c9cb15 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -1,13 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
> index 0de5df690bd0..b18e1cf28bb4 100644
> --- a/net/bluetooth/bnep/core.c
> +++ b/net/bluetooth/bnep/core.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BNEP implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2001-2002 Inventel Systemes
> @@ -7,10 +8,6 @@
>
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/bnep/netdev.c b/net/bluetooth/bnep/netdev.c
> index cc1cff63194f..ee1e39a3daff 100644
> --- a/net/bluetooth/bnep/netdev.c
> +++ b/net/bluetooth/bnep/netdev.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BNEP implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2001-2002 Inventel Systemes
> @@ -7,10 +8,6 @@
>
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
> index 00d47bcf4d7d..f3fe818d0e4c 100644
> --- a/net/bluetooth/bnep/sock.c
> +++ b/net/bluetooth/bnep/sock.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BNEP implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2001-2002 Inventel Systemes
> @@ -6,10 +7,6 @@
>
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/ecdh_helper.c b/net/bluetooth/ecdh_helper.c
> index 0efc93fdae8a..1938e5559d88 100644
> --- a/net/bluetooth/ecdh_helper.c
> +++ b/net/bluetooth/ecdh_helper.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>   * ECDH helper functions - KPP wrappings
>   *
>   * Copyright (C) 2017 Intel Corporation
>   *
> - * This program is free software; you can redistribute it and/or modify
> - * it under the terms of the GNU General Public License version 2 as
> - * published by the Free Software Foundation;
> - *
>   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>   * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/ecdh_helper.h b/net/bluetooth/ecdh_helper.h
> index 830723971cf8..9d787d3c8797 100644
> --- a/net/bluetooth/ecdh_helper.h
> +++ b/net/bluetooth/ecdh_helper.h
> @@ -1,12 +1,9 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>   * ECDH helper functions - KPP wrappings
>   *
>   * Copyright (C) 2017 Intel Corporation
>   *
> - * This program is free software; you can redistribute it and/or modify
> - * it under the terms of the GNU General Public License version 2 as
> - * published by the Free Software Foundation;
> - *
>   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>   * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index 54eabaa46960..c335372e4062 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
> @@ -5,10 +6,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
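
Review bot: the grant paragraph is removed, but the 'THE SOFTWARE IS
PROVIDED "AS IS"' paragraph directly below it stays, so the header still
carries license text next to the new SPDX tag. Worth confirming that
keeping that paragraph verbatim is deliberate and that the same choice is
made in every file of the patch.
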
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 28d7929dc593..243d01069a91 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
> @@ -5,10 +6,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hci_debugfs.c b/net/bluetooth/hci_debugfs.c
> index 99e2e9fc70e8..0635e4641db4 100644
> --- a/net/bluetooth/hci_debugfs.c
> +++ b/net/bluetooth/hci_debugfs.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>
>     Copyright (C) 2014 Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hci_debugfs.h b/net/bluetooth/hci_debugfs.h
> index 9a8a7c93bb12..92365cbc922a 100644
> --- a/net/bluetooth/hci_debugfs.h
> +++ b/net/bluetooth/hci_debugfs.h
> @@ -1,11 +1,8 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2014 Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index eea2f810aafa..e588c744ce36 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
> @@ -5,10 +6,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
> index 0290dea081f6..c81852411250 100644
> --- a/net/bluetooth/hci_sock.c
> +++ b/net/bluetooth/hci_sock.c
> @@ -1,13 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 70344bd3248a..0e24c5e2955e 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     HIDP implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
>     Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
> index 6ef88d0a1919..959b745bb770 100644
> --- a/net/bluetooth/hidp/hidp.h
> +++ b/net/bluetooth/hidp/hidp.h
> @@ -1,11 +1,8 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     HIDP implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
> index c93aaeb3a3fa..b75bea3cf422 100644
> --- a/net/bluetooth/hidp/sock.c
> +++ b/net/bluetooth/hidp/sock.c
> @@ -1,11 +1,8 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     HIDP implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 45b175399e8d..ad2f26d935ca 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
> @@ -8,10 +9,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index c138aa4ae266..e3eda309f1b3 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
> @@ -7,10 +8,6 @@
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
> index 305044a84478..cea21a4c49a0 100644
> --- a/net/bluetooth/lib.c
> +++ b/net/bluetooth/lib.c
> @@ -1,13 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index de5bd6b637b2..a732b586979d 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -1,13 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>
>     Copyright (C) 2010  Nokia Corporation
>     Copyright (C) 2011-2012 Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
> index 4f19654d41a9..6ea107c0e054 100644
> --- a/net/bluetooth/mgmt_util.c
> +++ b/net/bluetooth/mgmt_util.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>
>     Copyright (C) 2015  Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
> index bcba8c9d8952..20810cf06e81 100644
> --- a/net/bluetooth/mgmt_util.h
> +++ b/net/bluetooth/mgmt_util.h
> @@ -1,11 +1,8 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2015  Intel Coropration
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
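
Review bot: unrelated to the license change, but the copyright context
line in this header reads "Intel Coropration". Since the header comment is
being edited anyway, a separate one-line patch could correct it to
"Corporation".
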
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index d11bd5337d57..593583c694a7 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     RFCOMM implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>     Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index bd7d959c6e9e..bb7cf98f85cf 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     RFCOMM implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>     Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
> index 91bf5274262e..4b9a699ec59b 100644
> --- a/net/bluetooth/rfcomm/tty.c
> +++ b/net/bluetooth/rfcomm/tty.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     RFCOMM implementation for Linux Bluetooth stack (BlueZ).
>     Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
>     Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
> index f1799c6a6f87..be5614a6c5ee 100644
> --- a/net/bluetooth/sco.c
> +++ b/net/bluetooth/sco.c
> @@ -1,13 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2000-2001 Qualcomm Incorporated
>
>     Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/selftest.c b/net/bluetooth/selftest.c
> index f49604d44b87..ae5b44bb9d3d 100644
> --- a/net/bluetooth/selftest.c
> +++ b/net/bluetooth/selftest.c
> @@ -1,12 +1,9 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>
>     Copyright (C) 2014 Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/selftest.h b/net/bluetooth/selftest.h
> index 2aa0a346a913..34d684ee84fd 100644
> --- a/net/bluetooth/selftest.h
> +++ b/net/bluetooth/selftest.h
> @@ -1,11 +1,8 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2014 Intel Corporation
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
> index 98f1da4f5f55..ef464568b9c7 100644
> --- a/net/bluetooth/smp.c
> +++ b/net/bluetooth/smp.c
> @@ -1,11 +1,8 @@
> +// SPDX-License-Identifier: GPL-2.0
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
> index c5da53dfab04..eac27bd541bb 100644
> --- a/net/bluetooth/smp.h
> +++ b/net/bluetooth/smp.h
> @@ -1,11 +1,8 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
>  /*
>     BlueZ - Bluetooth protocol stack for Linux
>     Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
>
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License version 2 as
> -   published by the Free Software Foundation;
> -
>     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
>     OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
>     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
> --
> 2.43.0
>
>


-- 
Luiz Augusto von Dentz

* Re: [PATCH v4 0/5] Bluetooth: btusb: fix wakeup irq devres lifetime
From: patchwork-bot+bluetooth @ 2026-06-04 15:52 UTC (permalink / raw)
  To: Johan Hovold; +Cc: luiz.dentz, marcel, linux-bluetooth, linux-kernel
In-Reply-To: <20260604063740.2595260-1-johan@kernel.org>

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu,  4 Jun 2026 08:37:35 +0200 you wrote:
> This series fixes a couple of use-after-free issues and a wakeup source
> leak on probe failure and a (currently benign) OOB wakeup interrupt
> devres lifetime issue.
> 
> Included is also a related cleanup.
> 
> Johan
> 
> [...]

Here is the summary with links:
  - [v4,1/5] Bluetooth: btusb: fix use-after-free on registration failure
    https://git.kernel.org/bluetooth/bluetooth-next/c/5cb8a65f22ed
  - [v4,2/5] Bluetooth: btusb: fix use-after-free on marvell probe failure
    https://git.kernel.org/bluetooth/bluetooth-next/c/71b6d1520ffe
  - [v4,3/5] Bluetooth: btusb: fix wakeup source leak on probe failure
    https://git.kernel.org/bluetooth/bluetooth-next/c/8c23d7dd662d
  - [v4,4/5] Bluetooth: btusb: fix wakeup irq devres lifetime
    https://git.kernel.org/bluetooth/bluetooth-next/c/4415cdce0ba4
  - [v4,5/5] Bluetooth: btusb: clean up probe error handling
    https://git.kernel.org/bluetooth/bluetooth-next/c/e8b3e4c62d8d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



* Re: [PATCH v2] Bluetooth: btintel_pcie: Add support for smart trigger dump
From: patchwork-bot+bluetooth @ 2026-06-04 15:52 UTC (permalink / raw)
  To: Kiran K
  Cc: linux-bluetooth, ravishankar.srivatsa, chethan.tumkur.narayan,
	chandrashekar.devegowda
In-Reply-To: <20260603155415.50855-1-kiran.k@intel.com>

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed,  3 Jun 2026 21:24:15 +0530 you wrote:
> Based on the debug configuration, firmware can raise MSI-X interrupt with
> firmware trigger cause bit set on specific events like Disconnection,
> Connection Timeout, Page Timeout etc.
> 
> Upon receiving an MSI-X interrupt with the firmware trigger cause bit
> set, the driver performs the following actions:
> 
> [...]

Here is the summary with links:
  - [v2] Bluetooth: btintel_pcie: Add support for smart trigger dump
    https://git.kernel.org/bluetooth/bluetooth-next/c/b08dac7cce62

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



* Re: [PATCH] Bluetooth: btmtk: fix URB leak in alloc_mtk_intr_urb error path
From: patchwork-bot+bluetooth @ 2026-06-04 15:52 UTC (permalink / raw)
  To: Zhao Dongdong
  Cc: matthias.bgg, angelogioacchino.delregno, linux-bluetooth,
	linux-kernel, zhaodongdong
In-Reply-To: <tencent_DDA5BDF30EAC58E68647B4C37D20A3C7A505@qq.com>

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu,  4 Jun 2026 19:46:40 +0800 you wrote:
> From: Zhao Dongdong <zhaodongdong@kylinos.cn>
> 
> When btmtk_isopkt_pad() fails, the previously allocated URB is not freed,
> leaking the urb structure. Add usb_free_urb() before returning the error.
> 
> Fixes: ceac1cb0259d ("Bluetooth: btusb: mediatek: add ISO data transmission functions")
> Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
> 
> [...]

Here is the summary with links:
  - Bluetooth: btmtk: fix URB leak in alloc_mtk_intr_urb error path
    https://git.kernel.org/bluetooth/bluetooth-next/c/c583e1de7ede

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



* Re: [PATCH] Bluetooth: hci_h5: reset hci_uart::priv in the close() method
From: patchwork-bot+bluetooth @ 2026-06-04 15:52 UTC (permalink / raw)
  To: Sergey Shtylyov; +Cc: marcel, luiz.dentz, linux-bluetooth
In-Reply-To: <4f997f21-786e-4745-80c1-0d6da94c0d48@auroraos.dev>

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 1 Jun 2026 23:21:30 +0300 you wrote:
> Unlike the other HCI UART drivers, the 3-wire UART driver doesn't reset
> hci_uart::priv in its close() method -- this shouldn't pose a problem as
> all the methods in *struct* hci_uart_proto should only be called after the
> open() method that sets up hci_uart::priv properly. However, it seems wise
> to be more consistent and provide for the *struct* hci_uart_proto methods
> the same state that exists before the first open() method call (so that
> they rather crash than dereference a stale hci_uart::priv pointer)...
> 
> [...]

Here is the summary with links:
  - Bluetooth: hci_h5: reset hci_uart::priv in the close() method
    https://git.kernel.org/bluetooth/bluetooth-next/c/745b685608eb

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



* Re: [PATCH v9 1/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: Siwei Zhang @ 2026-06-04 15:52 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <CABBYNZ+zZCTDqoJo4X9oqo-8gGkEXv6-Y=50oU-CVXmTztAsAA@mail.gmail.com>

Hi Luiz,

On Wed, Jun 3, 2026, at 2:17 PM, Luiz Augusto von Dentz wrote:
> Hi Siwei,
>
> On Wed, Jun 3, 2026 at 11:09 AM Siwei Zhang <oss@fourdim.xyz> wrote:
>>
>> l2cap_sock_new_connection_cb() accesses l2cap_pi(sk)->chan after
>> release_sock(parent). Once the parent lock is released, the child
>> socket sk can be freed by another task.
>>
>> Allocate the channel outside the func to prevent this.
>>
>> Fixes: 8ffb929098a5 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
>> Cc: stable@kernel.org
>> Assisted-by: Claude:claude-opus-4-8
>> Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
>> ---
>>  include/net/bluetooth/l2cap.h | 10 +++--
>>  net/bluetooth/6lowpan.c       | 31 +++++++------
>>  net/bluetooth/l2cap_core.c    | 41 ++++++++++++-----
>>  net/bluetooth/l2cap_sock.c    | 83 +++++++++++++++++++++--------------
>>  net/bluetooth/smp.c           | 17 ++++---
>>  5 files changed, 113 insertions(+), 69 deletions(-)
>>
>> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
>> index e0a1f2293679..7f5e4647f6e0 100644
>> --- a/include/net/bluetooth/l2cap.h
>> +++ b/include/net/bluetooth/l2cap.h
>> @@ -620,7 +620,9 @@ struct l2cap_chan {
>>  struct l2cap_ops {
>>         char                    *name;
>>
>> -       struct l2cap_chan       *(*new_connection) (struct l2cap_chan *chan);
>> +       int                     (*new_connection)(struct l2cap_conn *conn,
>> +                                                 struct l2cap_chan *chan,
>> +                                                 struct l2cap_chan *new_chan);
>>         int                     (*recv) (struct l2cap_chan * chan,
>>                                          struct sk_buff *skb);
>>         void                    (*teardown) (struct l2cap_chan *chan, int err);
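
Review bot: the new three-argument new_connection member has no comment at
its declaration, yet implementers now need to know that new_chan is
allocated by the core, that the callback must link it with
__l2cap_chan_add() itself, and that it returns 0 or a negative errno. That
contract is only described above l2cap_new_connection() in l2cap_core.c; a
short comment here in struct l2cap_ops would put it where callback authors
look.
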
>> @@ -884,9 +886,11 @@ static inline __u16 __next_seq(struct l2cap_chan *chan, __u16 seq)
>>         return (seq + 1) % (chan->tx_win_max + 1);
>>  }
>>
>> -static inline struct l2cap_chan *l2cap_chan_no_new_connection(struct l2cap_chan *chan)
>> +static inline int l2cap_chan_no_new_connection(struct l2cap_conn *conn,
>> +                                              struct l2cap_chan *chan,
>> +                                              struct l2cap_chan *new_chan)
>>  {
>> -       return NULL;
>> +       return -EOPNOTSUPP;
>>  }
>>
>>  static inline int l2cap_chan_no_recv(struct l2cap_chan *chan, struct sk_buff *skb)
>> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
>> index cb1e329d66fd..94863af97a44 100644
>> --- a/net/bluetooth/6lowpan.c
>> +++ b/net/bluetooth/6lowpan.c
>> @@ -624,6 +624,15 @@ static bool is_bt_6lowpan(struct hci_conn *hcon)
>>         return true;
>>  }
>>
>> +static void chan_init(struct l2cap_chan *chan)
>> +{
>> +       l2cap_chan_set_defaults(chan);
>> +
>> +       chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
>> +       chan->mode = L2CAP_MODE_LE_FLOWCTL;
>> +       chan->imtu = 1280;
>> +}
>> +
>>  static struct l2cap_chan *chan_create(void)
>>  {
>>         struct l2cap_chan *chan;
>> @@ -632,11 +641,7 @@ static struct l2cap_chan *chan_create(void)
>>         if (!chan)
>>                 return NULL;
>>
>> -       l2cap_chan_set_defaults(chan);
>> -
>> -       chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
>> -       chan->mode = L2CAP_MODE_LE_FLOWCTL;
>> -       chan->imtu = 1280;
>> +       chan_init(chan);
>>
>>         return chan;
>>  }
>> @@ -745,19 +750,19 @@ static inline void chan_ready_cb(struct l2cap_chan *chan)
>>         ifup(dev->netdev);
>>  }
>>
>> -static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
>> +static inline int chan_new_conn_cb(struct l2cap_conn *conn,
>> +                                  struct l2cap_chan *pchan,
>> +                                  struct l2cap_chan *chan)
>>  {
>> -       struct l2cap_chan *chan;
>> -
>> -       chan = chan_create();
>> -       if (!chan)
>> -               return NULL;
>> -
>> +       chan_init(chan);
>>         chan->ops = pchan->ops;
>>
>> +       /* Take the conn list reference; see l2cap_new_connection(). */
>> +       __l2cap_chan_add(conn, chan);
>> +
>>         BT_DBG("chan %p pchan %p", chan, pchan);
>>
>> -       return chan;
>> +       return 0;
>>  }
>>
>>  static void unregister_dev(struct lowpan_btle_dev *dev)
>> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
>> index c4ccfbda9d78..62acf90837fb 100644
>> --- a/net/bluetooth/l2cap_core.c
>> +++ b/net/bluetooth/l2cap_core.c
>> @@ -4007,6 +4007,31 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn,
>>         return 0;
>>  }
>>
>> +/* Allocate and initialise a channel for an incoming connection.
>> + *
>> + * ->new_connection() initialises the channel and links it into @conn with
>> + * __l2cap_chan_add(). The l2cap_chan_create() reference becomes the one owned
>> + * by the parent subsystem (l2cap_pi(sk)->chan, conn->smp or peer->chan) and is
>> + * released by its teardown callback; the conn list reference is released by
>> + * l2cap_chan_del().
>> + */
>> +static struct l2cap_chan *l2cap_new_connection(struct l2cap_conn *conn,
>> +                                              struct l2cap_chan *pchan)
>> +{
>> +       struct l2cap_chan *chan;
>> +
>> +       chan = l2cap_chan_create();
>> +       if (!chan)
>> +               return NULL;
>> +
>> +       if (pchan->ops->new_connection(conn, pchan, chan) < 0) {
>> +               l2cap_chan_put(chan);
>> +               return NULL;
>> +       }
>
> I don't quite get why we can't just place __l2cap_chan_add here
> instead of having it called by new_connection callbacks?
>

It's specifically the l2cap_sock_new_connection_cb() case - the very
use-after-free this patch fixes. The __l2cap_chan_add() has to happen while
the parent lock is still held, and only the callback holds that lock.

The reference counting on the new child chan starts at one ref, 
owned by the new socket:

	/* l2cap_new_connection() */
	chan = l2cap_chan_create();		/* refcount = 1 */
	if (!chan)
		return NULL;

	pchan->ops->new_connection(conn, pchan, chan);

and inside the socket callback:

	/* l2cap_sock_new_connection_cb() */
	lock_sock(parent);
	...
	sk = l2cap_sock_alloc(..., new_chan);	/* sk owns the chan_create ref */
	...
	l2cap_sock_init(sk, parent);

	__l2cap_chan_add(conn, new_chan);	/* (A) conn list takes a ref */
	bt_accept_enqueue(parent, sk, false);	/* (B) sk now on accept queue */

	release_sock(parent);			/* (C) parent lock dropped */
	return 0;

The moment we hit (C), sk is reachable through the parent's accept queue, so
another task can grab and tear it down:

	accept() -> l2cap_sock_kill() -> l2cap_sock_put_chan()
		chan->data = NULL;
		l2cap_chan_put(chan);		/* drops the sk's chan ref */

If __l2cap_chan_add() at (A) hadn't already taken the conn list reference,
that put would drop the last ref and free new_chan. Control then returns up
to l2cap_new_connection(), which hands the now-freed chan back to
l2cap_connect():

	/* l2cap_connect() - runs after the callback returns */
	chan = l2cap_new_connection(conn, pchan);
	if (!chan)
		goto response;
	...
	bacpy(&chan->src, &conn->hcon->src);	/* <-- UAF on freed chan */
	chan->psm  = psm;
	chan->dcid = scid;

The conn list reference taken at (A), before (C), is what keeps new_chan
alive across the release_sock() window so l2cap_connect() can keep using it.

So __l2cap_chan_add() can't move out to l2cap_new_connection(): by the time
the callback returns, the parent lock is already dropped and chan may already
be freed - which is exactly the race. It has to be taken inside the callback,
under the parent lock, before the socket is exposed.

The other callbacks (6lowpan, smp) have no equivalent lock-drop window.
I kept __l2cap_chan_add() inside all of the ->new_connection() callbacks
just to keep the "callback links the channel into conn" contract uniform.

>> +
>> +       return chan;
>> +}
>> +
>>  static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
>>                           u8 *data, u8 rsp_code)
>>  {
>> @@ -4053,7 +4078,7 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
>>                 goto response;
>>         }
>>
>> -       chan = pchan->ops->new_connection(pchan);
>> +       chan = l2cap_new_connection(conn, pchan);
>>         if (!chan)
>>                 goto response;
>>
>> @@ -4071,8 +4096,6 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
>>         chan->psm  = psm;
>>         chan->dcid = scid;
>>
>> -       __l2cap_chan_add(conn, chan);
>> -
>>         dcid = chan->scid;
>>
>>         __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
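Review bot: with `__l2cap_chan_add(conn, chan)` removed from this spot and performed inside ->new_connection(), the channel is on the conn list before `chan->psm = psm` and `chan->dcid = scid` are assigned, where previously it was linked only after them. Please state in the commit message, or in a comment at the l2cap_new_connection() call, what keeps a lookup on the conn list from observing the channel with these fields still unset.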
>> @@ -4955,7 +4978,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>>                 goto response_unlock;
>>         }
>>
>> -       chan = pchan->ops->new_connection(pchan);
>> +       chan = l2cap_new_connection(conn, pchan);
>>         if (!chan) {
>>                 result = L2CAP_CR_LE_NO_MEM;
>>                 goto response_unlock;
>> @@ -4970,8 +4993,6 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
>>         chan->omtu = mtu;
>>         chan->remote_mps = mps;
>>
>> -       __l2cap_chan_add(conn, chan);
>> -
>>         l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
>>
>>         dcid = chan->scid;
>> @@ -5179,7 +5200,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
>>                         continue;
>>                 }
>>
>> -               chan = pchan->ops->new_connection(pchan);
>> +               chan = l2cap_new_connection(conn, pchan);
>>                 if (!chan) {
>>                         result = L2CAP_CR_LE_NO_MEM;
>>                         continue;
>> @@ -5194,8 +5215,6 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
>>                 chan->omtu = mtu;
>>                 chan->remote_mps = mps;
>>
>> -               __l2cap_chan_add(conn, chan);
>> -
>>                 l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
>>
>>                 /* Init response */
>> @@ -7470,14 +7489,12 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
>>                         goto next;
>>
>>                 l2cap_chan_lock(pchan);
>> -               chan = pchan->ops->new_connection(pchan);
>> +               chan = l2cap_new_connection(conn, pchan);
>>                 if (chan) {
>>                         bacpy(&chan->src, &hcon->src);
>>                         bacpy(&chan->dst, &hcon->dst);
>>                         chan->src_type = bdaddr_src_type(hcon);
>>                         chan->dst_type = dst_type;
>> -
>> -                       __l2cap_chan_add(conn, chan);
>>                 }
>>
>>                 l2cap_chan_unlock(pchan);
>> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
>> index 025329636353..87f4c0db5c0c 100644
>> --- a/net/bluetooth/l2cap_sock.c
>> +++ b/net/bluetooth/l2cap_sock.c
>> @@ -46,7 +46,8 @@ static struct bt_sock_list l2cap_sk_list = {
>>  static const struct proto_ops l2cap_sock_ops;
>>  static void l2cap_sock_init(struct sock *sk, struct sock *parent);
>>  static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>> -                                    int proto, gfp_t prio, int kern);
>> +                                    int proto, gfp_t prio, int kern,
>> +                                    struct l2cap_chan *chan);
>>  static void l2cap_sock_cleanup_listen(struct sock *parent);
>>
>>  bool l2cap_is_socket(struct socket *sock)
>> @@ -1287,6 +1288,23 @@ static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
>>         return err;
>>  }
>>
>> +/* Release the sock's ref on chan and clear the pointer so that the ref is
>> + * dropped exactly once even if both l2cap_sock_kill() and
>> + * l2cap_sock_destruct() run. Setting chan->data to NULL first stops any other
>> + * task from dereferencing the now-dead sock pointer.
>> + */
>> +static void l2cap_sock_put_chan(struct sock *sk)
>> +{
>> +       struct l2cap_chan *chan = l2cap_pi(sk)->chan;
>> +
>> +       if (!chan)
>> +               return;
>> +
>> +       chan->data = NULL;
>> +       l2cap_pi(sk)->chan = NULL;
>> +       l2cap_chan_put(chan);
>> +}
>> +
>>  /* Kill socket (only if zapped and orphan)
>>   * Must be called on unlocked socket, with l2cap channel lock.
>>   */
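Review bot: the comment on l2cap_sock_put_chan() promises the ref is dropped exactly once, but the `if (!chan)` test and the `l2cap_pi(sk)->chan = NULL` store are plain accesses with no lock or atomic exchange. Please name in the comment what serialises l2cap_sock_kill() against l2cap_sock_destruct() for the same sk, or use an exchange on the pointer, so the guarantee does not rest on an unstated assumption.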
>> @@ -1297,13 +1315,9 @@ static void l2cap_sock_kill(struct sock *sk)
>>
>>         BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
>>
>> -       /* Sock is dead, so set chan data to NULL, avoid other task use invalid
>> -        * sock pointer.
>> -        */
>> -       l2cap_pi(sk)->chan->data = NULL;
>> -       /* Kill poor orphan */
>> +       l2cap_sock_put_chan(sk);
>>
>> -       l2cap_chan_put(l2cap_pi(sk)->chan);
>> +       /* Kill poor orphan */
>>         sock_set_flag(sk, SOCK_DEAD);
>>         sock_put(sk);
>>  }
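Review bot: l2cap_sock_kill() is documented just above as being called with the l2cap channel lock held, and after this change its l2cap_sock_put_chan(sk) drops the only reference the sock holds, since the extra l2cap_chan_hold() in l2cap_sock_alloc() is removed elsewhere in this patch. Before, the reference released in l2cap_sock_destruct() kept chan valid past this point. Please confirm that every caller holds its own reference across the call so that the later unlock cannot touch a freed chan, and that nothing dereferences l2cap_pi(sk)->chan between kill and destruct now that it is NULL there.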
>> @@ -1546,12 +1560,14 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
>>         }
>>  }
>>
>> -static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>> +static int l2cap_sock_new_connection_cb(struct l2cap_conn *conn,
>> +                                       struct l2cap_chan *chan,
>> +                                       struct l2cap_chan *new_chan)
>>  {
>>         struct sock *sk, *parent = chan->data;
>>
>>         if (!parent)
>> -               return NULL;
>> +               return -EINVAL;
>>
>>         lock_sock(parent);
>>
>> @@ -1559,25 +1575,33 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
>>         if (sk_acceptq_is_full(parent)) {
>>                 BT_DBG("backlog full %d", parent->sk_ack_backlog);
>>                 release_sock(parent);
>> -               return NULL;
>> +               return -ENOBUFS;
>>         }
>>
>>         sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
>> -                             GFP_ATOMIC, 0);
>> +                             GFP_ATOMIC, 0, new_chan);
>>         if (!sk) {
>>                 release_sock(parent);
>> -               return NULL;
>> -        }
>> +               return -ENOMEM;
>> +       }
>>
>>         bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
>>
>>         l2cap_sock_init(sk, parent);
>>
>> +       /* Link the channel into conn before exposing the new socket via the
>> +        * accept queue. Once release_sock() below drops the parent lock the
>> +        * socket may be freed by another task, dropping its reference on
>> +        * new_chan; the conn list reference taken here keeps new_chan alive so
>> +        * the caller can safely use it after ->new_connection() returns.
>> +        */
>> +       __l2cap_chan_add(conn, new_chan);
>> +
>>         bt_accept_enqueue(parent, sk, false);
>>
>>         release_sock(parent);
>>
>> -       return l2cap_pi(sk)->chan;
>> +       return 0;
>>  }
>>
>>  static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
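Review bot: the error returns in l2cap_sock_new_connection_cb() (-ENOBUFS and -ENOMEM in this hunk) leave new_chan untouched while the success path hands its reference to the new sock, but that ownership rule is not written down anywhere in the hunk. A sentence in the comment or in the ->new_connection() documentation saying that on a non-zero return the caller still owns new_chan and must put it would make the contract checkable. The `-        }` to `+       }` whitespace fix is unrelated and would sit better in a separate patch.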
>> @@ -1874,10 +1898,7 @@ static void l2cap_sock_destruct(struct sock *sk)
>>
>>         BT_DBG("sk %p", sk);
>>
>> -       if (l2cap_pi(sk)->chan) {
>> -               l2cap_pi(sk)->chan->data = NULL;
>> -               l2cap_chan_put(l2cap_pi(sk)->chan);
>> -       }
>> +       l2cap_sock_put_chan(sk);
>>
>>         list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
>>                 kfree_skb(rx_busy->skb);
>> @@ -1978,10 +1999,10 @@ static struct proto l2cap_proto = {
>>  };
>>
>>  static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>> -                                    int proto, gfp_t prio, int kern)
>> +                                    int proto, gfp_t prio, int kern,
>> +                                    struct l2cap_chan *chan)
>>  {
>>         struct sock *sk;
>> -       struct l2cap_chan *chan;
>>
>>         sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
>>         if (!sk)
>> @@ -1992,16 +2013,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
>>
>>         INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
>>
>> -       chan = l2cap_chan_create();
>> -       if (!chan) {
>> -               sk_free(sk);
>> -               if (sock)
>> -                       sock->sk = NULL;
>> -               return NULL;
>> -       }
>> -
>> -       l2cap_chan_hold(chan);
>> -
>> +       /* The sock takes ownership of the caller's reference on chan. */
>>         l2cap_pi(sk)->chan = chan;
>>
>>         return sk;
>> @@ -2011,6 +2023,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
>>                              int kern)
>>  {
>>         struct sock *sk;
>> +       struct l2cap_chan *chan;
>>
>>         BT_DBG("sock %p", sock);
>>
>> @@ -2025,10 +2038,16 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
>>
>>         sock->ops = &l2cap_sock_ops;
>>
>> -       sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
>> -       if (!sk)
>> +       chan = l2cap_chan_create();
>> +       if (!chan)
>>                 return -ENOMEM;
>>
>> +       sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern, chan);
>> +       if (!sk) {
>> +               l2cap_chan_put(chan);
>> +               return -ENOMEM;
>> +       }
>> +
>>         l2cap_sock_init(sk, NULL);
>>         bt_sock_link(&l2cap_sk_list, sk);
>>         return 0;
>> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
>> index 1739c1989dbd..2d31c3c7bbc0 100644
>> --- a/net/bluetooth/smp.c
>> +++ b/net/bluetooth/smp.c
>> @@ -3204,16 +3204,12 @@ static const struct l2cap_ops smp_chan_ops = {
>>         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
>>  };
>>
>> -static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
>> +static inline int smp_new_conn_cb(struct l2cap_conn *conn,
>> +                                 struct l2cap_chan *pchan,
>> +                                 struct l2cap_chan *chan)
>>  {
>> -       struct l2cap_chan *chan;
>> -
>>         BT_DBG("pchan %p", pchan);
>>
>> -       chan = l2cap_chan_create();
>> -       if (!chan)
>> -               return NULL;
>> -
>>         chan->chan_type = pchan->chan_type;
>>         chan->ops       = &smp_chan_ops;
>>         chan->scid      = pchan->scid;
>> @@ -3229,9 +3225,12 @@ static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
>>          */
>>         atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
>>
>> -       BT_DBG("created chan %p", chan);
>> +       /* Take the conn list reference; see l2cap_new_connection(). */
>> +       __l2cap_chan_add(conn, chan);
>>
>> -       return chan;
>> +       BT_DBG("initialised chan %p", chan);
>> +
>> +       return 0;
>>  }
>>
>>  static const struct l2cap_ops smp_root_chan_ops = {
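Review bot: the new comment before `__l2cap_chan_add(conn, chan)` points to l2cap_new_connection() for the reason, yet the explanation given in this thread is that the SMP callback has no lock-drop window and the call lives here only to keep the callback contract uniform. Saying that directly in the comment would stop a later reader from assuming a race exists on this path.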
>> --
>> 2.54.0
>>
>
>
> -- 
> Luiz Augusto von Dentz

Best,
Siwei

^ permalink raw reply

