Linux bluetooth development
* [PATCH v2 2/7] wifi: ath11k: enable support for WCN6851
From: Dmitry Baryshkov @ 2026-06-08  6:59 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth,
	Bartosz Golaszewski
In-Reply-To: <20260608-sm8350-wifi-v2-0-efb68f1ff04c@oss.qualcomm.com>

The WCN6851, found e.g. on SM8350 platforms, is an earlier version of
the WCN6855 platform. It identifies itself as hw1.1. Copy the WCN6855 hw 2.0
configuration to support the hw1.1 version.

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath11k/core.c | 92 ++++++++++++++++++++++++++++++++++
 drivers/net/wireless/ath/ath11k/core.h |  1 +
 drivers/net/wireless/ath/ath11k/mhi.c  |  1 +
 drivers/net/wireless/ath/ath11k/pci.c  |  9 ++++
 drivers/net/wireless/ath/ath11k/pcic.c | 11 ++++
 5 files changed, 114 insertions(+)

diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 8dacc878c006..78a226ca081c 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -393,6 +393,98 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
 		.cfr_num_stream_bufs = 0,
 		.cfr_stream_buf_size = 0,
 	},
+	{
+		.name = "wcn6855 hw1.1",
+		.hw_rev = ATH11K_HW_WCN6855_HW11,
+		.fw = {
+			.dir = "WCN6855/hw1.1",
+			.board_size = 256 * 1024,
+			.cal_offset = 128 * 1024,
+		},
+		.max_radios = 3,
+		.bdf_addr = 0x4B0C0000,
+		.hw_ops = &wcn6855_ops,
+		.ring_mask = &ath11k_hw_ring_mask_qca6390,
+		.internal_sleep_clock = true,
+		.regs = &wcn6855_regs,
+		.qmi_service_ins_id = ATH11K_QMI_WLFW_SERVICE_INS_ID_V01_QCA6390,
+		.host_ce_config = ath11k_host_ce_config_qca6390,
+		.ce_count = 9,
+		.target_ce_config = ath11k_target_ce_config_wlan_qca6390,
+		.target_ce_count = 9,
+		.svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qca6390,
+		.svc_to_ce_map_len = 14,
+		.ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
+		.single_pdev_only = true,
+		.rxdma1_enable = false,
+		.num_rxdma_per_pdev = 2,
+		.rx_mac_buf_ring = true,
+		.vdev_start_delay = true,
+		.htt_peer_map_v2 = false,
+
+		.spectral = {
+			.fft_sz = 0,
+			.fft_pad_sz = 0,
+			.summary_pad_sz = 0,
+			.fft_hdr_len = 0,
+			.max_fft_bins = 0,
+			.fragment_160mhz = false,
+		},
+
+		.interface_modes = BIT(NL80211_IFTYPE_STATION) |
+					BIT(NL80211_IFTYPE_AP) |
+					BIT(NL80211_IFTYPE_P2P_DEVICE) |
+					BIT(NL80211_IFTYPE_P2P_CLIENT) |
+					BIT(NL80211_IFTYPE_P2P_GO),
+		.supports_monitor = false,
+		.full_monitor_mode = false,
+		.supports_shadow_regs = true,
+		.idle_ps = true,
+		.supports_sta_ps = true,
+		.coldboot_cal_mm = false,
+		.coldboot_cal_ftm = false,
+		.cbcal_restart_fw = false,
+		.fw_mem_mode = 0,
+		.num_vdevs = 4,
+		.num_peers = 512,
+		.supports_suspend = true,
+		.hal_desc_sz = sizeof(struct hal_rx_desc_wcn6855),
+		.supports_regdb = true,
+		.fix_l1ss = false,
+		.credit_flow = true,
+		.hal_params = &ath11k_hw_hal_params_qca6390,
+		.supports_dynamic_smps_6ghz = false,
+		.alloc_cacheable_memory = false,
+		.supports_rssi_stats = true,
+		.fw_wmi_diag_event = true,
+		.current_cc_support = true,
+		.dbr_debug_support = false,
+		.global_reset = true,
+		.bios_sar_capa = &ath11k_hw_sar_capa_wcn6855,
+		.m3_fw_support = true,
+		.fixed_bdf_addr = false,
+		.fixed_mem_region = false,
+		.static_window_map = false,
+		.hybrid_bus_type = false,
+		.fixed_fw_mem = false,
+		.support_off_channel_tx = true,
+		.supports_multi_bssid = true,
+
+		.sram_dump = {
+			.start = 0x01400000,
+			.end = 0x0177ffff,
+		},
+
+		.tcl_ring_retry = true,
+		.tx_ring_size = DP_TCL_DATA_RING_SIZE,
+		.smp2p_wow_exit = false,
+		.support_fw_mac_sequence = true,
+		.support_dual_stations = true,
+		.pdev_suspend = false,
+		.cfr_support = false,
+		.cfr_num_stream_bufs = 0,
+		.cfr_stream_buf_size = 0,
+	},
 	{
 		.name = "wcn6855 hw2.0",
 		.hw_rev = ATH11K_HW_WCN6855_HW20,
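
Review bot: the commit message says this entry copies the hw2.0 configuration, but neither the message nor the hunk says which of the fields were actually checked on hw1.1 hardware (for instance .bdf_addr = 0x4B0C0000, the .sram_dump range, and .fw.dir = "WCN6855/hw1.1"). Please note in the commit message what was verified and where the WCN6855/hw1.1 firmware is expected to come from. The .name string also says "wcn6855 hw1.1" while the subject says WCN6851, which deserves a one-line comment next to the entry.
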
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index a0d725923ef2..29727ee94bfc 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -147,6 +147,7 @@ enum ath11k_hw_rev {
 	ATH11K_HW_QCA6390_HW20,
 	ATH11K_HW_IPQ6018_HW10,
 	ATH11K_HW_QCN9074_HW10,
+	ATH11K_HW_WCN6855_HW11,
 	ATH11K_HW_WCN6855_HW20,
 	ATH11K_HW_WCN6855_HW21,
 	ATH11K_HW_WCN6750_HW10,
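
Review bot: ATH11K_HW_WCN6855_HW11 is inserted in the middle of enum ath11k_hw_rev, which renumbers ATH11K_HW_WCN6855_HW20 and every value after it. The tables touched in this patch carry an explicit .hw_rev field, which suggests lookup by value, but please confirm that nothing indexes an array by hw_rev or exposes the numeric value outside the driver.
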
diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
index a6c9ff112c68..c94546c367a7 100644
--- a/drivers/net/wireless/ath/ath11k/mhi.c
+++ b/drivers/net/wireless/ath/ath11k/mhi.c
@@ -393,6 +393,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
 		ath11k_mhi_config = &ath11k_mhi_config_qcn9074;
 		break;
 	case ATH11K_HW_QCA6390_HW20:
+	case ATH11K_HW_WCN6855_HW11:
 	case ATH11K_HW_WCN6855_HW20:
 	case ATH11K_HW_WCN6855_HW21:
 	case ATH11K_HW_QCA2066_HW21:
diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
index 35bb9e7a63a2..dc1dfd219d88 100644
--- a/drivers/net/wireless/ath/ath11k/pci.c
+++ b/drivers/net/wireless/ath/ath11k/pci.c
@@ -1031,6 +1031,15 @@ static int ath11k_pci_probe(struct pci_dev *pdev,
 		ath11k_pci_read_hw_version(ab, &soc_hw_version_major,
 					   &soc_hw_version_minor);
 		switch (soc_hw_version_major) {
+		case 1:
+			switch (soc_hw_version_minor) {
+			case 0x10:
+				ab->hw_rev = ATH11K_HW_WCN6855_HW11;
+				break;
+			default:
+				goto unsupported_wcn6855_soc;
+			}
+			break;
 		case 2:
 			switch (soc_hw_version_minor) {
 			case 0x00:
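
Review bot: in the new "case 1:" branch, minor 0x10 is mapped to ATH11K_HW_WCN6855_HW11 with no explanation of why a register minor of 0x10 corresponds to what the driver calls hw1.1. A short comment above "case 0x10:" would help, and the commit message could state whether other major-1 minors exist and are deliberately sent to unsupported_wcn6855_soc.
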
diff --git a/drivers/net/wireless/ath/ath11k/pcic.c b/drivers/net/wireless/ath/ath11k/pcic.c
index fc6e7da05c60..0f4dc05cc5b5 100644
--- a/drivers/net/wireless/ath/ath11k/pcic.c
+++ b/drivers/net/wireless/ath/ath11k/pcic.c
@@ -86,6 +86,17 @@ static const struct ath11k_msi_config ath11k_msi_config[] = {
 		},
 		.hw_rev = ATH11K_HW_QCN9074_HW10,
 	},
+	{
+		.total_vectors = 32,
+		.total_users = 4,
+		.users = (struct ath11k_msi_user[]) {
+			{ .name = "MHI", .num_vectors = 3, .base_vector = 0 },
+			{ .name = "CE", .num_vectors = 10, .base_vector = 3 },
+			{ .name = "WAKE", .num_vectors = 1, .base_vector = 13 },
+			{ .name = "DP", .num_vectors = 18, .base_vector = 14 },
+		},
+		.hw_rev = ATH11K_HW_WCN6855_HW11,
+	},
 	{
 		.total_vectors = 32,
 		.total_users = 4,
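
Review bot: the new ath11k_msi_config entry for ATH11K_HW_WCN6855_HW11 repeats its values instead of sharing them, and the following entry in the context starts with the same total_vectors = 32 and total_users = 4. The vector ranges are self-consistent (3 + 10 + 1 + 18 = 32, with bases 0, 3, 13, 14), but if the layout is identical to an existing revision, say so in the commit message, since a later change to one copy will not reach the other.
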

-- 
2.47.3



* [PATCH v2 1/7] PCI: qcom: fix parsing of PERST# in the legacy case
From: Dmitry Baryshkov @ 2026-06-08  6:59 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260608-sm8350-wifi-v2-0-efb68f1ff04c@oss.qualcomm.com>

Commit deed8aec62dc ("PCI: qcom: Handle mixed PERST#/PHY DT
configuration") fixed support for the "mixed" platforms which declare
the PERST# pin in the RC node and the PHY in the RP node; however, it also
broke support for a majority of existing platforms, which declare both
PERST# and PHY in the RC node, because now PERST# is first acquired in
qcom_pcie_parse_ports(), which then returns -ENODEV (as there are no
PHYs in the RP nodes). Later qcom_pcie_parse_legacy_binding() tries to
acquire the PERST# GPIO again and fails with -EBUSY (as the GPIO has
already been requested).

Move parsing of RC's perst-gpios to qcom_pcie_probe(), making it obvious
that it's shared for both cases and skip parsing it in both functions.

Fixes: deed8aec62dc ("PCI: qcom: Handle mixed PERST#/PHY DT configuration")
Closes: https://lore.kernel.org/r/gieaybsg2ckxpctvqj77nlwu7utama2yeyvebkonmexsxrra3v@v3fobqasxnmy/
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
 drivers/pci/controller/dwc/pcie-qcom.c | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
index 11fc60489892..7664c7c28c0e 100644
--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
@@ -1907,15 +1907,6 @@ static int qcom_pcie_parse_ports(struct qcom_pcie *pcie)
 	struct device *dev = pcie->pci->dev;
 	int ret = -ENODEV;
 
-	if (of_find_property(dev->of_node, "perst-gpios", NULL)) {
-		pcie->reset = devm_gpiod_get_optional(dev, "perst",
-						      GPIOD_OUT_HIGH);
-		if (IS_ERR(pcie->reset))
-			return PTR_ERR(pcie->reset);
-
-		dev_warn(dev, "Reusing PERST# from Root Complex node. DT needs to be fixed!\n");
-	}
-
 	for_each_available_child_of_node_scoped(dev->of_node, of_port) {
 		if (!of_node_is_type(of_port, "pci"))
 			continue;
@@ -1942,7 +1933,6 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
 	struct device *dev = pcie->pci->dev;
 	struct qcom_pcie_perst *perst;
 	struct qcom_pcie_port *port;
-	struct gpio_desc *reset;
 	struct phy *phy;
 	int ret;
 
@@ -1950,10 +1940,6 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
 	if (IS_ERR(phy))
 		return PTR_ERR(phy);
 
-	reset = devm_gpiod_get_optional(dev, "perst", GPIOD_OUT_HIGH);
-	if (IS_ERR(reset))
-		return PTR_ERR(reset);
-
 	ret = phy_init(phy);
 	if (ret)
 		return ret;
@@ -1970,7 +1956,7 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
 	INIT_LIST_HEAD(&port->list);
 	list_add_tail(&port->list, &pcie->ports);
 
-	perst->desc = reset;
+	perst->desc = pcie->reset;
 	INIT_LIST_HEAD(&port->perst);
 	INIT_LIST_HEAD(&perst->list);
 	list_add_tail(&perst->list, &port->perst);
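
Review bot: "perst->desc = pcie->reset;" now depends on pcie->reset being NULL when the RC node has no perst-gpios property, because the probe-time lookup is skipped in that case, whereas the removed devm_gpiod_get_optional() call returned NULL explicitly. Please confirm that struct qcom_pcie is zero-initialised at allocation, or assign pcie->reset = NULL explicitly in qcom_pcie_probe() when the property is absent.
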
@@ -2107,6 +2093,15 @@ static int qcom_pcie_probe(struct platform_device *pdev)
 
 	pp->ops = &qcom_pcie_dw_ops;
 
+	if (of_find_property(dev->of_node, "perst-gpios", NULL)) {
+		pcie->reset = devm_gpiod_get_optional(dev, "perst",
+						      GPIOD_OUT_HIGH);
+		if (IS_ERR(pcie->reset))
+			return PTR_ERR(pcie->reset);
+
+		dev_warn(dev, "Reusing PERST# from Root Complex node. DT needs to be updated!\n");
+	}
+
 	ret = qcom_pcie_parse_ports(pcie);
 	if (ret) {
 		if (ret != -ENODEV) {
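
Review bot: the dev_warn() moved into qcom_pcie_probe() now fires for every platform with perst-gpios in the RC node, including the legacy binding that the commit message describes as a majority of existing platforms; the removed legacy code acquired the GPIO without any warning. If that is not intended, emit the warning only when qcom_pcie_parse_ports() succeeds with the RC-level GPIO in use. The string also changed from "needs to be fixed" to "needs to be updated" without mention, and the direct "return PTR_ERR(pcie->reset);" should be checked against whatever cleanup probe needs at this point.
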

-- 
2.47.3



* [PATCH v2 0/7] arm64: dts: qcom: enable WiFi/BT on SM8350 HDK
From: Dmitry Baryshkov @ 2026-06-08  6:59 UTC (permalink / raw)
  To: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio
  Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
	devicetree, Bartosz Golaszewski, linux-bluetooth,
	Bartosz Golaszewski

The SM8350 HDK has an onboard WCN6851 WiFi/BT chip, which for a long
time was not supported. Bring up different pieces required to enable
this SoC.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Changes in v2:
- Bumped num_vdevs to 4 to follow other similar devices (Jeff)
- Link to v1: https://patch.msgid.link/20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com

---
Dmitry Baryshkov (7):
      PCI: qcom: fix parsing of PERST# in the legacy case
      wifi: ath11k: enable support for WCN6851
      regulator: dt-bindings: qcom,qca6390-pmu: document WCN6851
      dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
      arm64: dts: qcom: sm8350: expand UART18 to 4 pins config
      arm64: dts: qcom: sm8350: modernize PCIe entries
      arm64: dts: qcom: sm8350-hdk: describe WiFi/BT chip

 .../bindings/net/bluetooth/qcom,wcn6855-bt.yaml    |   8 +-
 .../bindings/regulator/qcom,qca6390-pmu.yaml       |   4 +
 arch/arm64/boot/dts/qcom/sm8350-hdk.dts            | 142 ++++++++++++++++++++-
 arch/arm64/boot/dts/qcom/sm8350.dtsi               |  14 +-
 drivers/net/wireless/ath/ath11k/core.c             |  92 +++++++++++++
 drivers/net/wireless/ath/ath11k/core.h             |   1 +
 drivers/net/wireless/ath/ath11k/mhi.c              |   1 +
 drivers/net/wireless/ath/ath11k/pci.c              |   9 ++
 drivers/net/wireless/ath/ath11k/pcic.c             |  11 ++
 drivers/pci/controller/dwc/pcie-qcom.c             |  25 ++--
 10 files changed, 275 insertions(+), 32 deletions(-)
---
base-commit: 6e845bcb78c95af935094040bd4edc3c2b6dd784
change-id: 20260531-sm8350-wifi-3b0659bc183a

Best regards,
--  
With best wishes
Dmitry



* [bluez/bluez]
From: BluezTestBot @ 2026-06-08  1:59 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1091848
  Home:   https://github.com/bluez/bluez


* Re: [PATCH] Bluetooth: btmtk: Fix MT7925 WMT command timeout due to sleep protection
From: Danny Messina @ 2026-06-07 14:46 UTC (permalink / raw)
  To: Chris Lu (陸稚泓)
  Cc: luiz.dentz@gmail.com, SS Wu (巫憲欣),
	marcel@holtmann.org, linux-bluetooth@vger.kernel.org,
	Peter Tsao (曹珆彰)
In-Reply-To: <d5e35fb7ea067f1e66ade131db0f64d1021499f2.camel@mediatek.com>

Hi Chris,

Thanks -- I retested on v7.1-rc and the WMT command timeout no longer
reproduces.

Test setup:
  - Kernel: 7.1.0-rc6 (Fedora, 7.1.0-0.rc6.260604g...fc45)
  - HW: MT7925 (RZ717), BT iface USB 0e8d:0717
  - Firmware build time: 20260414
  - BlueZ: 5.86

Previously (6.18.7) setup failed with -110 on the wmt patch download
and "Execution of wmt command timed out". On 7.1.0-rc6 none of those
appear; hci0 completes setup (AOSP v1.00, MGMT 1.23), bluetoothd runs,
and an MX Ergo S Plus paired and works as a BT HID device. mt7925e
Wi-Fi associates and scans on the same boot.

Your change resolves the timeout, so I'll withdraw my patch as
superseded.

Thanks,
Danny


* RE: [v1] Bluetooth: btintel_pcie: Load IOSF debug regs by controller variant
From: bluez.test.bot @ 2026-06-07  6:40 UTC (permalink / raw)
  To: linux-bluetooth, kiran.k
In-Reply-To: <20260607062117.110893-1-kiran.k@intel.com>

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1107196

---Test result---

Test Summary:
CheckPatch                    PASS      0.99 seconds
VerifyFixes                   PASS      0.07 seconds
VerifySignedoff               PASS      0.07 seconds
GitLint                       PASS      0.21 seconds
SubjectPrefix                 PASS      0.07 seconds
BuildKernel                   PASS      26.37 seconds
CheckAllWarning               PASS      28.88 seconds
CheckSparse                   PASS      27.39 seconds
BuildKernel32                 PASS      25.69 seconds
TestRunnerSetup               PASS      572.88 seconds
IncrementalBuild              PASS      24.74 seconds



https://github.com/bluez/bluetooth-next/pull/291

---
Regards,
Linux Bluetooth



* [PATCH v1] Bluetooth: btintel_pcie: Load IOSF debug regs by controller variant
From: Kiran K @ 2026-06-07  6:21 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: ravishankar.srivatsa, chethan.tumkur.narayan,
	chandrashekar.devegowda, aluvala.sai.teja, Kiran K

From: Sai Teja Aluvala <aluvala.sai.teja@intel.com>

Load the IOSF DBGC base address based on the controller hardware
variant when reading DRAM buffers during a trace dump. Scorpius
Peak family controllers (SCP/SCP2/SCP2F) use a different DBGC base
address (0xf0d5d500) than Blazar family controllers (BZRI/BZRIW,
0xf3800300).

Fixes: 07e6bddb54b4 ("Bluetooth: btintel_pcie: Add support for device coredump")
Signed-off-by: Sai Teja Aluvala <aluvala.sai.teja@intel.com>
Signed-off-by: Kiran K <kiran.k@intel.com>
---
 drivers/bluetooth/btintel.h      |  1 +
 drivers/bluetooth/btintel_pcie.c | 30 ++++++++++++++++++++++++------
 drivers/bluetooth/btintel_pcie.h |  4 ++++
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/drivers/bluetooth/btintel.h b/drivers/bluetooth/btintel.h
index 7cce1bdebae0..37d93abdd5a3 100644
--- a/drivers/bluetooth/btintel.h
+++ b/drivers/bluetooth/btintel.h
@@ -78,6 +78,7 @@ struct intel_tlv {
 #define BTINTEL_HWID_BZRU	0x1d	/* BlazarU - Meteor Lake */
 #define BTINTEL_HWID_SCP	0x1f	/* Scorpius Peak - Panther Lake */
 #define BTINTEL_HWID_SCP2	0x20	/* Scorpius Peak2 - Nova Lake */
+#define BTINTEL_HWID_SCP2F	0x21	/* Scorpius Peak2-F - Nova Lake */
 #define BTINTEL_HWID_BZRIW	0x22	/* BlazarIW - Wildcat Lake */
 
 extern const guid_t btintel_guid_dsm;
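
Review bot: BTINTEL_HWID_SCP2F (0x21) is a new hardware ID introduced in a patch that carries a Fixes: tag, and the commit message only mentions SCP2F in passing. Consider adding the ID in a separate preparatory patch so the fix itself stays minimal for backporting. The comment also repeats "Nova Lake" from SCP2, so say what distinguishes the -F variant if it matters to the driver.
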
diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 2baef130d101..845cfacd9294 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -654,9 +654,10 @@ static void *btintel_pcie_copy_tlv(void *dest, enum btintel_pcie_tlv_type type,
 static int btintel_pcie_read_dram_buffers(struct btintel_pcie_data *data)
 {
 	u32 offset, prev_size, wr_ptr_status, dump_size, data_len;
+	u32 status_reg, wrap_reg;
 	struct btintel_pcie_dbgc *dbgc = &data->dbgc;
 	struct hci_dev *hdev = data->hdev;
-	u8 *pdata, *p, buf_idx;
+	u8 *pdata, *p, buf_idx, hw_variant;
 	struct intel_tlv *tlv;
 	struct timespec64 now;
 	struct tm tm_now;
@@ -669,7 +670,28 @@ static int btintel_pcie_read_dram_buffers(struct btintel_pcie_data *data)
 		return -EOPNOTSUPP;
 
 
-	wr_ptr_status = btintel_pcie_rd_dev_mem(data, BTINTEL_PCIE_DBGC_CUR_DBGBUFF_STATUS);
+	hw_variant = INTEL_HW_VARIANT(data->cnvi);
+	switch (hw_variant) {
+	case BTINTEL_HWID_BZRI:
+	case BTINTEL_HWID_BZRIW:
+		status_reg = BTINTEL_PCIE_DBGC_CUR_DBGBUFF_STATUS;
+		wrap_reg = BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND;
+		break;
+	case BTINTEL_HWID_SCP:
+	case BTINTEL_HWID_SCP2:
+	case BTINTEL_HWID_SCP2F:
+		status_reg = BTINTEL_PCIE_DBGC_CUR_DBGBUFF_STATUS_SCP;
+		wrap_reg = BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND_SCP;
+		break;
+	default:
+		bt_dev_err(hdev, "Unsupported Intel hardware variant (0x%2.2x)",
+			   hw_variant);
+		return -EINVAL;
+	}
+
+	wr_ptr_status = btintel_pcie_rd_dev_mem(data, status_reg);
+	data->dmp_hdr.wrap_ctr = btintel_pcie_rd_dev_mem(data, wrap_reg);
+
 	offset = wr_ptr_status & BTINTEL_PCIE_DBG_OFFSET_BIT_MASK;
 
 	buf_idx = BTINTEL_PCIE_DBGC_DBG_BUF_IDX(wr_ptr_status);
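
Review bot: the "default:" branch makes btintel_pcie_read_dram_buffers() return -EINVAL for any variant other than BZRI, BZRIW, SCP, SCP2 and SCP2F, where the old code read the Blazar registers unconditionally. btintel.h in this same patch lists BTINTEL_HWID_BZRU; if a variant such as that can reach this function it now loses its trace dump, so either add the missing cases or state in the commit message that rejecting them is deliberate. The double blank line left before "hw_variant = ..." could be dropped while touching this code.
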
@@ -751,10 +773,6 @@ static int btintel_pcie_read_dram_buffers(struct btintel_pcie_data *data)
 				  sizeof(data->dmp_hdr.write_ptr));
 	p = btintel_pcie_copy_tlv(p, BTINTEL_WRAP_CTR, &data->dmp_hdr.wrap_ctr,
 				  sizeof(data->dmp_hdr.wrap_ctr));
-
-	data->dmp_hdr.wrap_ctr = btintel_pcie_rd_dev_mem(data,
-							 BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND);
-
 	p = btintel_pcie_copy_tlv(p, BTINTEL_TRIGGER_REASON, &data->dmp_hdr.trigger_reason,
 				  sizeof(data->dmp_hdr.trigger_reason));
 	p = btintel_pcie_copy_tlv(p, BTINTEL_FW_SHA, &data->dmp_hdr.fw_git_sha1,
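
Review bot: the commit message does not mention that this removal also fixes an ordering problem: the BTINTEL_WRAP_CTR TLV was copied from data->dmp_hdr.wrap_ctr immediately before that field was read from the device, so the dump carried a stale value. That change is independent of the per-variant base address; please describe it in the commit message or split it into its own patch so the Fixes: tag clearly covers it.
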
diff --git a/drivers/bluetooth/btintel_pcie.h b/drivers/bluetooth/btintel_pcie.h
index cae84b00a700..e4a8fa479188 100644
--- a/drivers/bluetooth/btintel_pcie.h
+++ b/drivers/bluetooth/btintel_pcie.h
@@ -68,6 +68,10 @@
 #define BTINTEL_PCIE_DBGC_CUR_DBGBUFF_STATUS		(BTINTEL_PCIE_DBGC_BASE_ADDR + 0x1C)
 #define BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND		(BTINTEL_PCIE_DBGC_BASE_ADDR + 0x2C)
 
+#define BTINTEL_PCIE_DBGC_BASE_ADDR_SCP			(0xf0d5d500)
+#define BTINTEL_PCIE_DBGC_CUR_DBGBUFF_STATUS_SCP	(BTINTEL_PCIE_DBGC_BASE_ADDR_SCP + 0x1C)
+#define BTINTEL_PCIE_DBGC_DBGBUFF_WRAP_ARND_SCP		(BTINTEL_PCIE_DBGC_BASE_ADDR_SCP + 0x2C)
+
 #define BTINTEL_PCIE_DBG_IDX_BIT_MASK		0x0F
 #define BTINTEL_PCIE_DBGC_DBG_BUF_IDX(data)	(((data) >> 24) & BTINTEL_PCIE_DBG_IDX_BIT_MASK)
 #define BTINTEL_PCIE_DBG_OFFSET_BIT_MASK	0xFFFFFF
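
Review bot: the three new _SCP macros duplicate the 0x1C and 0x2C offsets of the existing Blazar definitions, so each further DBGC register or controller family will need another parallel set. Consider defining the register offsets once and selecting only the base address per variant in btintel_pcie_read_dram_buffers(). The parentheses around the bare literal in BTINTEL_PCIE_DBGC_BASE_ADDR_SCP are also unnecessary.
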
-- 
2.54.0



* [bluetooth-next:master] BUILD SUCCESS ae283ad45b1d1a906b3b1701ce2c28716379f056
From: kernel test robot @ 2026-06-07  0:57 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
branch HEAD: ae283ad45b1d1a906b3b1701ce2c28716379f056  Bluetooth: Add SPDX id lines to some source files

elapsed time: 3091m

configs tested: 193
configs skipped: 4

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


* [BUG] KASAN: slab-use-after-free in rfcomm_security_cfm
From: Bai, Shuangpeng @ 2026-06-07  0:56 UTC (permalink / raw)
  To: marcel@holtmann.org, luiz.dentz@gmail.com
  Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Kernel Maintainers,

I hit the following KASAN report while testing current upstream kernel:

KASAN: slab-use-after-free in rfcomm_security_cfm

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds delays and print statements.

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/ab3bd255f7f73a6b2bcf64de5c834c10

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[  102.584461][ T4448] ==================================================================
[  102.585392][ T4448] BUG: KASAN: slab-use-after-free in rfcomm_security_cfm (./include/linux/instrumented.h:112 ./include/asm-generic/bitops/instrumented-atomic.h:85 net/bluetooth/rfcomm/core.c:2161)
[  102.586293][ T4448] Write of size 8 at addr ffff88811b6b4678 by task kworker/u11:1/4448
[  102.587178][ T4448]
[  102.587488][ T4448] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.587493][ T4448] Workqueue: hci0 hci_rx_work
[  102.587527][ T4448] Call Trace:
[  102.587536][ T4448]  <TASK>
[  102.587542][ T4448]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[  102.587559][ T4448]  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[  102.587589][ T4448]  kasan_report (mm/kasan/report.c:595)
[  102.587599][ T4448]  kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[  102.587604][ T4448]  rfcomm_security_cfm (./include/linux/instrumented.h:112 ./include/asm-generic/bitops/instrumented-atomic.h:85 net/bluetooth/rfcomm/core.c:2161)
[  102.587660][ T4448]  hci_encrypt_cfm (./include/net/bluetooth/hci_core.h:2215)
[  102.587671][ T4448]  hci_encrypt_change_evt (net/bluetooth/hci_event.c:3689)
[  102.587679][ T4448]  hci_event_packet (net/bluetooth/hci_event.c:7796 net/bluetooth/hci_event.c:7847)
[  102.587716][ T4448]  hci_rx_work (net/bluetooth/hci_core.c:4077)
[  102.587721][ T4448]  process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[  102.587734][ T4448]  worker_thread (kernel/workqueue.c:3478)
[  102.587745][ T4448]  kthread (kernel/kthread.c:436)
[  102.587767][ T4448]  ret_from_fork (arch/x86/kernel/process.c:158)
[  102.587789][ T4448]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[  102.587795][ T4448]  </TASK>
[  102.587797][ T4448]
[  102.610751][ T4448] Freed by task 2678 on cpu 1 at 102.524678s:
[  102.611389][ T4448]  kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[  102.611908][ T4448]  kasan_save_free_info (mm/kasan/generic.c:584)
[  102.612458][ T4448]  __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[  102.612968][ T4448]  kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[  102.613403][ T4448]  __rfcomm_dlc_close (net/bluetooth/rfcomm/core.c:329 ./include/net/bluetooth/rfcomm.h:257 net/bluetooth/rfcomm/core.c:350 net/bluetooth/rfcomm/core.c:498)
[  102.613919][ T4448]  rfcomm_run (net/bluetooth/rfcomm/core.c:? net/bluetooth/rfcomm/core.c:2048 net/bluetooth/rfcomm/core.c:2131)
[  102.614395][ T4448]  kthread (kernel/kthread.c:436)
[  102.614402][ T4448]  ret_from_fork (arch/x86/kernel/process.c:158)
[  102.614407][ T4448]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[  102.614412][ T4448]
[  102.614414][ T4448] The buggy address belongs to the object at ffff88811b6b4600
[  102.614414][ T4448]  which belongs to the cache kmalloc-256 of size 256
[  102.617515][ T4448] The buggy address is located 120 bytes inside of
[  102.617515][ T4448]  freed 256-byte region [ffff88811b6b4600, ffff88811b6b4700)


Best,
Shuangpeng



* [Bug 221521] Bluetooth: btusb/mt7921 - Failed to send wmt func ctrl (-22) on MediaTek MT7921 combo adapter
From: bugzilla-daemon @ 2026-06-06 23:29 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <bug-221521-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=221521

--- Comment #16 from Solarized (p@atiq.xyz) ---
* pertinent kernel module on this device is 'mt7925e'

```plain
$ modinfo mt7925e
filename:       /lib/modules/6.18.7-76061807-generic/kernel/drivers/net/wireless/mediatek/mt76/mt7925/mt7925e.ko.zst
license:        Dual BSD/GPL
description:    MediaTek MT7925E (PCIe) wireless driver
author:         Lorenzo Bianconi <lorenzo@kernel.org>
author:         Deren Wu <deren.wu@mediatek.com>
firmware:       mediatek/mt7925/WIFI_MT7925_PATCH_MCU_1_1_hdr.bin
firmware:       mediatek/mt7925/WIFI_RAM_CODE_MT7925_1_1.bin
srcversion:     A85F45784A6D298A162C62A
alias:          pci:v000014C3d00000717sv*sd*bc*sc*i*
alias:          pci:v000014C3d00007925sv*sd*bc*sc*i*
depends:        mt792x-lib,mt76-connac-lib,mt76,mt7925-common
intree:         Y
name:           mt7925e
retpoline:      Y
vermagic:       6.18.7-76061807-generic SMP preempt mod_unload modversions
```

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.


* [Bug 221521] Bluetooth: btusb/mt7921 - Failed to send wmt func ctrl (-22) on MediaTek MT7921 combo adapter
From: bugzilla-daemon @ 2026-06-06 23:25 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <bug-221521-62941@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=221521

Solarized (p@atiq.xyz) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |p@atiq.xyz

--- Comment #15 from Solarized (p@atiq.xyz) ---
repros on kernel 7.0.9 on Asus ProArt 7606WV (has mediatek wireless chip)

if you peek into the kernel log using `journalctl` you will find this:

```plain
Jun 06 13:19:30 kernel: cs35l56-hda i2c-CSC3556:00-cs35l56-hda.0: DSP1: cirrus/cs35l56-b0-dsp1-misc-10431e63-spkid1-amp1.bin (v1): v3.11.16
Jun 06 13:19:30 kernel: cs35l56-hda i2c-CSC3556:00-cs35l56-hda.0: DSP1: misc: C:\Users\gchen\Desktop\Asus_proj\CY24\MP\H7606W\240830\init\10431E63_240830_V1_A0-init.bin
Jun 06 13:19:30 kernel: Bluetooth: hci0: Failed to send wmt func ctrl (-22)
Jun 06 13:19:30 kernel: Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
Jun 06 13:19:30 kernel: zram0: detected capacity change from 0 to 33554432
Jun 06 13:19:30 kernel: cs35l56-hda i2c-CSC3556:00-cs35l56-hda.1: Calibration applied
Jun 06 13:19:30 kernel: cs35l56-hda i2c-CSC3556:00-cs35l56-hda.0: Calibration applied
Jun 06 13:19:30 kernel: cs35l56-hda i2c-CSC3556:00-cs35l56-hda.1: Tuning PID: 0x531116, SID: 0x201104, TID: 0x3c8830
Jun 06 13:19:30 kernel: cs35l56-hda i2c-CSC3556:00-cs35l56-hda.0: Tuning PID: 0x531116, SID: 0x201004, TID: 0x3c8830
Jun 06 13:19:31 kernel: NVRM: testIfDsmSubFunctionEnabled: GPS ACPI DSM called before _acpiDsmSupportedFuncCacheInit subfunction = 10.
Jun 06 13:19:31 kernel: NVRM: testIfDsmSubFunctionEnabled: GPS ACPI DSM called before _acpiDsmSupportedFuncCacheInit subfunction = 11.
Jun 06 13:19:31 kernel: [drm] Initialized nvidia-drm 0.0.0 for 0000:64:00.0 on minor 1
```
which indicates a broken Bluetooth MediaTek driver.


And the service log shows the following:

```plain
$ journalctl --boot --unit bluetooth.service
Jun 06 13:19:29 systemd[1]: Starting bluetooth.service - Bluetooth service...
Jun 06 13:19:29 (uetoothd)[1329]: bluetooth.service: ConfigurationDirectory 'bluetooth' already exists but the mode is different. (File system: 755 ConfigurationDirectoryMode: 555)
Jun 06 13:19:29 bluetoothd[1329]: Bluetooth daemon 5.72
Jun 06 13:19:29 bluetoothd[1329]: Starting SDP server
Jun 06 13:19:29 bluetoothd[1329]: src/plugin.c:plugin_init() System does not support csip plugin
Jun 06 13:19:29 bluetoothd[1329]: profiles/audio/micp.c:micp_init() D-Bus experimental not enabled
Jun 06 13:19:29 bluetoothd[1329]: src/plugin.c:plugin_init() System does not support micp plugin
Jun 06 13:19:29 bluetoothd[1329]: src/plugin.c:plugin_init() System does not support vcp plugin
Jun 06 13:19:29 bluetoothd[1329]: src/plugin.c:plugin_init() System does not support mcp plugin
Jun 06 13:19:29 bluetoothd[1329]: src/plugin.c:plugin_init() System does not support bass plugin
Jun 06 13:19:29 bluetoothd[1329]: src/plugin.c:plugin_init() System does not support bap plugin
Jun 06 13:19:29 bluetoothd[1329]: Bluetooth management interface 1.23 initialized
Jun 06 13:19:29 systemd[1]: Started bluetooth.service - Bluetooth service.
```

Related:
- https://lore.kernel.org/all/81bcf9fd-2f07-4fc6-be90-da4e448379e4@leemhuis.info/
- https://www.reddit.com/r/linuxhardware/comments/1tfn5ev/mediatek_mt7921_bluetooth_not_initializing/


* RE: [net-next] net/bluetooth/bnep: Use strscpy() to copy device name
From: bluez.test.bot @ 2026-06-06 21:21 UTC (permalink / raw)
  To: linux-bluetooth, david.laight.linux
In-Reply-To: <20260606202633.5018-26-david.laight.linux@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 552 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/bnep/core.c:639
error: net/bluetooth/bnep/core.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth



* [PATCH net-next] net/bluetooth/bnep: Use strscpy() to copy device name
From: david.laight.linux @ 2026-06-06 20:26 UTC (permalink / raw)
  To: Kees Cook, linux-hardening, Arnd Bergmann, linux-bluetooth,
	linux-kernel
  Cc: Luiz Augusto von Dentz, Marcel Holtmann, David Laight

From: David Laight <david.laight.linux@gmail.com>

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
This is one of a group of patches that remove potentially unbounded
strcpy() calls.

They are mostly replaced by strscpy() or, when strlen() has just been
called, with memcpy() (usually including the '\0').

Calls that copy string literals into arrays are left unchanged.
They are safe and easily detected as such.

The changes were made by getting the compiler to detect the calls and
then fixing the code by hand.

Note that all the changes are only compile tested.

Some Makefiles were changed to allow files to contain strcpy().
As well as 'difficult to fix' files, this included 'show' functions
as they really need to use sysfs_emit() or seq_printf().

All the patches are being sent individually to avoid very long cc lists.
Apologies for the terse commit messages and likely unexpected tags.
(There are about 100 patches in total.)

 net/bluetooth/bnep/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index d44987d4515c..1e14fa1e886a 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -639,7 +639,7 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
 	}
 
 	up_write(&bnep_session_sem);
-	strcpy(req->device, dev->name);
+	strscpy(req->device, dev->name);
 	return 0;
 
 failed:
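Review bot: The return value of strscpy(req->device, dev->name) in bnep_add_connection() is discarded, so if the destination were ever smaller than the source the name would be truncated silently where the old strcpy() would have overrun. If the two buffers are the same size, say so in the changelog. As posted the commit message has no body at all (only the From: and Signed-off-by: lines precede the --- marker, and the explanatory text below it is dropped when the patch is applied), so please move a sentence above the marker stating the sizes of req->device and dev->name and why truncation cannot happen or is acceptable. Note also that strscpy() does not pad the bytes after the terminator, and nothing in this hunk shows req->device being cleared first; if the tail of the buffer matters to the caller, strscpy_pad() is the form to use.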
@@ -678,7 +678,7 @@ static void __bnep_copy_ci(struct bnep_conninfo *ci, struct bnep_session *s)
 
 	memset(ci, 0, sizeof(*ci));
 	memcpy(ci->dst, s->eh.h_source, ETH_ALEN);
-	strcpy(ci->device, s->dev->name);
+	strscpy(ci->device, s->dev->name);
 	ci->flags = s->flags & valid_flags;
 	ci->state = s->state;
 	ci->role  = s->role;
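Review bot: In __bnep_copy_ci() the memset(ci, 0, sizeof(*ci)) two lines above the copy already zero-fills the destination, so the non-padding strscpy(ci->device, s->dev->name) leaves no stale bytes after the terminator and no strscpy_pad() is needed here; that is worth one line in the changelog, because the first hunk has no such memset in view. The two-argument strscpy() form only builds when the destination is a char array rather than a pointer, so the compile test mentioned in the notes does cover that, but the return value is still ignored and the changelog should state why truncation of s->dev->name is not a concern.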
-- 
2.39.5



* Re: [syzbot] [mm?] upstream test error: WARNING in call_timer_fn
From: Andrew Morton @ 2026-06-06 20:06 UTC (permalink / raw)
  To: syzbot
  Cc: jannh, liam, linux-kernel, linux-mm, ljs, pfalcato,
	syzkaller-bugs, vbabka, Marcel Holtmann, Luiz Augusto von Dentz,
	linux-bluetooth
In-Reply-To: <6a246fb8.c25708ab.1b19ef.0009.GAE@google.com>

On Sat, 06 Jun 2026 12:06:32 -0700 syzbot <syzbot+8b331cede7bfea7c674c@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    ba3e43a9e601 Merge tag 'soc-fixes-7.1-2' of git://git.kern..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12180f2e580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b4166e8ea5fbf7e3
> dashboard link: https://syzkaller.appspot.com/bug?extid=8b331cede7bfea7c674c
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Thanks.

> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ba3e43a9.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/721f1d5136ec/vmlinux-ba3e43a9.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ff33eef1aaee/bzImage-ba3e43a9.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8b331cede7bfea7c674c@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> workqueue: cannot queue hci_cmd_timeout on wq hci0

Looks like a bluetooth thing.  Cc's added.

> WARNING: kernel/workqueue.c:2298 at __queue_work+0xd3f/0x1040 kernel/workqueue.c:2296, CPU#0: syz-executor/5425
> Modules linked in:
> CPU: 0 UID: 0 PID: 5425 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:__queue_work+0xd67/0x1040 kernel/workqueue.c:2296
> Code: a6 0e 49 8d 7d 18 48 89 f8 48 c1 e8 03 42 80 3c 20 00 74 05 e8 7a 7b a5 00 49 8b 75 18 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef
> RSP: 0000:ffffc90000007bd8 EFLAGS: 00010082
> RAX: 1ffff1100259b94e RBX: 0000000000000008 RCX: ffff8880336a2540
> RDX: ffff888041425170 RSI: ffffffff8a9c7e10 RDI: ffffffff90334eb0
> RBP: 0000000000000100 R08: ffffffff90304ff7 R09: 1ffffffff20609fe
> R10: dffffc0000000000 R11: ffffffff818d37e0 R12: dffffc0000000000
> R13: ffff888012cdca58 R14: ffffffff90334eb0 R15: ffff888041425170
> FS:  0000000000000000(0000) GS:ffff88808c891000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2fa63fff CR3: 0000000012c0c000 CR4: 0000000000352ef0
> Call Trace:
>  <IRQ>
>  call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
>  expire_timers kernel/time/timer.c:1794 [inline]
>  __run_timers kernel/time/timer.c:2374 [inline]
>  __run_timer_base+0x67e/0x8b0 kernel/time/timer.c:2386
>  run_timer_base kernel/time/timer.c:2395 [inline]
>  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2405
>  handle_softirqs+0x22a/0x840 kernel/softirq.c:622
>  __do_softirq kernel/softirq.c:656 [inline]
>  invoke_softirq kernel/softirq.c:496 [inline]
>  __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735
>  irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
>  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
> RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:97 [inline]
> RIP: 0010:memory_is_nonzero mm/kasan/generic.c:115 [inline]
> RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:140 [inline]
> RIP: 0010:memory_is_poisoned mm/kasan/generic.c:172 [inline]
> RIP: 0010:check_region_inline mm/kasan/generic.c:191 [inline]
> RIP: 0010:kasan_check_range+0x90/0x2c0 mm/kasan/generic.c:200
> Code: 03 48 bb 01 00 00 00 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83 fc 10 7f 29 4d 85 e4 0f 84 3d 01 00 00 4c 89 cb 48 f7 d3 <4c> 01 fb 41 80 3b 00 0f 85 9e 01 00 00 49 ff c3 48 ff c3 75 ee e9
> RSP: 0000:ffffc9000e2bf240 EFLAGS: 00000202
> RAX: 1ffff92001c57e01 RBX: e00006dffe3a8187 RCX: ffffffff8176f0e3
> RDX: 0000000000000001 RSI: 0000000000000010 RDI: ffffc9000e2bf3b8
> RBP: 0000000000000000 R08: ffffc9000e2bf3c7 R09: 1ffff92001c57e78
> R10: dffffc0000000000 R11: fffff52001c57e77 R12: 0000000000000002
> R13: 1ffff92001c57e6f R14: fffff52001c57e79 R15: 1ffff92001c57e77
>  __asan_memset+0x22/0x50 mm/kasan/shadow.c:84
>  unwind_next_frame+0xf33/0x2550 arch/x86/kernel/unwind_orc.c:621
>  arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
>  stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
>  kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
>  kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
>  __call_rcu_common kernel/rcu/tree.c:3131 [inline]
>  call_rcu+0xee/0x890 kernel/rcu/tree.c:3251
>  slab_free_hook mm/slub.c:2653 [inline]
>  slab_free mm/slub.c:6251 [inline]
>  kmem_cache_free+0x462/0x650 mm/slub.c:6378
>  tear_down_vmas+0x312/0x520 mm/mmap.c:1262
>  exit_mmap+0x4b6/0x9e0 mm/mmap.c:1320
>  __mmput+0x118/0x430 kernel/fork.c:1178
>  exit_mm+0x1f6/0x2d0 kernel/exit.c:582
>  do_exit+0x6a2/0x22c0 kernel/exit.c:964
>  do_group_exit+0x21b/0x2d0 kernel/exit.c:1119
>  get_signal+0x1284/0x1330 kernel/signal.c:3037
>  arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
>  __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
>  exit_to_user_mode_loop+0xa9/0x680 kernel/entry/common.c:98
>  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
>  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
>  syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
>  do_syscall_64+0x353/0x580 arch/x86/entry/syscall_64.c:100
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f328ef57fd7
> Code: Unable to access opcode bytes at 0x7f328ef57fad.
> RSP: 002b:00007ffd7ad34110 EFLAGS: 00000202 ORIG_RAX: 000000000000003d
> RAX: fffffffffffffe00 RBX: 0000555594d02500 RCX: 00007f328ef57fd7
> RDX: 0000000040000000 RSI: 00007ffd7ad3416c RDI: ffffffffffffffff
> RBP: 00007ffd7ad3416c R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd7ad341e8
> R13: 0000000000000002 R14: 00007ffd7ad343c8 R15: 0000000000000000
>  </TASK>
> ----------------
> Code disassembly (best guess), 2 bytes skipped:
>    0:	49 8d 7d 18          	lea    0x18(%r13),%rdi
>    4:	48 89 f8             	mov    %rdi,%rax
>    7:	48 c1 e8 03          	shr    $0x3,%rax
>    b:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
>   10:	74 05                	je     0x17
>   12:	e8 7a 7b a5 00       	call   0xa57b91
>   17:	49 8b 75 18          	mov    0x18(%r13),%rsi
>   1b:	49 81 c7 70 01 00 00 	add    $0x170,%r15
>   22:	4c 89 f7             	mov    %r14,%rdi
>   25:	4c 89 fa             	mov    %r15,%rdx
> * 28:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
>   2d:	4c 89 e8             	mov    %r13,%rax
>   30:	48 c1 e8 03          	shr    $0x3,%rax
>   34:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
>   39:	74 08                	je     0x43
>   3b:	4c 89 ef             	mov    %r13,%rdi
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup


* [bluez/bluez]
From: BluezTestBot @ 2026-06-06 20:02 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1091217
  Home:   https://github.com/bluez/bluez

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications


* [bluez/bluez]
From: BluezTestBot @ 2026-06-06 18:55 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1091197
  Home:   https://github.com/bluez/bluez


* [bluez/bluez]
From: BluezTestBot @ 2026-06-06 17:46 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1091167
  Home:   https://github.com/bluez/bluez


* RE: btio: handle error from broadcast ISO socket
From: bluez.test.bot @ 2026-06-06  8:48 UTC (permalink / raw)
  To: linux-bluetooth, michal.dzik
In-Reply-To: <20260606060348.2240980-2-michal.dzik@streamunlimited.com>

[-- Attachment #1: Type: text/plain, Size: 989 bytes --]

This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1106927

---Test result---

Test Summary:
CheckPatch                    PASS      0.96 seconds
GitLint                       PASS      0.66 seconds
BuildEll                      PASS      20.29 seconds
BluezMake                     PASS      604.91 seconds
MakeCheck                     PASS      18.76 seconds
MakeDistcheck                 PASS      232.77 seconds
CheckValgrind                 PASS      274.45 seconds
CheckSmatch                   PASS      323.78 seconds
bluezmakeextell               PASS      166.77 seconds
IncrementalBuild              PASS      609.87 seconds
ScanBuild                     PASS      923.71 seconds



https://github.com/bluez/bluez/pull/2182

---
Regards,
Linux Bluetooth



* [bluez/bluez] 1f6555: btio: handle error from broadcast ISO socket
From: mdzik-sue @ 2026-06-06  7:54 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1106927
  Home:   https://github.com/bluez/bluez
  Commit: 1f6555cda23c7e438bb3374f6a3669c396497b0e
      https://github.com/bluez/bluez/commit/1f6555cda23c7e438bb3374f6a3669c396497b0e
  Author: Michal Dzik <michal.dzik@streamunlimited.com>
  Date:   2026-06-06 (Sat, 06 Jun 2026)

  Changed paths:
    M btio/btio.c

  Log Message:
  -----------
  btio: handle error from broadcast ISO socket

If not handled, server_cb() will be stuck in endless loop of calling
accept() on the socket.


  Commit: 71d8d36535836f3bfd01736f3fca81d0c703b26a
      https://github.com/bluez/bluez/commit/71d8d36535836f3bfd01736f3fca81d0c703b26a
  Author: Michal Dzik <michal.dzik@streamunlimited.com>
  Date:   2026-06-06 (Sat, 06 Jun 2026)

  Changed paths:
    M profiles/audio/bap.c

  Log Message:
  -----------
  bap: log errors in BIG sync


Compare: https://github.com/bluez/bluez/compare/1f6555cda23c%5E...71d8d3653583


* [PATCH BlueZ 1/2] btio: handle error from broadcast ISO socket
From: Michal Dzik @ 2026-06-06  6:03 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Michal Dzik
In-Reply-To: <20260606060348.2240980-1-michal.dzik@streamunlimited.com>

If not handled, server_cb() will be stuck in endless loop of calling
accept() on the socket.
---
 btio/btio.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/btio/btio.c b/btio/btio.c
index cfaa9392d..39d4411f7 100644
--- a/btio/btio.c
+++ b/btio/btio.c
@@ -252,6 +252,26 @@ static gboolean server_cb(GIOChannel *io, GIOCondition cond,
 
 	srv_sock = g_io_channel_unix_get_fd(io);
 
+	if (cond & G_IO_ERR) {
+		int err, sk_err;
+		socklen_t len = sizeof(sk_err);
+
+		if (getsockopt(srv_sock, SOL_SOCKET, SO_ERROR, &sk_err, &len)
+									< 0)
+			err = errno;
+		else
+			err = sk_err;
+
+		if (server->connect) {
+			GError *gerr = NULL;
+
+			ERROR_FAILED(&gerr, "ERR on socket", err);
+			server->connect(io, gerr, server->user_data);
+			g_clear_error(&gerr);
+		}
+		return FALSE;
+	}
+
 	cli_sock = accept(srv_sock, NULL, NULL);
 	if (cli_sock < 0) {
 		if (errno == EBADFD)
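Review bot: In the new G_IO_ERR branch of server_cb(), getsockopt(SO_ERROR) can succeed and still hand back sk_err == 0, in which case ERROR_FAILED(&gerr, "ERR on socket", err) builds an error carrying code 0 and the callback cannot tell what failed. Fall back to a real code before building gerr, for example if (!err) err = EIO;. Note too that server->connect() is now called with io, which in this function is the listening channel (srv_sock is taken from it), so every connect callback registered on a server has to test gerr before treating io as a connection. Style: the "< 0" pushed onto its own continuation line is hard to read; assigning the getsockopt() result to a local first would avoid the wrap.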
-- 
2.43.0



* [PATCH BlueZ 2/2] bap: log errors in BIG sync
From: Michal Dzik @ 2026-06-06  6:03 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Michal Dzik
In-Reply-To: <20260606060348.2240980-1-michal.dzik@streamunlimited.com>

---
 profiles/audio/bap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index b35542488..dd4b3c8ff 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -1474,7 +1474,10 @@ static void iso_bcast_confirm_cb(GIOChannel *io, GError *err, void *user_data)
 	int fd;
 	struct bap_data *bap_data = setup->data;
 
-	DBG("BIG Sync completed");
+	if (err)
+		error("BIG Sync failed: %s", err->message);
+	else
+		DBG("BIG Sync completed");
 
 	/* The order of the BIS fds notified from kernel corresponds
 	 * to the order of the BISes that were enqueued before
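Review bot: After error("BIG Sync failed: %s", err->message) in iso_bcast_confirm_cb() there is no return, so the function carries on into the BIS fd handling that follows as if the sync had succeeded; with patch 1/2 the io passed in on this path is the listening socket, not a synced BIS. Return early from the if (err) branch, with whatever cleanup of setup the failure needs. The commit message also has no body; one sentence naming the error path being logged (the G_IO_ERR case added in 1/2) would help.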
-- 
2.43.0



* [PATCH BlueZ 0/2] btio: handle error from broadcast ISO socket
From: Michal Dzik @ 2026-06-06  6:03 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Michal Dzik

If not handled, server_cb() will be stuck in endless loop of calling
accept() on the socket.

Michal Dzik (2):
  btio: handle error from broadcast ISO socket
  bap: log errors in BIG sync

 btio/btio.c          | 20 ++++++++++++++++++++
 profiles/audio/bap.c |  5 ++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

-- 
2.43.0



* RE: [v1] Bluetooth: btintel_pcie: Add 50 ms delay before MAC init on BlazarIW
From: bluez.test.bot @ 2026-06-06  0:44 UTC (permalink / raw)
  To: linux-bluetooth, kiran.k
In-Reply-To: <20260606003637.94628-1-kiran.k@intel.com>

[-- Attachment #1: Type: text/plain, Size: 988 bytes --]

This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1106883

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
VerifyFixes                   PASS      0.14 seconds
VerifySignedoff               PASS      0.14 seconds
GitLint                       PASS      0.34 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      26.07 seconds
CheckAllWarning               PASS      28.22 seconds
CheckSparse                   PASS      26.85 seconds
BuildKernel32                 PASS      25.06 seconds
TestRunnerSetup               PASS      531.09 seconds
IncrementalBuild              PASS      25.20 seconds



https://github.com/bluez/bluetooth-next/pull/290

---
Regards,
Linux Bluetooth



* [PATCH v1] Bluetooth: btintel_pcie: Add 50 ms delay before MAC init on BlazarIW
From: Kiran K @ 2026-06-06  0:36 UTC (permalink / raw)
  To: linux-bluetooth
  Cc: ravishankar.srivatsa, chethan.tumkur.narayan,
	chandrashekar.devegowda, Kiran K

On BlazarIW, fast restart cycles fail because the D0 entry to MAC
init does not complete in time. As a result, MAC initialization
does not proceed and the controller fails to transition past the
ROM boot stage.

Add a 50 ms delay (worst case as per HW analysis) before doing MAC
init in btintel_pcie_enable_bt() so the shared hardware reset flow
has time to complete. The delay is gated on the BlazarIW PCI device
id 0x4D76 so other Intel BT PCIe controllers are unaffected.

Signed-off-by: Kiran K <kiran.k@intel.com>
---
 drivers/bluetooth/btintel_pcie.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 2baef130d101..b09878d71025 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -799,6 +799,11 @@ static void btintel_pcie_dump_traces(struct hci_dev *hdev)
 		bt_dev_err(hdev, "Failed to dump traces: (%d)", ret);
 }
 
+static bool btintel_pcie_is_blazariw(struct pci_dev *pdev)
+{
+	return pdev->device == 0x4D76;
+}
+
 /* This function enables BT function by setting BTINTEL_PCIE_CSR_FUNC_CTRL_MAC_INIT bit in
  * BTINTEL_PCIE_CSR_FUNC_CTRL_REG register and wait for MSI-X with
  * BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP0.
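Review bot: btintel_pcie_is_blazariw() compares pdev->device against the bare literal 0x4D76; give the id a named define so the quirk is greppable and cannot drift from any other place the driver lists this device. The helper has a single caller in this patch, so it could also be folded into the call site, or, if more BlazarIW-specific handling is expected, the quirk could be carried as per-device data instead of an id comparison.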
@@ -818,6 +823,14 @@ static int btintel_pcie_enable_bt(struct btintel_pcie_data *data)
 	btintel_pcie_wr_reg32(data, BTINTEL_PCIE_CSR_CI_ADDR_MSB_REG,
 			      (u64)data->ci_p_addr >> 32);
 
+	/* On BlazarIW, the D0 entry to MAC init does not complete in
+	 * time. Wait 50 ms (worst case as per HW analysis) for the
+	 * shared hardware reset flow to complete before proceeding with
+	 * MAC init.
+	 */
+	if (btintel_pcie_is_blazariw(data->pdev))
+		msleep(50);
+
 	/* Reset the cached value of boot stage. it is updated by the MSI-X
 	 * gp0 interrupt handler.
 	 */
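Review bot: The msleep(50) added to btintel_pcie_enable_bt() runs on every call for a BlazarIW device, while the commit message only describes fast restart cycles failing, so every enable through this function pays the full worst-case 50 ms. If the hardware exposes any status the driver can read to tell that the shared reset flow has finished, poll that with a 50 ms timeout instead of sleeping unconditionally; if no such indication exists, say so in the comment. The comment's "does not complete in time" would also be clearer if it named what is being waited for and relative to which deadline.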
-- 
2.54.0



* RE: [v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: bluez.test.bot @ 2026-06-05 20:33 UTC (permalink / raw)
  To: linux-bluetooth, elver
In-Reply-To: <20260605142351.2306664-1-elver@google.com>

[-- Attachment #1: Type: text/plain, Size: 3450 bytes --]

This is an automated email; please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1106678

---Test result---

Test Summary:
CheckPatch                    FAIL      0.98 seconds
VerifyFixes                   PASS      0.14 seconds
VerifySignedoff               PASS      0.14 seconds
GitLint                       FAIL      0.35 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      25.50 seconds
CheckAllWarning               PASS      28.24 seconds
CheckSparse                   PASS      26.60 seconds
BuildKernel32                 PASS      24.91 seconds
TestRunnerSetup               PASS      524.91 seconds
TestRunner_l2cap-tester       PASS      58.70 seconds
IncrementalBuild              PASS      23.81 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#98: 
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]

ERROR: Unrecognized email address: 'https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz'
#218: 
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz

WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#218: 
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>

total: 1 errors, 2 warnings, 0 checks, 60 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14613573.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v2] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref

8: B1 Line exceeds max length (107>80): "| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]"
9: B1 Line exceeds max length (125>80): "| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"
10: B1 Line exceeds max length (93>80): "| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]"
11: B1 Line exceeds max length (84>80): "| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318"
14: B1 Line exceeds max length (100>80): "| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)"
15: B1 Line exceeds max length (95>80): "| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014"
20: B1 Line exceeds max length (91>80): "|  atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"


https://github.com/bluez/bluetooth-next/pull/289

---
Regards,
Linux Bluetooth

