* Re: [PATCH BlueZ 1/2] avdtp: Fix GET_CONFIGURATION cmd
From: patchwork-bot+bluetooth @ 2026-06-08 18:20 UTC (permalink / raw)
To: Simon Mikuda; +Cc: linux-bluetooth
In-Reply-To: <20260608112923.3722754-1-simon.mikuda@streamunlimited.com>
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 8 Jun 2026 13:29:22 +0200 you wrote:
> This fixes AVDTP/SNK/ACP/SIG/SMG/BV-12-C
> ---
> profiles/audio/avdtp.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
Here is the summary with links:
- [BlueZ,1/2] avdtp: Fix GET_CONFIGURATION cmd
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=60437c06560e
- [BlueZ,2/2] avdtp: Fix error handling for AVDTP_OPEN cmd
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7c1c90f7b6d0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH BlueZ] device: Fix auth_retry timeout not being removed on reconnect
From: patchwork-bot+bluetooth @ 2026-06-08 18:20 UTC (permalink / raw)
To: Simon Mikuda; +Cc: linux-bluetooth
In-Reply-To: <20260608112403.3720840-1-simon.mikuda@streamunlimited.com>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 8 Jun 2026 13:24:03 +0200 you wrote:
> timeout_remove() was called with 0 instead of the actual timer ID
> because auth_retry_id was zeroed before the call.
> ---
> src/device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Here is the summary with links:
- [BlueZ] device: Fix auth_retry timeout not being removed on reconnect
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7ca747652dc4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH BlueZ] device: Fix cache update on device remove
From: patchwork-bot+bluetooth @ 2026-06-08 18:20 UTC (permalink / raw)
To: Frédéric Danis <frederic.danis@collabora.com>
Cc: linux-bluetooth
In-Reply-To: <20260608122713.72681-1-frederic.danis@collabora.com>
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 8 Jun 2026 14:27:13 +0200 you wrote:
> If there's no other group than the one explicitly removed the length
> returned by g_key_file_to_data() will be 0 and currently nothing
> will be changed in the device cache file.
>
> If there's nothing to write, remove the device cache file.
> ---
> src/device.c | 2 ++
> 1 file changed, 2 insertions(+)
Here is the summary with links:
- [BlueZ] device: Fix cache update on device remove
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=279c4ac70c77
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* [bluez/bluez] 60437c: avdtp: Fix GET_CONFIGURATION cmd
From: Šimon Mikuda @ 2026-06-08 19:49 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: 60437c06560e46d211aaf99620cc9510dfd8081f
https://github.com/bluez/bluez/commit/60437c06560e46d211aaf99620cc9510dfd8081f
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M profiles/audio/avdtp.c
Log Message:
-----------
avdtp: Fix GET_CONFIGURATION cmd
This fixes AVDTP/SNK/ACP/SIG/SMG/BV-12-C
Commit: 7c1c90f7b6d0f653c581878a039e2d02362f33f5
https://github.com/bluez/bluez/commit/7c1c90f7b6d0f653c581878a039e2d02362f33f5
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M profiles/audio/avdtp.c
Log Message:
-----------
avdtp: Fix error handling for AVDTP_OPEN cmd
We have to return BAD_STATE when local SEP is available instead of
BAD_ACP_SEID.
This fixes: AVDTP/SNK/ACP/SIG/SMG/BI-26-C
Commit: 2c4ed7bfd3b3cade7abdec655702c554259cf8c0
https://github.com/bluez/bluez/commit/2c4ed7bfd3b3cade7abdec655702c554259cf8c0
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/shared/bap.c
M unit/test-bap.c
Log Message:
-----------
bap: Fix ASE control point properties
WriteWithoutResponse is mandatory as per ASCS 1.0.
Commit: 7ca747652dc44ecf1fa0336cc7570737f07a23f6
https://github.com/bluez/bluez/commit/7ca747652dc44ecf1fa0336cc7570737f07a23f6
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/device.c
Log Message:
-----------
device: Fix auth_retry timeout not being removed on reconnect
timeout_remove() was called with 0 instead of the actual timer ID
because auth_retry_id was zeroed before the call.
Commit: 279c4ac70c77d88e1947cef98cdabc288d2430d3
https://github.com/bluez/bluez/commit/279c4ac70c77d88e1947cef98cdabc288d2430d3
Author: Frédéric Danis <frederic.danis@collabora.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/device.c
Log Message:
-----------
device: Fix cache update on device remove
If there's no other group than the one explicitly removed the length
returned by g_key_file_to_data() will be 0 and currently nothing
will be changed in the device cache file.
If there's nothing to write, remove the device cache file.
Commit: 56835e9061de1eca24b8d2395ed6d1ae35d8361b
https://github.com/bluez/bluez/commit/56835e9061de1eca24b8d2395ed6d1ae35d8361b
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M profiles/input/server.c
M src/adapter.c
M src/device.c
M src/device.h
Log Message:
-----------
device: Refactor device_discover_services function
After refactoring we can reuse function once more in function
void device_bonding_complete(...)
Commit: 415955bb70baa17a82fa107e5fa34c501c6a006b
https://github.com/bluez/bluez/commit/415955bb70baa17a82fa107e5fa34c501c6a006b
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/device.c
Log Message:
-----------
device: Rename start_discovery function
Rename it to start_discovery_cb to indicate that it is a callback function
from a timer.
Commit: 622a46ebcd72a511219d51366352d4cf6a46dbba
https://github.com/bluez/bluez/commit/622a46ebcd72a511219d51366352d4cf6a46dbba
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/device.c
Log Message:
-----------
device: Fix returning discovery error for Device.Pair
If discovery was requested from pair request we will report successful
pairing even if there was an error during discovery.
Compare: https://github.com/bluez/bluez/compare/7a0c8ebf91e6...622a46ebcd72
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-08 19:50 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1107813
Home: https://github.com/bluez/bluez
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-08 19:50 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1107789
Home: https://github.com/bluez/bluez
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-08 19:50 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1107787
Home: https://github.com/bluez/bluez
^ permalink raw reply
* [PATCH BlueZ v1 1/2] shared/hci: Avoid redundant BPF filter updates on duplicate events
From: Luiz Augusto von Dentz @ 2026-06-08 20:50 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Skip updating the BPF socket filter in bt_hci_register and
bt_hci_register_subevent when the event/subevent is already
registered, since it is already part of the filter.
Similarly, skip updating the filter in bt_hci_unregister and
bt_hci_unregister_subevent when other handlers for the same
event/subevent still remain in the queue.
This avoids unnecessary setsockopt(SO_ATTACH_FILTER) calls when
multiple handlers are registered for the same event code.
---
src/shared/hci.c | 37 +++++++++++++++++++++++++++++++++----
1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/src/shared/hci.c b/src/shared/hci.c
index 40326fc810e6..1aba7db1d995 100644
--- a/src/shared/hci.c
+++ b/src/shared/hci.c
@@ -765,15 +765,28 @@ static void update_evt_filter(struct bt_hci *hci)
free(filters);
}
+static bool match_evt_event(const void *a, const void *b)
+{
+ const struct evt *evt = a;
+ uint8_t event = PTR_TO_UINT(b);
+
+ return evt->event == event;
+}
+
unsigned int bt_hci_register(struct bt_hci *hci, uint8_t event,
bt_hci_callback_func_t callback,
void *user_data, bt_hci_destroy_func_t destroy)
{
struct evt *evt;
+ bool update_filter;
if (!hci)
return 0;
+ /* Check if event already has a handler registered */
+ update_filter = !queue_find(hci->evt_list, match_evt_event,
+ UINT_TO_PTR(event));
+
evt = new0(struct evt, 1);
evt->event = event;
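Review bot: In bt_hci_register the queue_find() that sets update_filter gives the right answer only because it runs before the new evt is pushed onto hci->evt_list; if the lookup is ever moved below the push it will always find the entry just added and the filter will never be updated. The comment "Check if event already has a handler registered" should say that it must run before the new handler is queued. The same applies to the lookup in bt_hci_register_subevent.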
@@ -791,7 +804,8 @@ unsigned int bt_hci_register(struct bt_hci *hci, uint8_t event,
return 0;
}
- update_evt_filter(hci);
+ if (update_filter)
+ update_evt_filter(hci);
return evt->id;
}
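Review bot: With `if (update_filter)` guarding the call in bt_hci_register, a second handler for the same event no longer re-attaches the filter, and update_evt_filter() is declared static void, so an attach that did not take effect is no longer retried by later registrations of that event as it was before this change. Consider having update_evt_filter() report failure and recording or logging it, so that a stale filter does not go unnoticed.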
@@ -849,6 +863,7 @@ static bool match_evt_id(const void *a, const void *b)
bool bt_hci_unregister(struct bt_hci *hci, unsigned int id)
{
struct evt *evt;
+ uint8_t event;
if (!hci || !id)
return false;
@@ -857,9 +872,12 @@ bool bt_hci_unregister(struct bt_hci *hci, unsigned int id)
if (!evt)
return false;
+ event = evt->event;
evt_free(evt);
- update_evt_filter(hci);
+ /* Only update filter if no other handler for this event remains */
+ if (!queue_find(hci->evt_list, match_evt_event, UINT_TO_PTR(event)))
+ update_evt_filter(hci);
return true;
}
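Review bot: The `queue_find(hci->evt_list, match_evt_event, UINT_TO_PTR(event))` placed after evt_free(evt) in bt_hci_unregister means "another handler remains" only if evt was already unlinked from hci->evt_list by the lookup above this hunk; if it were still linked, the search would walk a freed entry. Copying evt->event into the local before evt_free() is the right order; a one-line comment stating that evt is already off the list at this point would make that dependency explicit.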
@@ -871,10 +889,15 @@ unsigned int bt_hci_register_subevent(struct bt_hci *hci,
void *user_data, bt_hci_destroy_func_t destroy)
{
struct evt *evt;
+ bool update_filter;
if (!hci)
return 0;
+ /* Check if subevent already has a handler registered */
+ update_filter = !queue_find(hci->subevt_list, match_evt_event,
+ UINT_TO_PTR(subevent));
+
evt = new0(struct evt, 1);
evt->event = subevent;
@@ -892,7 +915,8 @@ unsigned int bt_hci_register_subevent(struct bt_hci *hci,
return 0;
}
- update_evt_filter(hci);
+ if (update_filter)
+ update_evt_filter(hci);
return evt->id;
}
@@ -900,6 +924,7 @@ unsigned int bt_hci_register_subevent(struct bt_hci *hci,
bool bt_hci_unregister_subevent(struct bt_hci *hci, unsigned int id)
{
struct evt *evt;
+ uint8_t event;
if (!hci || !id)
return false;
@@ -909,9 +934,13 @@ bool bt_hci_unregister_subevent(struct bt_hci *hci, unsigned int id)
if (!evt)
return false;
+ event = evt->event;
evt_free(evt);
- update_evt_filter(hci);
+ /* Only update filter if no other handler for this subevent remains */
+ if (!queue_find(hci->subevt_list, match_evt_event,
+ UINT_TO_PTR(event)))
+ update_evt_filter(hci);
return true;
}
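Review bot: The find-then-update sequence in bt_hci_unregister_subevent is the fourth copy of the same pattern in this patch, differing only in the queue passed to queue_find(), and here the local named event actually holds a subevent code. A small helper that takes the queue and the code, used by both register and both unregister paths, would remove the duplication and the naming mismatch.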
--
2.54.0
^ permalink raw reply related
* [PATCH BlueZ v1 2/2] shared/hci: Debounce SO_ATTACH_FILTER with timeout_add(0)
From: Luiz Augusto von Dentz @ 2026-06-08 20:50 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <20260608205009.97585-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Coalesce multiple BPF filter updates into a single SO_ATTACH_FILTER
setsockopt call by deferring the update to the next event loop
iteration using timeout_add(0, ...).
When bt_hci_register_event or bt_hci_register_subevent is called
multiple times in succession (e.g. from bt_rap_attach_hci), each call
previously triggered a full filter rebuild and setsockopt. Now,
schedule_evt_filter() simply marks a pending update which fires once
in filter_timeout() after all synchronous registrations complete.
---
src/shared/hci.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/shared/hci.c b/src/shared/hci.c
index 1aba7db1d995..e8586ab5014c 100644
--- a/src/shared/hci.c
+++ b/src/shared/hci.c
@@ -31,6 +31,7 @@
#include "src/shared/io.h"
#include "src/shared/util.h"
#include "src/shared/queue.h"
+#include "src/shared/timeout.h"
#include "src/shared/hci.h"
@@ -42,6 +43,7 @@ struct bt_hci {
uint8_t num_cmds;
unsigned int next_cmd_id;
unsigned int next_evt_id;
+ unsigned int filter_id;
struct queue *cmd_queue;
struct queue *rsp_queue;
struct queue *evt_list;
@@ -485,6 +487,9 @@ void bt_hci_unref(struct bt_hci *hci)
if (__sync_sub_and_fetch(&hci->ref_count, 1))
return;
+ if (hci->filter_id)
+ timeout_remove(hci->filter_id);
+
queue_destroy(hci->evt_list, evt_free);
queue_destroy(hci->subevt_list, evt_free);
queue_destroy(hci->cmd_queue, cmd_free);
@@ -765,6 +770,27 @@ static void update_evt_filter(struct bt_hci *hci)
free(filters);
}
+static bool filter_timeout(void *user_data)
+{
+ struct bt_hci *hci = user_data;
+
+ hci->filter_id = 0;
+ update_evt_filter(hci);
+
+ return false;
+}
+
+static void schedule_evt_filter(struct bt_hci *hci)
+{
+ /* Coalesce multiple filter updates into a single SO_ATTACH_FILTER call
+ * by deferring the update to the next event loop iteration.
+ */
+ if (hci->filter_id)
+ return;
+
+ hci->filter_id = timeout_add(0, filter_timeout, hci, NULL);
+}
+
static bool match_evt_event(const void *a, const void *b)
{
const struct evt *evt = a;
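Review bot: In schedule_evt_filter the result of timeout_add() is stored in hci->filter_id without a check, and 0 is the value this code uses for "nothing pending", so if timeout_add() returns 0 the update is silently lost and the filter stays stale until a later registration schedules again. Falling back to a direct update_evt_filter(hci) call when the returned id is 0 would keep the previous behaviour in that case.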
@@ -805,7 +831,7 @@ unsigned int bt_hci_register(struct bt_hci *hci, uint8_t event,
}
if (update_filter)
- update_evt_filter(hci);
+ schedule_evt_filter(hci);
return evt->id;
}
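Review bot: Replacing update_evt_filter(hci) with schedule_evt_filter(hci) in bt_hci_register means the socket filter does not yet pass the new event when the function returns; it is attached only when filter_timeout() runs on the next loop iteration. That is a behaviour change for callers that register a handler and expect matching events from that point on, so it should be stated in the bt_hci_register documentation or the commit message, together with why the window is harmless.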
@@ -877,7 +903,7 @@ bool bt_hci_unregister(struct bt_hci *hci, unsigned int id)
/* Only update filter if no other handler for this event remains */
if (!queue_find(hci->evt_list, match_evt_event, UINT_TO_PTR(event)))
- update_evt_filter(hci);
+ schedule_evt_filter(hci);
return true;
}
@@ -916,7 +942,7 @@ unsigned int bt_hci_register_subevent(struct bt_hci *hci,
}
if (update_filter)
- update_evt_filter(hci);
+ schedule_evt_filter(hci);
return evt->id;
}
@@ -940,7 +966,7 @@ bool bt_hci_unregister_subevent(struct bt_hci *hci, unsigned int id)
/* Only update filter if no other handler for this subevent remains */
if (!queue_find(hci->subevt_list, match_evt_event,
UINT_TO_PTR(event)))
- update_evt_filter(hci);
+ schedule_evt_filter(hci);
return true;
}
--
2.54.0
^ permalink raw reply related
* [bluez/bluez] 61b6c0: shared/hci: Avoid redundant BPF filter updates on ...
From: Luiz Augusto von Dentz @ 2026-06-08 21:29 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108111
Home: https://github.com/bluez/bluez
Commit: 61b6c0cbc6a9c6c018ac942d301f4f900c272961
https://github.com/bluez/bluez/commit/61b6c0cbc6a9c6c018ac942d301f4f900c272961
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/shared/hci.c
Log Message:
-----------
shared/hci: Avoid redundant BPF filter updates on duplicate events
Skip updating the BPF socket filter in bt_hci_register and
bt_hci_register_subevent when the event/subevent is already
registered, since it is already part of the filter.
Similarly, skip updating the filter in bt_hci_unregister and
bt_hci_unregister_subevent when other handlers for the same
event/subevent still remain in the queue.
This avoids unnecessary setsockopt(SO_ATTACH_FILTER) calls when
multiple handlers are registered for the same event code.
Commit: ad880be30195eff5b2ad4d2df52f6c426d79fe73
https://github.com/bluez/bluez/commit/ad880be30195eff5b2ad4d2df52f6c426d79fe73
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
M src/shared/hci.c
Log Message:
-----------
shared/hci: Debounce SO_ATTACH_FILTER with timeout_add(0)
Coalesce multiple BPF filter updates into a single SO_ATTACH_FILTER
setsockopt call by deferring the update to the next event loop
iteration using timeout_add(0, ...).
When bt_hci_register_event or bt_hci_register_subevent is called
multiple times in succession (e.g. from bt_rap_attach_hci), each call
previously triggered a full filter rebuild and setsockopt. Now,
schedule_evt_filter() simply marks a pending update which fires once
in filter_timeout() after all synchronous registrations complete.
Compare: https://github.com/bluez/bluez/compare/61b6c0cbc6a9%5E...ad880be30195
^ permalink raw reply
* RE: [BlueZ,v1,1/2] shared/hci: Avoid redundant BPF filter updates on duplicate events
From: bluez.test.bot @ 2026-06-08 22:15 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260608205009.97585-1-luiz.dentz@gmail.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108111
---Test result---
Test Summary:
CheckPatch PASS 0.99 seconds
GitLint FAIL 0.67 seconds
BuildEll PASS 20.62 seconds
BluezMake PASS 632.10 seconds
CheckSmatch PASS 331.99 seconds
bluezmakeextell PASS 166.70 seconds
IncrementalBuild PASS 640.51 seconds
ScanBuild PASS 948.65 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[BlueZ,v1,1/2] shared/hci: Avoid redundant BPF filter updates on duplicate events
1: T1 Title exceeds max length (81>80): "[BlueZ,v1,1/2] shared/hci: Avoid redundant BPF filter updates on duplicate events"
https://github.com/bluez/bluez/pull/2197
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [PATCH] Bluetooth: hci: validate codec capability element length
From: Samuel Moelius @ 2026-06-08 23:56 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Samuel Moelius, Luiz Augusto von Dentz,
open list:BLUETOOTH SUBSYSTEM, open list
Read Local Codec Capabilities returns a sequence of capability elements.
Each element starts with a one-byte length followed by that many payload
bytes.
hci_read_codec_capabilities() checks that the skb contains the length
byte, but then validates only caps->len against the remaining skb
length. A malformed controller response with one remaining byte and
caps->len set to one passes that check even though the element needs two
bytes. The parser then records a two-byte capability and copies one
byte beyond the advertised response payload into the codec list.
Validate the full element size, including the length byte, before adding
it to the accumulated capability length. This preserves all well-formed
capability elements and drops only truncated controller responses.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
net/bluetooth/hci_codec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_codec.c b/net/bluetooth/hci_codec.c
index 3cc135bb1d30..5bc5003c387c 100644
--- a/net/bluetooth/hci_codec.c
+++ b/net/bluetooth/hci_codec.c
@@ -100,7 +100,7 @@ static void hci_read_codec_capabilities(struct hci_dev *hdev, __u8 transport,
caps = (void *)skb->data;
if (skb->len < sizeof(*caps))
goto error;
- if (skb->len < caps->len)
+ if (skb->len < sizeof(caps->len) + caps->len)
goto error;
len += sizeof(caps->len) + caps->len;
skb_pull(skb, sizeof(caps->len) + caps->len);
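Review bot: After this change `sizeof(caps->len) + caps->len` is spelled out three times in hci_read_codec_capabilities: in the new check, in the `len +=` accumulation and in skb_pull(). Computing the element size once into a local and using it in all three places would keep the bound that is validated and the amount that is consumed from drifting apart again.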
--
2.43.0
^ permalink raw reply related
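The length check described in the message above, as an added user-space model (not kernel code and not part of the patch): it walks length-prefixed capability elements with the old comparison and with the patched one. The names walk_caps, walk_result, overread and both byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of walking a list of length-prefixed capability elements. */
struct walk_result {
	int ok;          /* 1 if no element was rejected */
	size_t claimed;  /* bytes the parser would record as capability data */
};

/* Constructed sample: one complete element, then a lone length byte of 1. */
static const uint8_t truncated[] = { 0x02, 0xAA, 0xBB, 0x01 };
/* Constructed sample: two complete elements. */
static const uint8_t wellformed[] = { 0x02, 0xAA, 0xBB, 0x01, 0xCC };

/*
 * Walk up to num_caps elements in buf[0..buf_len).
 * strict == 0: compare only the payload length with the bytes left,
 *              the comparison the patch removes.
 * strict == 1: compare length byte plus payload with the bytes left,
 *              the comparison the patch adds.
 */
static struct walk_result walk_caps(const uint8_t *buf, size_t buf_len,
				    unsigned int num_caps, int strict)
{
	struct walk_result res = { 1, 0 };
	size_t off = 0;
	unsigned int i;

	for (i = 0; i < num_caps; i++) {
		size_t left = buf_len - off;
		size_t payload, elem;

		if (left < 1) {		/* no room for the length byte */
			res.ok = 0;
			return res;
		}

		payload = buf[off];
		elem = 1 + payload;	/* length byte + payload */

		if (strict ? left < elem : left < payload) {
			res.ok = 0;
			return res;
		}

		res.claimed += elem;
		if (elem > left)	/* only reachable with strict == 0 */
			break;		/* claimed now exceeds the buffer */
		off += elem;
	}

	return res;
}

/* Bytes past the end of the buffer that a copy of 'claimed' bytes would touch. */
static size_t overread(size_t buf_len, struct walk_result res)
{
	return res.claimed > buf_len ? res.claimed - buf_len : 0;
}

int main(void)
{
	struct walk_result lax = walk_caps(truncated, sizeof(truncated), 2, 0);
	struct walk_result fixed = walk_caps(truncated, sizeof(truncated), 2, 1);
	struct walk_result good = walk_caps(wellformed, sizeof(wellformed), 2, 1);

	printf("old check:     ok=%d claimed=%zu overread=%zu\n",
	       lax.ok, lax.claimed, overread(sizeof(truncated), lax));
	printf("patched check: ok=%d claimed=%zu overread=%zu\n",
	       fixed.ok, fixed.claimed, overread(sizeof(truncated), fixed));
	printf("well-formed:   ok=%d claimed=%zu overread=%zu\n",
	       good.ok, good.claimed, overread(sizeof(wellformed), good));
	return 0;
}
```
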
* [PATCH] Bluetooth: L2CAP: validate connectionless PSM length
From: Samuel Moelius @ 2026-06-08 23:57 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Samuel Moelius, Luiz Augusto von Dentz,
open list:BLUETOOTH SUBSYSTEM, open list
Connectionless L2CAP frames carry a two-byte PSM at the start of the
payload. l2cap_recv_frame() currently reads that PSM unconditionally
after validating only the outer L2CAP length.
A malformed connectionless frame with a zero- or one-byte payload can
therefore make the parser read beyond the advertised skb payload and use
tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer
injected a one-byte connectionless payload and reached the unchecked
read.
Reject connectionless frames that cannot contain the PSM before reading
or pulling it. This preserves all valid connectionless frames while
dropping only structurally incomplete packets.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
net/bluetooth/l2cap_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c4ccfbda9d78..a9353fa91588 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7026,6 +7026,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
break;
case L2CAP_CID_CONN_LESS:
+ if (skb->len < L2CAP_PSMLEN_SIZE) {
+ kfree_skb(skb);
+ break;
+ }
+
psm = get_unaligned((__le16 *) skb->data);
skb_pull(skb, L2CAP_PSMLEN_SIZE);
l2cap_conless_channel(conn, psm, skb);
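Review bot: The new `skb->len < L2CAP_PSMLEN_SIZE` branch in the L2CAP_CID_CONN_LESS case frees the skb and breaks without leaving any trace, so a peer sending short connectionless frames is invisible when debugging. A BT_DBG() that prints skb->len before kfree_skb(skb) would make the drop observable at no cost on the normal path.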
--
2.43.0
^ permalink raw reply related
* [PATCH] Bluetooth: vhci: validate devcoredump state before side effects
From: Samuel Moelius @ 2026-06-08 23:58 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Samuel Moelius, Luiz Augusto von Dentz,
open list:BLUETOOTH DRIVERS, open list
The VHCI force_devcoredump debugfs hook accepts a small test record from
userspace. It validates the requested terminal state only after
registering, initializing and appending a Bluetooth devcoredump.
As a result, an invalid state returns -EINVAL but still leaves queued
devcoredump work behind. With a non-zero timeout field, the rejected
write can still emit a devcoredump after the timeout expires.
Reject unsupported states before allocating the skb or changing the HCI
devcoredump state machine.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
drivers/bluetooth/hci_vhci.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2762eacf7f20..3401e3b22f04 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -338,6 +338,14 @@ static ssize_t force_devcd_write(struct file *file, const char __user *user_buf,
return -EFAULT;
data_size = count - offsetof(struct devcoredump_test_data, data);
+ switch (dump_data.state) {
+ case HCI_DEVCOREDUMP_DONE:
+ case HCI_DEVCOREDUMP_ABORT:
+ case HCI_DEVCOREDUMP_TIMEOUT:
+ break;
+ default:
+ return -EINVAL;
+ }
skb = alloc_skb(data_size, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
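Review bot: The accepted states are now listed in this new switch in force_devcd_write and, per the commit message, again in the existing check that runs after the dump has been appended, so the two lists must be kept in sync by hand and the later -EINVAL path becomes unreachable. Either drop that later default case or mark it as unreachable in a comment; a blank line between the closing brace of the new switch and `skb = alloc_skb(...)` would also separate the validation from the allocation.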
--
2.43.0
^ permalink raw reply related
* RE: Bluetooth: L2CAP: validate connectionless PSM length
From: bluez.test.bot @ 2026-06-09 1:59 UTC (permalink / raw)
To: linux-bluetooth, sam.moelius
In-Reply-To: <20260608235705.1233510.fe2269cf0103.bluetooth-l2cap-connless-short-pdu-oob@trailofbits.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108158
---Test result---
Test Summary:
CheckPatch PASS 0.60 seconds
VerifyFixes PASS 0.09 seconds
VerifySignedoff PASS 0.09 seconds
GitLint PASS 0.25 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 27.18 seconds
CheckAllWarning PASS 29.26 seconds
CheckSparse PASS 27.84 seconds
BuildKernel32 PASS 26.17 seconds
TestRunnerSetup PASS 578.06 seconds
TestRunner_l2cap-tester PASS 60.04 seconds
IncrementalBuild PASS 25.60 seconds
https://github.com/bluez/bluetooth-next/pull/294
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: Bluetooth: hci: validate codec capability element length
From: bluez.test.bot @ 2026-06-09 2:08 UTC (permalink / raw)
To: linux-bluetooth, sam.moelius
In-Reply-To: <20260608235627.1233330.bc5338ecae62.bluetooth-hci-codec-cap-short-oob@trailofbits.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108156
---Test result---
Test Summary:
CheckPatch PASS 0.61 seconds
VerifyFixes PASS 0.08 seconds
VerifySignedoff PASS 0.07 seconds
GitLint PASS 0.21 seconds
SubjectPrefix PASS 0.07 seconds
BuildKernel PASS 26.58 seconds
CheckAllWarning PASS 29.53 seconds
CheckSparse PASS 28.04 seconds
BuildKernel32 PASS 25.93 seconds
TestRunnerSetup PASS 577.06 seconds
TestRunner_l2cap-tester PASS 60.65 seconds
TestRunner_iso-tester PASS 78.61 seconds
TestRunner_bnep-tester PASS 19.09 seconds
TestRunner_mgmt-tester FAIL 216.08 seconds
TestRunner_rfcomm-tester PASS 26.05 seconds
TestRunner_sco-tester PASS 32.97 seconds
TestRunner_ioctl-tester PASS 26.16 seconds
TestRunner_mesh-tester FAIL 25.86 seconds
TestRunner_smp-tester PASS 23.83 seconds
TestRunner_userchan-tester PASS 20.28 seconds
TestRunner_6lowpan-tester PASS 22.87 seconds
IncrementalBuild PASS 25.00 seconds
Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.249 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.188 seconds
Mesh - Send cancel - 2 Timed out 1.989 seconds
https://github.com/bluez/bluetooth-next/pull/293
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: Bluetooth: vhci: validate devcoredump state before side effects
From: bluez.test.bot @ 2026-06-09 2:08 UTC (permalink / raw)
To: linux-bluetooth, sam.moelius
In-Reply-To: <20260608235822.1233691.33d07ec605af.bluetooth-vhci-invalid-devcoredump-state@trailofbits.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108159
---Test result---
Test Summary:
CheckPatch PASS 0.54 seconds
VerifyFixes PASS 0.07 seconds
VerifySignedoff PASS 0.07 seconds
GitLint PASS 0.21 seconds
SubjectPrefix PASS 0.07 seconds
BuildKernel PASS 26.64 seconds
CheckAllWarning PASS 29.34 seconds
CheckSparse PASS 28.65 seconds
BuildKernel32 PASS 26.87 seconds
TestRunnerSetup PASS 571.93 seconds
TestRunner_l2cap-tester PASS 58.86 seconds
TestRunner_iso-tester PASS 84.06 seconds
TestRunner_bnep-tester PASS 18.89 seconds
TestRunner_mgmt-tester FAIL 211.74 seconds
TestRunner_rfcomm-tester PASS 25.44 seconds
TestRunner_sco-tester PASS 32.50 seconds
TestRunner_ioctl-tester PASS 25.91 seconds
TestRunner_mesh-tester FAIL 25.85 seconds
TestRunner_smp-tester PASS 23.00 seconds
TestRunner_userchan-tester PASS 19.92 seconds
TestRunner_6lowpan-tester PASS 22.42 seconds
IncrementalBuild PASS 24.45 seconds
Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.244 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.373 seconds
Mesh - Send cancel - 2 Timed out 1.990 seconds
https://github.com/bluez/bluetooth-next/pull/295
---
Regards,
Linux Bluetooth
^ permalink raw reply
* Re: Bluetooth: L2CAP: validate connectionless PSM length
From: Victor Yeo @ 2026-06-09 2:50 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <6a277385.e1c1f991.db356.66c2@mx.google.com>
unsubscribe
On Mon, Jun 8, 2026 at 6:59 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108158
>
> ---Test result---
>
> Test Summary:
> CheckPatch PASS 0.60 seconds
> VerifyFixes PASS 0.09 seconds
> VerifySignedoff PASS 0.09 seconds
> GitLint PASS 0.25 seconds
> SubjectPrefix PASS 0.11 seconds
> BuildKernel PASS 27.18 seconds
> CheckAllWarning PASS 29.26 seconds
> CheckSparse PASS 27.84 seconds
> BuildKernel32 PASS 26.17 seconds
> TestRunnerSetup PASS 578.06 seconds
> TestRunner_l2cap-tester PASS 60.04 seconds
> IncrementalBuild PASS 25.60 seconds
>
>
>
> https://github.com/bluez/bluetooth-next/pull/294
>
> ---
> Regards,
> Linux Bluetooth
>
^ permalink raw reply
* [PATCH v4 0/8] Support for block device NVMEM providers
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain, Bartosz Golaszewski, Konrad Dybcio
On embedded devices, it is common for factory provisioning to store
device-specific information, such as Ethernet or WiFi MAC addresses,
in a dedicated area of an eMMC partition. This avoids the need for
an additional EEPROM/OTP and leverages the persistence of eMMC.
One example is the Arduino UNO-Q, where the WiFi MAC address and the
Bluetooth Device address are stored in the eMMC Boot1 partition.
Until now, accessing this information required a custom bootloader
to read the data and inject it into the Device Tree before handing
control over to the kernel. This approach is fragile and leads to
device-specific workarounds.
Rather than adding a new NVMEM provider specifically to the eMMC
subsystem, the new support operates at the block layer, allowing any
block device to behave like other non-volatile memories such as EEPROM
or OTP.
This series builds on earlier work by Daniel Golle that enables block
devices to act as NVMEM providers:
https://lore.kernel.org/all/6061aa4201030b9bb2f8d03ef32a564fdb786ed1.1709667858.git.daniel@makrotopia.org/
It also introduces an NVMEM layout description for the Arduino UNO-Q,
allowing device-specific data stored in the eMMC Boot1 partition to
be accessed in a standard way.
WiFi and Ethernet already support retrieving MAC addresses from NVMEM.
Bluetooth requires similar support, which is also addressed.
Note that this is currently limited to MMC-backed block devices, as
only the MMC core associates a firmware node with the block device
(add_disk_fwnode). This can be easily extended in the future to
support additional block drivers.
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
Changes in v4:
- Fix squash issue (dts commit incorrectly squashed) (Konrad)
- Use devres for nvmem resources (Bartosz)
- use __free() destructor helper when possible (Bartosz)
- Fix value return checking for bdev_file_open_by_dev
- Link to v3: https://lore.kernel.org/r/20260608-block-as-nvmem-v3-0-82681f50aa35@oss.qualcomm.com
Changes in v3:
- Fixed missing 'fixed-partitions' compatible in partition (Rob)
- Fixed clashing nvmem cells, document calibration along mac (Sashiko)
- Remove workaround to handle dangling nvmem references after
unregistering, this is a generic nvmem framework issue handled
in Bartosz's series:
https://lore.kernel.org/all/20260429-nvmem-unbind-v3-0-2a694f95395b@oss.qualcomm.com/
- Validate mac (is_valid_ether_addr) before copying to output buffer
- Link to v2: https://lore.kernel.org/r/20260507-block-as-nvmem-v2-0-bf17edd5134e@oss.qualcomm.com
Changes in v2:
- Fix example nvmem-layout cells to use compatible = "mac-base"
- Squash WiFi MAC and Bluetooth BD address consumer patches into the nvmem layout patch
- Fix possible use-after-free in blk-nvmem: bnv (nvmem priv) linked to nvmem lifetime
- Simplify nvmem-cell-names from items: - const: to plain const:
- Factor out common NVMEM EUI-48 retrieval logic
- Reorder changes
- Link to v1: https://lore.kernel.org/r/20260428-block-as-nvmem-v1-0-6ad23e75190a@oss.qualcomm.com
---
Daniel Golle (1):
block: implement NVMEM provider
Loic Poulain (7):
dt-bindings: mmc: Document support for nvmem-layout
dt-bindings: net: wireless: qcom,ath10k: Document NVMEM cells
dt-bindings: bluetooth: qcom: Add NVMEM BD address cell
net: of_net: Add of_get_nvmem_eui48() helper for EUI-48 lookup
Bluetooth: hci_sync: Add NVMEM-backed BD address retrieval
Bluetooth: qca: Set NVMEM BD address quirks when address is invalid
arm64: dts: qcom: arduino-imola: Describe NVMEM layout for WiFi/BT addresses
.../devicetree/bindings/mmc/mmc-card.yaml | 29 ++++++
.../net/bluetooth/qcom,bluetooth-common.yaml | 9 ++
.../bindings/net/wireless/qcom,ath10k.yaml | 16 +++
arch/arm64/boot/dts/qcom/qrb2210-arduino-imola.dts | 39 +++++++
block/Kconfig | 9 ++
block/Makefile | 1 +
block/blk-nvmem.c | 114 +++++++++++++++++++++
drivers/bluetooth/btqca.c | 5 +-
include/linux/of_net.h | 7 ++
include/net/bluetooth/hci.h | 18 ++++
net/bluetooth/hci_sync.c | 39 ++++++-
net/core/of_net.c | 49 ++++++---
12 files changed, 321 insertions(+), 14 deletions(-)
---
base-commit: 47c4835fc0fed583d01d90387b67633950eba2b2
change-id: 20260428-block-as-nvmem-4b308e8bda9a
Best regards,
--
Loic Poulain <loic.poulain@oss.qualcomm.com>
^ permalink raw reply
* [PATCH v4 1/8] dt-bindings: mmc: Document support for nvmem-layout
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain, Bartosz Golaszewski
In-Reply-To: <20260609-block-as-nvmem-v4-0-45712e6b22c6@oss.qualcomm.com>
Add support for an nvmem-layout subnode under an eMMC hardware
partition. This allows the partition to be exposed as an NVMEM
provider and its internal layout to be described. For example,
an eMMC boot partition can be used to store device-specific
information such as a WiFi MAC address.
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
.../devicetree/bindings/mmc/mmc-card.yaml | 29 ++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/Documentation/devicetree/bindings/mmc/mmc-card.yaml b/Documentation/devicetree/bindings/mmc/mmc-card.yaml
index a61d6c96df759102f9c1fbfd548b026a77921cae..ca907ad73095925b234b119948f94ae81e698c86 100644
--- a/Documentation/devicetree/bindings/mmc/mmc-card.yaml
+++ b/Documentation/devicetree/bindings/mmc/mmc-card.yaml
@@ -40,6 +40,9 @@ patternProperties:
contains:
const: fixed-partitions
+ nvmem-layout:
+ $ref: /schemas/nvmem/layouts/nvmem-layout.yaml
+
required:
- compatible
- reg
@@ -86,6 +89,32 @@ examples:
read-only;
};
};
+
+ partitions-boot2 {
+ compatible = "fixed-partitions";
+
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ nvmem-layout {
+ compatible = "fixed-layout";
+
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ mac-addr@4400 {
+ compatible = "mac-base";
+ reg = <0x4400 0x6>;
+ #nvmem-cell-cells = <1>;
+ };
+
+ bd-addr@5400 {
+ compatible = "mac-base";
+ reg = <0x5400 0x6>;
+ #nvmem-cell-cells = <1>;
+ };
+ };
+ };
};
};
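Review bot: In the partitions-boot2 example, both cells set `#nvmem-cell-cells = <1>` but no consumer node is shown, so the example does not document what the one-cell argument means or how a WiFi or Bluetooth node would reference mac-addr@4400 or bd-addr@5400. Adding a short consumer with nvmem-cells and nvmem-cell-names to the example, or a comment on the argument, would make the binding self-explanatory. The example also has no partition child under the fixed-partitions node, so it is worth stating whether nvmem-layout is meant to coexist with partition subnodes in the same hardware partition.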
--
2.34.1
^ permalink raw reply related
* [PATCH v4 2/8] dt-bindings: net: wireless: qcom,ath10k: Document NVMEM cells
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain, Bartosz Golaszewski
In-Reply-To: <20260609-block-as-nvmem-v4-0-45712e6b22c6@oss.qualcomm.com>
Document the NVMEM cells supported by the ath10k driver, the
mac-address, pre-calibration data, and calibration data.
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
.../devicetree/bindings/net/wireless/qcom,ath10k.yaml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml b/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml
index c21d66c7cd558ab792524be9afec8b79272d1c87..7391df5e7071e626af4c64b9919d48c41ac09f1e 100644
--- a/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml
+++ b/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml
@@ -92,6 +92,22 @@ properties:
ieee80211-freq-limit: true
+ nvmem-cells:
+ minItems: 1
+ maxItems: 3
+ description: |
+ References to nvmem cells for MAC address and/or calibration data.
+ Supported cell names are mac-address, calibration, and pre-calibration.
+
+ nvmem-cell-names:
+ minItems: 1
+ maxItems: 3
+ items:
+ enum:
+ - mac-address
+ - calibration
+ - pre-calibration
+
qcom,calibration-data:
$ref: /schemas/types.yaml#/definitions/uint8-array
description:
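Review bot: The nvmem-cell-names schema constrains each item to the enum but does not prevent the same name from being listed more than once, so a node naming mac-address three times would validate; consider adding `uniqueItems: true`. The nvmem-cells description repeats the enum values and can drift from them; describing what each cell is expected to contain (length, format) would be more useful to board authors.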
--
2.34.1
^ permalink raw reply related
* [PATCH v4 3/8] dt-bindings: bluetooth: qcom: Add NVMEM BD address cell
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain, Bartosz Golaszewski
In-Reply-To: <20260609-block-as-nvmem-v4-0-45712e6b22c6@oss.qualcomm.com>
Add support for an NVMEM cell provider for "local-bd-address",
allowing the Bluetooth stack to retrieve the controller's BD address
from non-volatile storage such as an EEPROM or an eMMC partition.
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
.../devicetree/bindings/net/bluetooth/qcom,bluetooth-common.yaml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,bluetooth-common.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,bluetooth-common.yaml
index c8e9c55c1afb4c8e05ba2dae41ce2db4194b4a0f..7cb28f30c9af032082f23311f2fc89a32f266f17 100644
--- a/Documentation/devicetree/bindings/net/bluetooth/qcom,bluetooth-common.yaml
+++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,bluetooth-common.yaml
@@ -22,4 +22,13 @@ properties:
description:
boot firmware is incorrectly passing the address in big-endian order
+ nvmem-cells:
+ maxItems: 1
+ description:
+ Nvmem data cell that contains a 6 byte BD address with the most
+ significant byte first (big-endian).
+
+ nvmem-cell-names:
+ const: local-bd-address
+
additionalProperties: true
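Review bot: The nvmem-cells description fixes the stored byte order as big-endian, but the hci_sync change later in this series only swaps the bytes when HCI_QUIRK_BDADDR_NVMEM_BE is set and otherwise copies the cell as-is. A driver that uses this binding without setting that quirk would interpret a correctly provisioned cell in reversed order. Either state in the binding that the byte order is a driver-level decision, or make sure every driver referencing qcom,bluetooth-common sets the quirk and say so in the commit message.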
--
2.34.1
^ permalink raw reply related
* [PATCH v4 4/8] block: implement NVMEM provider
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain
In-Reply-To: <20260609-block-as-nvmem-v4-0-45712e6b22c6@oss.qualcomm.com>
From: Daniel Golle <daniel@makrotopia.org>
On embedded devices using an eMMC it is common that one or more partitions
on the eMMC are used to store MAC addresses and Wi-Fi calibration EEPROM
data. Allow referencing the partition in device tree for the kernel and
Wi-Fi drivers accessing it via the NVMEM layer.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Co-developed-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
block/Kconfig | 9 +++++
block/Makefile | 1 +
block/blk-nvmem.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 124 insertions(+)
diff --git a/block/Kconfig b/block/Kconfig
index 15027963472d7b40e27b9097a5993c457b5b3054..0b33747e16dc33473683706f75c92bdf8b648f7c 100644
--- a/block/Kconfig
+++ b/block/Kconfig
@@ -209,6 +209,15 @@ config BLK_INLINE_ENCRYPTION_FALLBACK
by falling back to the kernel crypto API when inline
encryption hardware is not present.
+config BLK_NVMEM
+ bool "Block device NVMEM provider"
+ depends on OF
+ depends on NVMEM
+ help
+ Allow block devices (or partitions) to act as NVMEM providers,
+ typically used with eMMC to store MAC addresses or Wi-Fi
+ calibration data on embedded devices.
+
source "block/partitions/Kconfig"
config BLK_PM
diff --git a/block/Makefile b/block/Makefile
index 7dce2e44276c4274c11a0a61121c83d9c43d6e0c..d7ac389e71902bc091a8800ea266190a43b3e63d 100644
--- a/block/Makefile
+++ b/block/Makefile
@@ -36,3 +36,4 @@ obj-$(CONFIG_BLK_INLINE_ENCRYPTION) += blk-crypto.o blk-crypto-profile.o \
blk-crypto-sysfs.o
obj-$(CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK) += blk-crypto-fallback.o
obj-$(CONFIG_BLOCK_HOLDER_DEPRECATED) += holder.o
+obj-$(CONFIG_BLK_NVMEM) += blk-nvmem.o
diff --git a/block/blk-nvmem.c b/block/blk-nvmem.c
new file mode 100644
index 0000000000000000000000000000000000000000..a6e62fa98675ee9bcb9c7035a611b5a573ab9091
--- /dev/null
+++ b/block/blk-nvmem.c
@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * block device NVMEM provider
+ *
+ * Copyright (c) 2024 Daniel Golle <daniel@makrotopia.org>
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+ *
+ * Useful on devices using a partition on an eMMC for MAC addresses or
+ * Wi-Fi calibration EEPROM data.
+ */
+
+#include <linux/file.h>
+#include <linux/nvmem-provider.h>
+#include <linux/nvmem-consumer.h>
+#include <linux/of.h>
+#include <linux/pagemap.h>
+#include <linux/property.h>
+
+#include "blk.h"
+
+static int blk_nvmem_reg_read(void *priv, unsigned int from,
+ void *val, size_t bytes)
+{
+ blk_mode_t mode = BLK_OPEN_READ | BLK_OPEN_RESTRICT_WRITES;
+ dev_t devt = (dev_t)(uintptr_t)priv;
+ size_t bytes_left = bytes;
+ loff_t pos = from;
+ int ret = 0;
+
+ struct file *bdev_file __free(fput) = bdev_file_open_by_dev(devt, mode, priv, NULL);
+ if (IS_ERR(bdev_file))
+ return PTR_ERR(bdev_file);
+
+ while (bytes_left) {
+ pgoff_t f_index = pos >> PAGE_SHIFT;
+ struct folio *folio;
+ size_t folio_off;
+ size_t to_read;
+
+ folio = read_mapping_folio(bdev_file->f_mapping, f_index, NULL);
+ if (IS_ERR(folio)) {
+ ret = PTR_ERR(folio);
+ break;
+ }
+
+ folio_off = offset_in_folio(folio, pos);
+ to_read = min(bytes_left, folio_size(folio) - folio_off);
+ memcpy_from_folio(val, folio, folio_off, to_read);
+ pos += to_read;
+ bytes_left -= to_read;
+ val += to_read;
+ folio_put(folio);
+ }
+
+ return ret;
+}
+
+static int blk_nvmem_register(struct device *dev)
+{
+ struct block_device *bdev = dev_to_bdev(dev);
+ struct nvmem_config config = {};
+
+ /* skip devices which do not have a device tree node */
+ if (!dev_of_node(dev))
+ return 0;
+
+ /* skip devices without an nvmem layout defined */
+ struct device_node *child __free(device_node) =
+ of_get_child_by_name(dev_of_node(dev), "nvmem-layout");
+ if (!child)
+ return 0;
+
+ /*
+ * skip block device too large to be represented as NVMEM devices,
+ * the NVMEM reg_read callback uses an unsigned int offset
+ */
+ if (bdev_nr_bytes(bdev) > UINT_MAX) {
+ dev_warn(dev, "block device too large to be an NVMEM provider\n");
+ return -ENODEV;
+ }
+
+ config.id = NVMEM_DEVID_NONE;
+ config.dev = dev;
+ config.name = dev_name(dev);
+ config.owner = THIS_MODULE;
+ config.priv = (void *)(uintptr_t)dev->devt;
+ config.reg_read = blk_nvmem_reg_read;
+ config.size = bdev_nr_bytes(bdev);
+ config.word_size = 1;
+ config.stride = 1;
+ config.read_only = true;
+ config.root_only = true;
+ config.ignore_wp = true;
+ config.of_node = to_of_node(dev->fwnode);
+
+ return PTR_ERR_OR_ZERO(devm_nvmem_register(dev, &config));
+}
+
+static struct class_interface blk_nvmem_bus_interface __refdata = {
+ .class = &block_class,
+ .add_dev = &blk_nvmem_register,
+};
+
+static int __init blk_nvmem_init(void)
+{
+ int ret;
+
+ ret = class_interface_register(&blk_nvmem_bus_interface);
+ if (ret)
+ return ret;
+
+ return 0;
+}
+device_initcall(blk_nvmem_init);
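Review bot: blk_nvmem_reg_read() calls bdev_file_open_by_dev() with BLK_OPEN_RESTRICT_WRITES and a holder on every read and returns any open failure straight to the NVMEM consumer, but nothing in the file says what is expected when the device is already open elsewhere, so a transient open error is indistinguishable from a missing address. A comment on the intended exclusivity, and on why the holder is the devt cast to a pointer, would help. The read loop also trusts `from` and `bytes` and relies on the NVMEM core to keep them inside config.size; an explicit check against the device size, or a comment stating that assumption, would make it visible. Minor: blk_nvmem_init() can be reduced to `return class_interface_register(&blk_nvmem_bus_interface);`.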
--
2.34.1
^ permalink raw reply related
* [PATCH v4 5/8] net: of_net: Add of_get_nvmem_eui48() helper for EUI-48 lookup
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain, Bartosz Golaszewski
In-Reply-To: <20260609-block-as-nvmem-v4-0-45712e6b22c6@oss.qualcomm.com>
Factor out the common NVMEM EUI-48 retrieval logic from
of_get_mac_address_nvmem() into a new of_get_nvmem_eui48() helper that
accepts the NVMEM cell name as a parameter. This allows other subsystems
(e.g. Bluetooth) to reuse the same lookup-validate-copy pattern with a
different cell name, without duplicating code.
of_get_mac_address_nvmem() is updated to call of_get_nvmem_eui48() with
"mac-address", preserving its existing behavior.
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
include/linux/of_net.h | 7 +++++++
net/core/of_net.c | 49 +++++++++++++++++++++++++++++++++++++------------
2 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/include/linux/of_net.h b/include/linux/of_net.h
index d88715a0b3a52f87af23d47791bea3baf5be5200..7854ba555d9a55f3d020a37fe00a27ae52e0e5dc 100644
--- a/include/linux/of_net.h
+++ b/include/linux/of_net.h
@@ -15,6 +15,7 @@ struct net_device;
extern int of_get_phy_mode(struct device_node *np, phy_interface_t *interface);
extern int of_get_mac_address(struct device_node *np, u8 *mac);
extern int of_get_mac_address_nvmem(struct device_node *np, u8 *mac);
+int of_get_nvmem_eui48(struct device_node *np, const char *cell_name, u8 *addr);
int of_get_ethdev_address(struct device_node *np, struct net_device *dev);
extern struct net_device *of_find_net_device_by_node(struct device_node *np);
#else
@@ -34,6 +35,12 @@ static inline int of_get_mac_address_nvmem(struct device_node *np, u8 *mac)
return -ENODEV;
}
+static inline int of_get_nvmem_eui48(struct device_node *np,
+ const char *cell_name, u8 *addr)
+{
+ return -ENODEV;
+}
+
static inline int of_get_ethdev_address(struct device_node *np, struct net_device *dev)
{
return -ENODEV;
diff --git a/net/core/of_net.c b/net/core/of_net.c
index 93ea425b9248a23f4f95a336e9cdbf0053248e32..75341c186123e949fbe21f1e51fce3ac74d4f56b 100644
--- a/net/core/of_net.c
+++ b/net/core/of_net.c
@@ -61,9 +61,7 @@ static int of_get_mac_addr(struct device_node *np, const char *name, u8 *addr)
int of_get_mac_address_nvmem(struct device_node *np, u8 *addr)
{
struct platform_device *pdev = of_find_device_by_node(np);
- struct nvmem_cell *cell;
- const void *mac;
- size_t len;
+ u8 mac[ETH_ALEN];
int ret;
/* Try lookup by device first, there might be a nvmem_cell_lookup
@@ -75,27 +73,54 @@ int of_get_mac_address_nvmem(struct device_node *np, u8 *addr)
return ret;
}
- cell = of_nvmem_cell_get(np, "mac-address");
+ ret = of_get_nvmem_eui48(np, "mac-address", mac);
+ if (ret)
+ return ret;
+
+ if (!is_valid_ether_addr(mac))
+ return -EINVAL;
+
+ ether_addr_copy(addr, mac);
+ return 0;
+}
+EXPORT_SYMBOL(of_get_mac_address_nvmem);
+
+/**
+ * of_get_nvmem_eui48 - Read a 6-byte EUI-48 address from a named NVMEM cell.
+ * @np: Device node to look up the NVMEM cell from.
+ * @cell_name: Name of the NVMEM cell (e.g. "mac-address", "local-bd-address").
+ * @addr: Output buffer for the 6-byte address.
+ *
+ * Reads the named NVMEM cell and validates that it contains a non-zero 6-byte
+ * address. Returns 0 on success, negative errno on failure.
+ */
+int of_get_nvmem_eui48(struct device_node *np, const char *cell_name, u8 *addr)
+{
+ struct nvmem_cell *cell;
+ const void *eui48;
+ size_t len;
+
+ cell = of_nvmem_cell_get(np, cell_name);
if (IS_ERR(cell))
return PTR_ERR(cell);
- mac = nvmem_cell_read(cell, &len);
+ eui48 = nvmem_cell_read(cell, &len);
nvmem_cell_put(cell);
- if (IS_ERR(mac))
- return PTR_ERR(mac);
+ if (IS_ERR(eui48))
+ return PTR_ERR(eui48);
- if (len != ETH_ALEN || !is_valid_ether_addr(mac)) {
- kfree(mac);
+ if (len != ETH_ALEN || !memchr_inv(eui48, 0, ETH_ALEN)) {
+ kfree(eui48);
return -EINVAL;
}
- memcpy(addr, mac, ETH_ALEN);
- kfree(mac);
+ memcpy(addr, eui48, ETH_ALEN);
+ kfree(eui48);
return 0;
}
-EXPORT_SYMBOL(of_get_mac_address_nvmem);
+EXPORT_SYMBOL_GPL(of_get_nvmem_eui48);
/**
* of_get_mac_address()
--
2.34.1
^ permalink raw reply related
* [PATCH v4 6/8] Bluetooth: hci_sync: Add NVMEM-backed BD address retrieval
From: Loic Poulain @ 2026-06-09 7:52 UTC (permalink / raw)
To: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
Russell King, Saravana Kannan
Cc: linux-mmc, devicetree, linux-kernel, linux-arm-msm, linux-block,
linux-wireless, ath10k, linux-bluetooth, netdev, daniel,
Loic Poulain, Bartosz Golaszewski
In-Reply-To: <20260609-block-as-nvmem-v4-0-45712e6b22c6@oss.qualcomm.com>
Some devices store the Bluetooth BD address in non-volatile
memory, which can be accessed through the NVMEM framework.
Similar to Ethernet or WiFi MAC addresses, add support for
reading the BD address from a 'local-bd-address' NVMEM cell.
As with the device-tree provided BD address, add a quirk to
indicate whether a device or platform should attempt to read
the address from NVMEM when no valid in-chip address is present.
Also add a quirk to indicate if the address is stored in
big-endian byte order.
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
---
include/net/bluetooth/hci.h | 18 ++++++++++++++++++
net/bluetooth/hci_sync.c | 39 ++++++++++++++++++++++++++++++++++++++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 572b1c620c5d653a1fe10b26c1b0ba33e8f4968f..7686466d1109253b0d75edeb5f6a99fb98ce4cc6 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -164,6 +164,24 @@ enum {
*/
HCI_QUIRK_BDADDR_PROPERTY_BROKEN,
+ /* When this quirk is set, the public Bluetooth address
+ * initially reported by HCI Read BD Address command
+ * is considered invalid. The public BD Address can be
+ * retrieved via a 'local-bd-address' NVMEM cell.
+ *
+ * This quirk can be set before hci_register_dev is called or
+ * during the hdev->setup vendor callback.
+ */
+ HCI_QUIRK_USE_BDADDR_NVMEM,
+
+ /* When this quirk is set, the Bluetooth Device Address provided by
+ * the 'local-bd-address' NVMEM is stored in big-endian order.
+ *
+ * This quirk can be set before hci_register_dev is called or
+ * during the hdev->setup vendor callback.
+ */
+ HCI_QUIRK_BDADDR_NVMEM_BE,
+
/* When this quirk is set, the duplicate filtering during
* scanning is based on Bluetooth devices addresses. To allow
* RSSI based updates, restart scanning if needed.
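Review bot: The comment for HCI_QUIRK_USE_BDADDR_NVMEM does not say how it interacts with HCI_QUIRK_USE_BDADDR_PROPERTY when a driver sets both. The hci_sync.c hunk in this patch tries the property first and reads NVMEM only if public_addr is still BDADDR_ANY, so the property wins; that precedence should be documented here. The HCI_QUIRK_BDADDR_NVMEM_BE comment should also state the byte order assumed when the quirk is not set.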
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index fd3aacdea512a37c22b9a2be90c89ddca4b4d99f..589ccdfa26c1281d6eb979370523fff0d7920302 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -7,6 +7,7 @@
*/
#include <linux/property.h>
+#include <linux/of_net.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
@@ -3588,6 +3589,37 @@ int hci_powered_update_sync(struct hci_dev *hdev)
return 0;
}
+/**
+ * hci_dev_get_bd_addr_from_nvmem - Get the Bluetooth Device Address
+ * (BD_ADDR) for a HCI device from
+ * an NVMEM cell.
+ * @hdev: The HCI device
+ *
+ * Search for 'local-bd-address' NVMEM cell in the device firmware node.
+ *
+ * All-zero BD addresses are rejected (unprovisioned).
+ */
+static int hci_dev_get_bd_addr_from_nvmem(struct hci_dev *hdev)
+{
+ struct device_node *np = dev_of_node(hdev->dev.parent);
+ u8 ba[sizeof(bdaddr_t)];
+ int err;
+
+ if (!np)
+ return -ENODEV;
+
+ err = of_get_nvmem_eui48(np, "local-bd-address", ba);
+ if (err)
+ return err;
+
+ if (hci_test_quirk(hdev, HCI_QUIRK_BDADDR_NVMEM_BE))
+ baswap(&hdev->public_addr, (bdaddr_t *)ba);
+ else
+ bacpy(&hdev->public_addr, (bdaddr_t *)ba);
+
+ return 0;
+}
+
/**
* hci_dev_get_bd_addr_from_property - Get the Bluetooth Device Address
* (BD_ADDR) for a HCI device from
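Review bot: hci_dev_get_bd_addr_from_nvmem() sizes its buffer as `u8 ba[sizeof(bdaddr_t)]` while of_get_nvmem_eui48() writes ETH_ALEN bytes into it, and the buffer is then cast to `bdaddr_t *`; the two sizes agree but nothing in the code ties them together. A BUILD_BUG_ON() on the two sizes, or declaring the local as a bdaddr_t and passing its byte array, would remove the cast and make the coupling explicit. The kernel-doc has no "Return:" section and does not mention that HCI_QUIRK_BDADDR_NVMEM_BE controls whether the bytes are swapped.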
@@ -5042,12 +5074,17 @@ static int hci_dev_setup_sync(struct hci_dev *hdev)
* its setup callback.
*/
invalid_bdaddr = hci_test_quirk(hdev, HCI_QUIRK_INVALID_BDADDR) ||
- hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_PROPERTY);
+ hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_PROPERTY) ||
+ hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_NVMEM);
if (!ret) {
if (hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_PROPERTY) &&
!bacmp(&hdev->public_addr, BDADDR_ANY))
hci_dev_get_bd_addr_from_property(hdev);
+ if (hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_NVMEM) &&
+ !bacmp(&hdev->public_addr, BDADDR_ANY))
+ hci_dev_get_bd_addr_from_nvmem(hdev);
+
if (invalid_bdaddr && bacmp(&hdev->public_addr, BDADDR_ANY) &&
hdev->set_bdaddr) {
ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
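Review bot: The return value of hci_dev_get_bd_addr_from_nvmem() is discarded in hci_dev_setup_sync(), so a missing cell, a read error and an unprovisioned (all-zero) cell all fail silently while HCI_QUIRK_USE_BDADDR_NVMEM has already marked the controller's own address as invalid. Logging the error at least at debug level would make provisioning problems diagnosable in the field. It would also help to note in the commit message that the NVMEM lookup only runs when the property lookup left public_addr at BDADDR_ANY.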
--
2.34.1
^ permalink raw reply related