* [bluez/bluez] 1fd31c: media: Add Mute property to MediaTransport1
From: Šimon Mikuda @ 2026-06-09 18:35 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108770
Home: https://github.com/bluez/bluez
Commit: 1fd31cca12a6e9a34e93ec3d1fc1814ffce2a0e4
https://github.com/bluez/bluez/commit/1fd31cca12a6e9a34e93ec3d1fc1814ffce2a0e4
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M doc/org.bluez.MediaTransport.rst
M profiles/audio/transport.c
M profiles/audio/vcp.c
M profiles/audio/vcp.h
M src/shared/vcp.c
M src/shared/vcp.h
Log Message:
-----------
media: Add Mute property to MediaTransport1
Boolean, optional, readwrite. Only present for LE Audio (BAP) unicast
transports backed by VCS. A2DP has no mute concept in AVRCP.
bt_vcp_set_mute() writes VCS Control Point Mute/Unmute for a client
session, or updates Volume State for a server session.
bt_vcp_get_mute() returns the cached value updated by Volume State
notifications.
Commit: c01f9bd015cbe527b9f30a6338fb393da034e782
https://github.com/bluez/bluez/commit/c01f9bd015cbe527b9f30a6338fb393da034e782
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M client/player.c
Log Message:
-----------
client/player: Add transport.mute command
Mirrors transport.volume. Accepts on/off, yes/no, 1/0.
Compare: https://github.com/bluez/bluez/compare/1fd31cca12a6%5E...c01f9bd015cb
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* [bluez/bluez] 45183e: shared/vcp: Fix duplicate VCS registration in bt_v...
From: Šimon Mikuda @ 2026-06-09 18:35 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108772
Home: https://github.com/bluez/bluez
Commit: 45183e49cd6de5e6ded958abce96a1889144d2fb
https://github.com/bluez/bluez/commit/45183e49cd6de5e6ded958abce96a1889144d2fb
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M src/shared/vcp.c
Log Message:
-----------
shared/vcp: Fix duplicate VCS registration in bt_vcp_add_db
bt_vcp_add_db() called vcp_db_new() unconditionally, registering a
second VCS instance when bt_vcp_new() (e.g. a remote client session)
had already created a vdb for the same gatt_db. Guard the db as
bt_tmap_add_db()/bt_gmap_add_db() do, since VCS permits only one
instance per device.
Fixes PTS test VCS/SR/SGGIT/SER/BV-01-C.
^ permalink raw reply
* [PATCH BlueZ v2 1/4] btio: Handle EOPNOTSUPP from accept() to prevent busy loop
From: Luiz Augusto von Dentz @ 2026-06-09 18:53 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
When accept() returns EOPNOTSUPP on an L2CAP SEQPACKET server socket
(e.g. AVCTP browsing channel, PSM 0x1b), the error is permanent and
retrying will never succeed. Previously, only EBADFD was treated as
fatal, causing server_cb to return TRUE for EOPNOTSUPP. Since the fd
remains readable, this creates an infinite busy loop that hangs
bluetoothd.
Treat EOPNOTSUPP the same as EBADFD by returning FALSE to remove the
GLib IO watch and stop the loop.
---
btio/btio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/btio/btio.c b/btio/btio.c
index 39d4411f790b..4c69d60350f8 100644
--- a/btio/btio.c
+++ b/btio/btio.c
@@ -274,7 +274,7 @@ static gboolean server_cb(GIOChannel *io, GIOCondition cond,
cli_sock = accept(srv_sock, NULL, NULL);
if (cli_sock < 0) {
- if (errno == EBADFD)
+ if (errno == EBADFD || errno == EOPNOTSUPP)
return FALSE;
return TRUE;
}
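Review bot: The `errno == EBADFD || errno == EOPNOTSUPP` branch in server_cb() returns FALSE without logging, so the listening socket's watch is dropped with no trace of why that server stopped accepting. Log the errno before `return FALSE;`. The unchanged `return TRUE;` below still retries on every other errno, so any other permanent accept() failure on a readable fd would spin the same way; consider listing the transient errors that should retry and treating the rest as fatal.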
--
2.54.0
^ permalink raw reply related
* [PATCH BlueZ v2 2/4] profile: Check if bearer is enabled on registration
From: Luiz Augusto von Dentz @ 2026-06-09 18:53 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <20260609185313.155105-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
btd_profile_register now verifies that the profile's bearer type is
compatible with btd_opts.mode before registering. If the required bearer
is not enabled (e.g. LE-only profile when mode is BR/EDR, or BR/EDR-only
profile when mode is LE), registration is rejected with -ENOTSUP.
---
src/profile.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/profile.c b/src/profile.c
index 65df0f7a0969..97fffe9b4d5c 100644
--- a/src/profile.c
+++ b/src/profile.c
@@ -36,6 +36,7 @@
#include "dbus-common.h"
#include "sdp-client.h"
#include "sdp-xml.h"
+#include "btd.h"
#include "adapter.h"
#include "device.h"
#include "profile.h"
@@ -802,6 +803,14 @@ struct btd_profile *btd_profile_find_remote_uuid(const char *uuid)
int btd_profile_register(struct btd_profile *profile)
{
+ if ((profile->bearer == BTD_PROFILE_BEARER_LE &&
+ btd_opts.mode == BT_MODE_BREDR) ||
+ (profile->bearer == BTD_PROFILE_BEARER_BREDR &&
+ btd_opts.mode == BT_MODE_LE)) {
+ DBG("Bearer not enabled");
+ return -ENOTSUP;
+ }
+
if (profile->experimental && !(g_dbus_get_flags() &
G_DBUS_FLAG_ENABLE_EXPERIMENTAL)) {
DBG("D-Bus experimental not enabled");
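Review bot: The new early return in btd_profile_register() logs only "Bearer not enabled", which identifies neither the rejected profile nor the configured mode, and it returns the same -ENOTSUP as the experimental check just below it. Since patch 3/4 makes plugin init fail on this return value, include the profile and btd_opts.mode in the DBG() so a disabled plugin can be traced back to the mode setting rather than to the experimental flag.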
--
2.54.0
^ permalink raw reply related
* [PATCH BlueZ v2 3/4] plugins: Check btd_profile_register return value
From: Luiz Augusto von Dentz @ 2026-06-09 18:53 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <20260609185313.155105-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Ensure all plugin init functions check the return value of
btd_profile_register. If registration fails (e.g. bearer not enabled),
the plugin init propagates the error instead of continuing with an
unregistered profile.
---
profiles/audio/a2dp.c | 14 ++++++++++++--
profiles/audio/avrcp.c | 13 +++++++++++--
profiles/audio/hfp-hf.c | 4 +---
profiles/audio/micp.c | 7 ++++++-
profiles/input/manager.c | 4 +---
profiles/network/manager.c | 5 ++++-
src/gatt-database.c | 4 +++-
7 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index c7e0fc75c09e..a5e002784c02 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -3798,9 +3798,19 @@ static struct btd_adapter_driver media_driver = {
static int a2dp_init(void)
{
+ int err;
+
btd_register_adapter_driver(&media_driver);
- btd_profile_register(&a2dp_source_profile);
- btd_profile_register(&a2dp_sink_profile);
+
+ err = btd_profile_register(&a2dp_source_profile);
+ if (err)
+ return err;
+
+ err = btd_profile_register(&a2dp_sink_profile);
+ if (err) {
+ btd_profile_unregister(&a2dp_source_profile);
+ return err;
+ }
return 0;
}
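Review bot: Both new error returns in a2dp_init() leave `media_driver` registered, because btd_register_adapter_driver(&media_driver) runs before either profile is registered and is never undone. The second error path already unwinds a2dp_source_profile; unwind the adapter driver the same way with btd_unregister_adapter_driver(&media_driver) on both paths, or register the driver only after both profiles have succeeded.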
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index b6823753fe68..f63acd47091a 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -4987,8 +4987,17 @@ static struct btd_profile avrcp_controller_profile = {
static int avrcp_init(void)
{
- btd_profile_register(&avrcp_controller_profile);
- btd_profile_register(&avrcp_target_profile);
+ int err;
+
+ err = btd_profile_register(&avrcp_controller_profile);
+ if (err)
+ return err;
+
+ err = btd_profile_register(&avrcp_target_profile);
+ if (err) {
+ btd_profile_unregister(&avrcp_controller_profile);
+ return err;
+ }
populate_default_features();
diff --git a/profiles/audio/hfp-hf.c b/profiles/audio/hfp-hf.c
index c91b16426898..8de2d7a62d68 100644
--- a/profiles/audio/hfp-hf.c
+++ b/profiles/audio/hfp-hf.c
@@ -507,9 +507,7 @@ static struct btd_profile hfp_hf_profile = {
static int hfp_init(void)
{
- btd_profile_register(&hfp_hf_profile);
-
- return 0;
+ return btd_profile_register(&hfp_hf_profile);
}
static void hfp_exit(void)
diff --git a/profiles/audio/micp.c b/profiles/audio/micp.c
index 475f32daf75c..3d39ef5e147f 100644
--- a/profiles/audio/micp.c
+++ b/profiles/audio/micp.c
@@ -318,12 +318,17 @@ static unsigned int micp_id;
static int micp_init(void)
{
+ int err;
+
if (!(g_dbus_get_flags() & G_DBUS_FLAG_ENABLE_EXPERIMENTAL)) {
DBG("D-Bus experimental not enabled");
return -ENOTSUP;
}
- btd_profile_register(&micp_profile);
+ err = btd_profile_register(&micp_profile);
+ if (err)
+ return err;
+
micp_id = bt_micp_register(micp_attached, micp_detached, NULL);
return 0;
diff --git a/profiles/input/manager.c b/profiles/input/manager.c
index 0fcd6728c2fc..1fd82d82f500 100644
--- a/profiles/input/manager.c
+++ b/profiles/input/manager.c
@@ -118,12 +118,10 @@ static int input_init(void)
}
- btd_profile_register(&input_profile);
-
if (config)
g_key_file_free(config);
- return 0;
+ return btd_profile_register(&input_profile);
}
static void input_exit(void)
diff --git a/profiles/network/manager.c b/profiles/network/manager.c
index 693547d45fbc..a5f28a99ebfd 100644
--- a/profiles/network/manager.c
+++ b/profiles/network/manager.c
@@ -180,7 +180,10 @@ static int network_init(void)
if (server_init(conf_security) < 0)
return -1;
- btd_profile_register(&panu_profile);
+ err = btd_profile_register(&panu_profile);
+ if (err)
+ return err;
+
btd_profile_register(&gn_profile);
btd_profile_register(&nap_profile);
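Review bot: `err` is assigned in network_init() but this hunk adds no declaration for it, so unless the function already declares `int err` outside the visible context this will not build. The `return err;` path also leaves whatever server_init(conf_security) set up in place, and the gn_profile and nap_profile registrations directly below are still unchecked, which is inconsistent with the stated goal of checking every btd_profile_register() call.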
diff --git a/src/gatt-database.c b/src/gatt-database.c
index 680a52952b16..30e25b6f41ca 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3624,7 +3624,9 @@ static void add_profile(void *data, void *user_data)
{
struct btd_adapter *adapter = user_data;
- btd_profile_register(data);
+ if (btd_profile_register(data))
+ return;
+
adapter_add_profile(adapter, data);
}
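Review bot: add_profile() now returns silently when btd_profile_register(data) fails, so a profile that was rejected never reaches adapter_add_profile() and nothing records that. Add a DBG() or warning with the error code in the failure branch so a missing GATT profile can be diagnosed.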
--
2.54.0
^ permalink raw reply related
* [PATCH BlueZ v2 4/4] bearer: Check btd_opts.mode on btd_bearer_new
From: Luiz Augusto von Dentz @ 2026-06-09 18:53 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <20260609185313.155105-1-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Only create the bearer interface if the corresponding transport is
enabled. Return NULL if BREDR bearer is requested in LE-only mode or
LE bearer in BREDR-only mode, so the D-Bus interface is never
registered for unsupported bearers.
---
src/bearer.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/bearer.c b/src/bearer.c
index 02267c711431..ac3a22030770 100644
--- a/src/bearer.c
+++ b/src/bearer.c
@@ -34,6 +34,7 @@
#include "log.h"
#include "error.h"
+#include "btd.h"
#include "adapter.h"
#include "device.h"
#include "profile.h"
@@ -278,6 +279,19 @@ struct btd_bearer *btd_bearer_new(struct btd_device *device, uint8_t type)
{
struct btd_bearer *bearer;
+ switch (btd_opts.mode) {
+ case BT_MODE_LE:
+ if (type == BDADDR_BREDR)
+ return NULL;
+ break;
+ case BT_MODE_BREDR:
+ if (type != BDADDR_BREDR)
+ return NULL;
+ break;
+ case BT_MODE_DUAL:
+ break;
+ }
+
bearer = new0(struct btd_bearer, 1);
bearer->device = device;
bearer->type = type;
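Review bot: btd_bearer_new() can now return NULL from the new `switch (btd_opts.mode)` before any allocation, which is a new failure mode for a function whose first statement used to be the new0() call. None of its callers are touched by this patch, so each one needs to be checked for a NULL test before the bearer is used or stored. The switch also has no `default:` case, so an unexpected mode value falls through and creates the bearer.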
--
2.54.0
^ permalink raw reply related
* RE: [Bug,221629] New: Bluetooth l2cap: ident leak in l2cap_chan_le_send_credits() stalls BLE CoC
From: bluez.test.bot @ 2026-06-09 19:04 UTC (permalink / raw)
To: linux-bluetooth, bugzilla-daemon
In-Reply-To: <bug-221629-62941@https.bugzilla.kernel.org/>
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
error: corrupt patch at line 21
hint: Use 'git am --show-current-patch' to see the failed patch
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: [BlueZ,1/2] media: Add Mute property to MediaTransport1
From: bluez.test.bot @ 2026-06-09 19:30 UTC (permalink / raw)
To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609181108.3787224-1-simon.mikuda@streamunlimited.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108770
---Test result---
Test Summary:
CheckPatch PASS 1.16 seconds
GitLint PASS 0.64 seconds
BuildEll PASS 20.17 seconds
BluezMake PASS 613.44 seconds
MakeCheck PASS 19.16 seconds
MakeDistcheck PASS 235.40 seconds
CheckValgrind PASS 276.40 seconds
CheckSmatch PASS 326.72 seconds
bluezmakeextell PASS 165.83 seconds
IncrementalBuild PASS 625.23 seconds
ScanBuild PASS 947.04 seconds
https://github.com/bluez/bluez/pull/2204
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: [BlueZ] shared/vcp: Fix duplicate VCS registration in bt_vcp_add_db
From: bluez.test.bot @ 2026-06-09 19:32 UTC (permalink / raw)
To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609181351.3787741-1-simon.mikuda@streamunlimited.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108772
---Test result---
Test Summary:
CheckPatch PASS 0.27 seconds
GitLint PASS 0.19 seconds
BuildEll PASS 20.02 seconds
BluezMake PASS 641.79 seconds
MakeCheck PASS 0.94 seconds
MakeDistcheck PASS 244.57 seconds
CheckValgrind PASS 220.97 seconds
CheckSmatch PASS 345.87 seconds
bluezmakeextell PASS 181.21 seconds
IncrementalBuild PASS 645.43 seconds
ScanBuild PASS 1023.19 seconds
https://github.com/bluez/bluez/pull/2205
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [PATCH v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: Luiz Augusto von Dentz @ 2026-06-09 19:32 UTC (permalink / raw)
To: linux-bluetooth
From: Marco Elver <elver@google.com>
l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
the connection is torn down while the timer is running or pending,
chan->conn can be freed, leading to a use-after-free when the timer
worker attempts to lock conn->lock:
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
|
| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
| Workqueue: events l2cap_chan_timeout
| Call Trace:
| <TASK>
| instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
| </TASK>
|
| Allocated by task 320:
| l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
| l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
| hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
| hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
| hci_event_func net/bluetooth/hci_event.c:7796 [inline]
| hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
| hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
| process_one_work kernel/workqueue.c:3326 [inline]
| process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
| worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
| kthread+0x346/0x430 kernel/kthread.c:436
| ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
| ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| Freed by task 322:
| hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
| hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
| hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
| hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
| hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
| vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
| __fput+0x369/0x890 fs/file_table.c:510
| task_work_run+0x160/0x1d0 kernel/task_work.c:233
| get_signal+0xf5b/0x1120 kernel/signal.c:2810
| arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
| __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
| exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
| do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
| entry_SYSCALL_64_after_hwframe+0x77/0x7f
|
| The buggy address belongs to the object at ffff8881298d9400
| which belongs to the cache kmalloc-512 of size 512
| The buggy address is located 336 bytes inside of
| freed 512-byte region [ffff8881298d9400, ffff8881298d9600)
Fix it by having chan->conn hold a reference to l2cap_conn (via
l2cap_conn_get) when the channel is added to the connection, and
releasing it in the channel destructor. This ensures the l2cap_conn
remains alive as long as the channel exists.
A new FLAG_DEL channel flag is introduced to indicate that the channel
has been deleted from its connection. l2cap_chan_del() atomically sets
this flag using test_and_set_bit() instead of setting chan->conn to
NULL. All asynchronous workers (l2cap_chan_timeout, l2cap_ack_timeout,
l2cap_monitor_timeout, l2cap_retrans_timeout) and l2cap_chan_send()
check FLAG_DEL to determine whether the channel has been torn down,
rather than testing chan->conn for NULL.
Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
Cc: <stable@vger.kernel.org>
Cc: Siwei Zhang <oss@fourdim.xyz>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Assisted-by: Gemini:gemini-3.1-pro-preview
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 34 ++++++++++++++++++++--------------
2 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 790935950a0c..1640cc9bf83a 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -745,6 +745,7 @@ enum {
FLAG_ECRED_CONN_REQ_SENT,
FLAG_PENDING_SECURITY,
FLAG_HOLD_HCI_CONN,
+ FLAG_DEL,
};
/* Lock nesting levels for L2CAP channels. We need these because lockdep
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 863fc4b8a55e..a97d492473e2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -408,7 +408,7 @@ static void l2cap_chan_timeout(struct work_struct *work)
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
- if (!conn) {
+ if (test_bit(FLAG_DEL, &chan->flags)) {
l2cap_chan_put(chan);
return;
}
@@ -419,6 +419,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
*/
l2cap_chan_lock(chan);
+ if (test_bit(FLAG_DEL, &chan->flags))
+ goto unlock;
+
if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
reason = ECONNREFUSED;
else if (chan->state == BT_CONNECT &&
@@ -431,10 +434,10 @@ static void l2cap_chan_timeout(struct work_struct *work)
chan->ops->close(chan);
+unlock:
l2cap_chan_unlock(chan);
- l2cap_chan_put(chan);
-
mutex_unlock(&conn->lock);
+ l2cap_chan_put(chan);
}
struct l2cap_chan *l2cap_chan_create(void)
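Review bot: Moving `l2cap_chan_put(chan);` below `mutex_unlock(&conn->lock);` at the end of l2cap_chan_timeout() is load-bearing and should carry a comment. With the channel now owning a reference on the connection, dropping the last channel reference can release the conn through l2cap_chan_destroy(), so the put has to come after the final use of conn->lock. Without a comment a later cleanup could reorder these two lines and reintroduce the use-after-free.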
@@ -487,6 +490,9 @@ static void l2cap_chan_destroy(struct kref *kref)
list_del(&chan->global_l);
write_unlock(&chan_list_lock);
+ if (chan->conn)
+ l2cap_conn_put(chan->conn);
+
kfree(chan);
}
@@ -590,7 +596,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
- chan->conn = conn;
+ chan->conn = l2cap_conn_get(conn);
switch (chan->chan_type) {
case L2CAP_CHAN_CONN_ORIENTED:
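Review bot: `chan->conn = l2cap_conn_get(conn);` in __l2cap_chan_add() overwrites chan->conn without checking for an existing value, and nothing in this patch ever clears FLAG_DEL. If a channel can be added again after l2cap_chan_del(), the previous connection reference is leaked and the channel stays marked as deleted, so every worker would bail out on it. Either document that a channel is added to a connection at most once, or put the old conn and clear FLAG_DEL here.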
@@ -645,30 +651,26 @@ void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
void l2cap_chan_del(struct l2cap_chan *chan, int err)
{
- struct l2cap_conn *conn = chan->conn;
-
__clear_chan_timer(chan);
- BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
+ BT_DBG("chan %p, err %d, state %s", chan, err,
state_to_string(chan->state));
chan->ops->teardown(chan, err);
- if (conn) {
+ if (!test_and_set_bit(FLAG_DEL, &chan->flags)) {
/* Delete from channel list */
list_del(&chan->list);
l2cap_chan_put(chan);
- chan->conn = NULL;
-
/* Reference was only held for non-fixed channels or
* fixed channels that explicitly requested it using the
* FLAG_HOLD_HCI_CONN flag.
*/
if (chan->chan_type != L2CAP_CHAN_FIXED ||
test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
- hci_conn_drop(conn->hcon);
+ hci_conn_drop(chan->conn->hcon);
}
if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
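Review bot: In l2cap_chan_del() the old `if (conn)` guard also protected a channel that was never added to a connection; the new `if (!test_and_set_bit(FLAG_DEL, &chan->flags))` is true for such a channel, so `list_del(&chan->list)` runs on an unlinked entry and `hci_conn_drop(chan->conn->hcon)` dereferences a NULL chan->conn. If l2cap_chan_del() can be reached before __l2cap_chan_add(), keep a `chan->conn` test inside the branch or set FLAG_DEL at creation and clear it on add.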
@@ -1900,7 +1902,7 @@ static void l2cap_monitor_timeout(struct work_struct *work)
l2cap_chan_lock(chan);
- if (!chan->conn) {
+ if (test_bit(FLAG_DEL, &chan->flags)) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
@@ -1921,7 +1923,7 @@ static void l2cap_retrans_timeout(struct work_struct *work)
l2cap_chan_lock(chan);
- if (!chan->conn) {
+ if (test_bit(FLAG_DEL, &chan->flags)) {
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
return;
@@ -2562,7 +2564,7 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
int err;
struct sk_buff_head seg_queue;
- if (!chan->conn)
+ if (test_bit(FLAG_DEL, &chan->flags))
return -ENOTCONN;
/* Connectionless channel */
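Review bot: The removed `if (!chan->conn)` test at the top of l2cap_chan_send() returned -ENOTCONN for a channel with no connection at all, while FLAG_DEL is only set by l2cap_chan_del(). A send on a channel that has not been attached yet now passes this check with chan->conn still NULL. Test both conditions here unless that state is impossible on this path, and say so in a comment if it is.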
@@ -3157,12 +3159,16 @@ static void l2cap_ack_timeout(struct work_struct *work)
l2cap_chan_lock(chan);
+ if (test_bit(FLAG_DEL, &chan->flags))
+ goto unlock;
+
frames_to_ack = __seq_offset(chan, chan->buffer_seq,
chan->last_acked_seq);
if (frames_to_ack)
l2cap_send_rr_or_rnr(chan, 0);
+unlock:
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
--
2.54.0
^ permalink raw reply related
* RE: [BlueZ,v1,1/4] btio: Handle EOPNOTSUPP from accept() to prevent busy loop
From: bluez.test.bot @ 2026-06-09 19:35 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260609165057.90837-1-luiz.dentz@gmail.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108736
---Test result---
Test Summary:
CheckPatch FAIL 1.15 seconds
GitLint PASS 0.80 seconds
BuildEll PASS 20.44 seconds
BluezMake PASS 680.07 seconds
MakeCheck PASS 18.48 seconds
MakeDistcheck PASS 247.78 seconds
CheckValgrind PASS 292.15 seconds
CheckSmatch PASS 353.17 seconds
bluezmakeextell PASS 182.48 seconds
IncrementalBuild PASS 692.42 seconds
ScanBuild PASS 1037.61 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v1,4/4] bearer: Check btd_opts.mode on btd_bearer_new
WARNING:LONG_LINE: line length of 81 exceeds 80 columns
#126: FILE: src/bearer.c:283:
+ (type != BDADDR_BREDR && btd_opts.mode == BT_MODE_BREDR))
/github/workspace/src/patch/14620165.patch total: 0 errors, 1 warnings, 17 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14620165.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluez/pull/2203
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [bluez/bluez] 5e8164: btio: Handle EOPNOTSUPP from accept() to prevent b...
From: Luiz Augusto von Dentz @ 2026-06-09 20:32 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108786
Home: https://github.com/bluez/bluez
Commit: 5e81648c163877e2f5091576203557e95601251e
https://github.com/bluez/bluez/commit/5e81648c163877e2f5091576203557e95601251e
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M btio/btio.c
Log Message:
-----------
btio: Handle EOPNOTSUPP from accept() to prevent busy loop
When accept() returns EOPNOTSUPP on an L2CAP SEQPACKET server socket
(e.g. AVCTP browsing channel, PSM 0x1b), the error is permanent and
retrying will never succeed. Previously, only EBADFD was treated as
fatal, causing server_cb to return TRUE for EOPNOTSUPP. Since the fd
remains readable, this creates an infinite busy loop that hangs
bluetoothd.
Treat EOPNOTSUPP the same as EBADFD by returning FALSE to remove the
GLib IO watch and stop the loop.
Commit: 70fa42fd8f621ce76b4a0128aad37d624b7e4779
https://github.com/bluez/bluez/commit/70fa42fd8f621ce76b4a0128aad37d624b7e4779
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M src/profile.c
Log Message:
-----------
profile: Check if bearer is enabled on registration
btd_profile_register now verifies that the profile's bearer type is
compatible with btd_opts.mode before registering. If the required bearer
is not enabled (e.g. LE-only profile when mode is BR/EDR, or BR/EDR-only
profile when mode is LE), registration is rejected with -ENOTSUP.
Commit: 672cde593161db95582039c27e94a63431e7706d
https://github.com/bluez/bluez/commit/672cde593161db95582039c27e94a63431e7706d
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M profiles/audio/a2dp.c
M profiles/audio/avrcp.c
M profiles/audio/hfp-hf.c
M profiles/audio/micp.c
M profiles/input/manager.c
M profiles/network/manager.c
M src/gatt-database.c
Log Message:
-----------
plugins: Check btd_profile_register return value
Ensure all plugin init functions check the return value of
btd_profile_register. If registration fails (e.g. bearer not enabled),
the plugin init propagates the error instead of continuing with an
unregistered profile.
Commit: 3cc2dd3fe2be5ebc3f7a8ff2e3bb7f7bbab05b88
https://github.com/bluez/bluez/commit/3cc2dd3fe2be5ebc3f7a8ff2e3bb7f7bbab05b88
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M src/bearer.c
Log Message:
-----------
bearer: Check btd_opts.mode on btd_bearer_new
Only create the bearer interface if the corresponding transport is
enabled. Return NULL if BREDR bearer is requested in LE-only mode or
LE bearer in BREDR-only mode, so the D-Bus interface is never
registered for unsupported bearers.
Compare: https://github.com/bluez/bluez/compare/5e81648c1638%5E...3cc2dd3fe2be
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-09 20:32 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108736
Home: https://github.com/bluez/bluez
^ permalink raw reply
* [PATCH BlueZ] shared/bap: Report invalid-length ASE CP write via notification
From: Simon Mikuda @ 2026-06-09 21:11 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Simon Mikuda
A zero-length write to the ASE Control Point returned an ATT error, but
ASCS requires the write to succeed at ATT level and the failure to be
carried by a CP notification. Build a response with the truncated error
code and return success instead.
Fixes PTS tests ASCS/SR/SPE/BI-01-C and BI-02-C
---
src/shared/bap.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..212d489ff 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3762,9 +3762,9 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
if (!len) {
DBG(bap, "invalid len %u < %u sizeof(*hdr)", len,
sizeof(*hdr));
- gatt_db_attribute_write_result(attrib, id,
- BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN);
- return;
+ rsp = ascs_ase_cp_rsp_new(len > 0 ? value[0] : 0x00);
+ ret = BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+ goto respond;
}
if (len < sizeof(*hdr)) {
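Review bot: Inside the `if (!len)` branch the expression `len > 0 ? value[0] : 0x00` can only ever evaluate to 0x00, so the conditional is dead code and suggests an opcode is being echoed when none exists. Pass 0x00 directly to ascs_ase_cp_rsp_new(). The DBG() text "invalid len %u < %u sizeof(*hdr)" is kept unchanged and is now the only record of the rejected write at this point.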
@@ -3829,8 +3829,10 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
}
respond:
- if (ret == BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN)
+ if (ret == BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN) {
ascs_ase_rsp_add_errno(rsp, 0x00, -ENOMSG);
+ ret = 0;
+ }
gatt_db_attribute_notify(attrib, rsp->iov_base, rsp->iov_len, att);
gatt_db_attribute_write_result(attrib, id, ret);
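Review bot: The `ret = 0;` added under `respond:` applies to every path that arrives with BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN, not only the zero-length case the commit message describes; the `len < sizeof(*hdr)` check right after the first hunk is one candidate. If all of those paths are meant to succeed at ATT level, say so in the commit message; otherwise limit the reset to the zero-length case. The message also speaks of a "truncated error code" while the code adds -ENOMSG through ascs_ase_rsp_add_errno(); a short comment tying the two together would help.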
--
2.43.0
^ permalink raw reply related
* [PATCH BlueZ] shared/bap: Don't link ucast streams before CIS IDs are assigned
From: Simon Mikuda @ 2026-06-09 21:11 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Simon Mikuda
bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
are unset in Codec Configured state, so a Sink and Source bound for
different CISes get linked. The stray link later propagates a
disconnect to the wrong ASE and breaks Receiver Start Ready.
Skip linking until QoS Configured assigns the IDs.
Fixes PTS test BAP/USR/STR/BV-362-C
---
src/shared/bap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..98537de60 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2679,6 +2679,12 @@ static int bap_ucast_io_link(struct bt_bap_stream *stream,
stream->ep->dir == link->ep->dir)
return -EINVAL;
+ /* Don't link until QoS Configured assigns the CIS IDs; while unset
+ * the check above would pair unrelated streams.
+ */
+ if (!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id)
+ return -EINVAL;
+
if (stream->client && !(stream->locked && link->locked))
return -EINVAL;
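Review bot: The new test `!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id` in bap_ucast_io_link() treats 0 as "not assigned", which is only correct if 0 can never be a legitimate CIS ID and if unassigned IDs are actually stored as 0. Compare against the sentinel the rest of the code uses for an unset CIS ID instead of relying on zero. The comment refers to the CIG/CIS match, but only cis_id is tested; state whether cig_id needs the same guard.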
--
2.43.0
^ permalink raw reply related
* [PATCH BlueZ] shared/bap: Transition ASE to QoS Configured on CIS loss
From: Simon Mikuda @ 2026-06-09 21:11 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Simon Mikuda
stream_io_disconnected() only handled the Releasing state, leaving
Enabling, Streaming and Disabling ASEs stuck when the CIS was lost
unexpectedly. The ASE shall autonomously move to QoS Configured on loss
of the CIS and notify the peer; add that transition.
Fixes PTS test BAP/USR/SCC/BV-167-C
---
src/shared/bap.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..350ed53d9 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -6779,6 +6779,14 @@ static bool stream_io_disconnected(struct io *io, void *user_data)
if (stream->ep->state == BT_ASCS_ASE_STATE_RELEASING)
stream_set_state(stream, BT_BAP_STREAM_STATE_CONFIG);
+ /* On loss of the CIS the ASE shall autonomously transition to QoS
+ * Configured and notify the peer.
+ */
+ if (stream->ep->state == BT_ASCS_ASE_STATE_STREAMING ||
+ stream->ep->state == BT_ASCS_ASE_STATE_ENABLING ||
+ stream->ep->state == BT_ASCS_ASE_STATE_DISABLING)
+ stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
+
bt_bap_stream_set_io(stream, -1);
return false;
}
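Review bot: The added `if` in stream_io_disconnected() re-reads stream->ep->state after the RELEASING branch above may already have called stream_set_state(), so the two blocks are not mutually exclusive by construction. Sample the state once and use `else if` or a switch so exactly one transition runs. The transition to BT_BAP_STREAM_STATE_QOS is also issued before bt_bap_stream_set_io(stream, -1), so state callbacks run while the old IO is still attached; confirm that ordering is intended.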
--
2.43.0
^ permalink raw reply related
* [PATCH BlueZ] transport: Complete Acquire for Sink ASE entering Enabling
From: Simon Mikuda @ 2026-06-09 21:11 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Simon Mikuda
On the QoS to Enabling transition the IO is not yet available because
the CIS is not established, so the handler returns early and a pending
Acquire is left unanswered once the IO later arrives.
Notify the connecting callbacks once the fd is attached so the
transport can re-run the Enabling handling and complete the Acquire.
---
profiles/audio/transport.c | 7 +++++++
src/shared/bap.c | 28 +++++++++++++++++++---------
2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 4b9d26c5e..22a755064 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -2397,6 +2397,13 @@ static void bap_connecting(struct bt_bap_stream *stream, bool state, int fd,
return;
bap_update_links(transport);
+
+ /* IO connected; re-run Enabling to complete a deferred Acquire. */
+ if (!state && fd >= 0 && bt_bap_stream_get_state(stream) ==
+ BT_BAP_STREAM_STATE_ENABLING)
+ bap_state_changed(stream, BT_BAP_STREAM_STATE_ENABLING,
+ BT_BAP_STREAM_STATE_ENABLING,
+ user_data);
}
static bool transport_bap_is_playback(struct media_transport *transport)
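Review bot: The condition `!state && fd >= 0` gives the connecting callback a third meaning ("IO attached") that cannot be told apart from the existing case where bap_stream_io_connecting() reports `stream->io ? true : false` as false together with a non-negative fd, so a failed attach would also re-run the Enabling handler. Calling bap_state_changed() with old and new state both ENABLING also fakes a transition; factoring the Acquire-completion step into a helper called from both places, or adding a dedicated "connected" callback, would be cleaner.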
diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..09f671a15 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3006,6 +3006,20 @@ static bool bap_stream_io_attach(struct bt_bap_stream *stream, int fd,
return true;
}
+static void bap_stream_notify_connecting(struct bt_bap_stream *stream,
+ bool connecting, int fd)
+{
+ const struct queue_entry *entry;
+
+ for (entry = queue_get_entries(stream->bap->state_cbs); entry;
+ entry = entry->next) {
+ struct bt_bap_state *state = entry->data;
+
+ if (state->connecting)
+ state->connecting(stream, connecting, fd, state->data);
+ }
+}
+
static void bap_stream_set_io(void *data, void *user_data)
{
struct bt_bap_stream *stream = data;
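Review bot: bap_stream_notify_connecting() walks `stream->bap->state_cbs` with `entry = entry->next` after invoking each callback, and with this patch a callback now re-enters state handling in transport.c; if any callback unregisters a state entry during the walk, the loop dereferences a removed entry. Either document that callbacks must not unregister from within `connecting`, or iterate with queue_foreach(). A short comment on what `connecting == false` with a valid fd means would also help callers.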
@@ -3042,6 +3056,10 @@ static void bap_stream_set_io(void *data, void *user_data)
bt_bap_stream_stop(stream, NULL, NULL);
break;
}
+
+ /* Notify IO connected so transports can complete pending requests. */
+ if (fd >= 0)
+ bap_stream_notify_connecting(stream, false, fd);
}
static void ascs_ase_rsp_add_errno(struct iovec *iov, uint8_t id, int err)
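Review bot: The notification is sent for any `fd >= 0`, after the switch that may already have called `bt_bap_stream_stop()` and without checking that `stream->io` is actually set, so transports can be told the IO is connected for a stream that is being stopped or has no IO. Gate it on `stream->io` (and on the stream being in a state where a pending request can exist) rather than on the fd alone.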
@@ -7028,7 +7046,6 @@ static void bap_stream_io_connecting(void *data, void *user_data)
{
struct bt_bap_stream *stream = data;
int fd = PTR_TO_INT(user_data);
- const struct queue_entry *entry;
if (!stream)
return;
@@ -7038,14 +7055,7 @@ static void bap_stream_io_connecting(void *data, void *user_data)
else
bap_stream_io_detach(stream);
- for (entry = queue_get_entries(stream->bap->state_cbs); entry;
- entry = entry->next) {
- struct bt_bap_state *state = entry->data;
-
- if (state->connecting)
- state->connecting(stream, stream->io ? true : false,
- fd, state->data);
- }
+ bap_stream_notify_connecting(stream, stream->io ? true : false, fd);
}
int bt_bap_stream_io_connecting(struct bt_bap_stream *stream, int fd)
--
2.43.0
* [PATCH BlueZ] avrcp: Abort continuing response on fragmented CT replies
From: Simon Mikuda @ 2026-06-09 21:26 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Simon Mikuda
Send AbortContinuingResponse when a Get Element Attributes reply
arrives fragmented, as the CT side does not reassemble fragments.
Fixes PTS test AVRCP/CT/RCR/BV-03-C
---
profiles/audio/avrcp.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index b6823753f..56564dcab 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2473,6 +2473,24 @@ static void avrcp_parse_attribute_list(struct avrcp_player *player,
}
}
+static void avrcp_abort_continuing(struct avrcp *session, uint8_t pdu_id)
+{
+ uint8_t buf[AVRCP_HEADER_LENGTH + 1];
+ struct avrcp_header *pdu = (void *) buf;
+
+ memset(buf, 0, sizeof(buf));
+
+ set_company_id(pdu->company_id, IEEEID_BTSIG);
+ pdu->pdu_id = AVRCP_ABORT_CONTINUING;
+ pdu->packet_type = AVRCP_PACKET_TYPE_SINGLE;
+ pdu->params_len = cpu_to_be16(1);
+ pdu->params[0] = pdu_id;
+
+ avctp_send_vendordep_req(session->conn, AVC_CTYPE_CONTROL,
+ AVC_SUBUNIT_PANEL, buf, sizeof(buf),
+ NULL, session);
+}
+
static gboolean avrcp_get_element_attributes_rsp(struct avctp *conn,
uint8_t code, uint8_t subunit,
uint8_t transaction,
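Review bot: avrcp_abort_continuing() discards the return value of avctp_send_vendordep_req() and registers no response callback (`NULL, session`), so a failed or rejected AbortContinuingResponse goes unnoticed and the `session` argument is never used. Log a failure at least, and pass NULL as user data when there is no callback.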
@@ -2490,6 +2508,13 @@ static gboolean avrcp_get_element_attributes_rsp(struct avctp *conn,
if (code == AVC_CTYPE_REJECTED)
return FALSE;
+ /* Abort fragmented responses as reassembly is not supported */
+ if (pdu->packet_type == AVRCP_PACKET_TYPE_START ||
+ pdu->packet_type == AVRCP_PACKET_TYPE_CONTINUING) {
+ avrcp_abort_continuing(session, AVRCP_GET_ELEMENT_ATTRIBUTES);
+ return FALSE;
+ }
+
count = pdu->params[0];
if (be16_to_cpu(pdu->params_len) - 1 < count * 8) {
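Review bot: The fragmentation check drops the response silently: returning FALSE on START or CONTINUING discards the attributes carried in that fragment and leaves no trace in the log, so missing metadata will be hard to diagnose. Add a debug message naming the PDU and packet type before aborting, and state in the comment whether AVRCP_PACKET_TYPE_END is intentionally left unhandled here.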
--
2.43.0
* RE: [v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: bluez.test.bot @ 2026-06-09 21:29 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260609193222.192456-1-luiz.dentz@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3454 bytes --]
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108797
---Test result---
Test Summary:
CheckPatch FAIL 0.71 seconds
VerifyFixes PASS 0.58 seconds
VerifySignedoff PASS 0.09 seconds
GitLint FAIL 0.22 seconds
SubjectPrefix PASS 0.08 seconds
BuildKernel PASS 19.66 seconds
CheckAllWarning PASS 22.22 seconds
CheckSparse PASS 22.50 seconds
BuildKernel32 PASS 20.00 seconds
TestRunnerSetup PASS 420.55 seconds
TestRunner_l2cap-tester PASS 50.22 seconds
IncrementalBuild PASS 18.98 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#103:
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
ERROR: Unrecognized email address: 'https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz'
#181:
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#181:
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
total: 1 errors, 2 warnings, 0 checks, 126 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14620630.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
10: B1 Line exceeds max length (107>80): "| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]"
11: B1 Line exceeds max length (125>80): "| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"
12: B1 Line exceeds max length (93>80): "| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]"
13: B1 Line exceeds max length (84>80): "| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318"
16: B1 Line exceeds max length (100>80): "| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)"
17: B1 Line exceeds max length (95>80): "| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014"
22: B1 Line exceeds max length (91>80): "| atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"
https://github.com/bluez/bluetooth-next/pull/300
---
Regards,
Linux Bluetooth
* [PATCH BlueZ] avdtp: Return correct error when SEP is inuse
From: Simon Mikuda @ 2026-06-09 21:30 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Simon Mikuda
This fixes AVDTP/SNK/ACP/SIG/SMG/BI-08-C
---
profiles/audio/avdtp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 6be6e99b4..56d27b973 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1556,6 +1556,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
goto failed;
}
+ /* check if SEID is in use */
+ if (find_stream_by_lsep(session, sep)) {
+ err = AVDTP_SEP_IN_USE;
+ goto failed;
+ }
+
switch (sep->info.type) {
case AVDTP_SEP_TYPE_SOURCE:
service = btd_device_get_service(session->device,
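Review bot: find_stream_by_lsep(session, sep) only looks at streams of the current `session`, so a local SEP already configured by a stream on another session would still pass this check; if SEPs can be shared across sessions, the in-use test needs to look at the SEP itself. The comment also says "SEID" while the lookup is by local SEP, and the commit message gives only the PTS test name, so a sentence on why the earlier checks did not catch this case would help.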
--
2.43.0
* RE: [BlueZ,v2,1/4] btio: Handle EOPNOTSUPP from accept() to prevent busy loop
From: bluez.test.bot @ 2026-06-09 21:31 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260609185313.155105-1-luiz.dentz@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1437 bytes --]
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108786
---Test result---
Test Summary:
CheckPatch PASS 1.22 seconds
GitLint PASS 0.78 seconds
BuildEll PASS 20.04 seconds
BluezMake PASS 656.72 seconds
MakeCheck PASS 18.90 seconds
MakeDistcheck PASS 249.96 seconds
CheckValgrind PASS 295.94 seconds
CheckSmatch PASS 350.89 seconds
bluezmakeextell PASS 181.16 seconds
IncrementalBuild PASS 673.06 seconds
ScanBuild WARNING 1036.74 seconds
Details
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
1 warning generated.
tools/btgatt-client.c:1822:2: warning: Value stored to 'argv' is never read
tools/check-selftest.c:42:3: warning: Value stored to 'ptr' is never read
argv += optind;
ptr = fgets(result, sizeof(result), fp);
^ ~~~~~~
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
https://github.com/bluez/bluez/pull/2206
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ] shared/bap: Don't link ucast streams before CIS IDs are assigned
From: Pauli Virtanen @ 2026-06-09 22:03 UTC (permalink / raw)
To: Simon Mikuda, linux-bluetooth
In-Reply-To: <20260609211111.3887657-1-simon.mikuda@streamunlimited.com>
On Tue, 2026-06-09 at 23:11 +0200, Simon Mikuda wrote:
> bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
> are unset in Codec Configured state, so a Sink and Source bound for
> different CISes get linked. The stray link later propagates a
> disconnect to the wrong ASE and breaks Receiver Start Ready.
>
> Skip linking until QoS Configured assigns the IDs.
>
> Fixes PTS test BAP/USR/STR/BV-362-C
> ---
> src/shared/bap.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/src/shared/bap.c b/src/shared/bap.c
> index deb85b264..98537de60 100644
> --- a/src/shared/bap.c
> +++ b/src/shared/bap.c
> @@ -2679,6 +2679,12 @@ static int bap_ucast_io_link(struct bt_bap_stream *stream,
> stream->ep->dir == link->ep->dir)
> return -EINVAL;
>
> + /* Don't link until QoS Configured assigns the CIS IDs; while unset
> + * the check above would pair unrelated streams.
> + */
> + if (!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id)
> + return -EINVAL;
Zero is valid CIS ID?
> +
> if (stream->client && !(stream->locked && link->locked))
> return -EINVAL;
>
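Review bot: Returning -EINVAL while the IDs are unset makes "not ready yet" indistinguishable from a real mismatch, and nothing in this hunk shows linking being retried once QoS Configured assigns the IDs. Please confirm, and mention in the commit message, which path calls bap_ucast_io_link() again after the QoS Configured transition; otherwise streams skipped here stay unlinked.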
--
Pauli Virtanen
* [bluez/bluez] cedc4d: shared/bap: Report invalid-length ASE CP write via...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108823
Home: https://github.com/bluez/bluez
Commit: cedc4dee229747e0dbae75c6bc017e0e72aeaae3
https://github.com/bluez/bluez/commit/cedc4dee229747e0dbae75c6bc017e0e72aeaae3
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M src/shared/bap.c
Log Message:
-----------
shared/bap: Report invalid-length ASE CP write via notification
A zero-length write to the ASE Control Point returned an ATT error, but
ASCS requires the write to succeed at ATT level and the failure to be
carried by a CP notification. Build a response with the truncated error
code and return success instead.
Fixes PTS tests ASCS/SR/SPE/BI-01-C and BI-02-C
* [bluez/bluez] b854c4: shared/bap: Don't link ucast streams before CIS ID...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108824
Home: https://github.com/bluez/bluez
Commit: b854c4a729f3c8c36f8f90f18e957430bf8acc5c
https://github.com/bluez/bluez/commit/b854c4a729f3c8c36f8f90f18e957430bf8acc5c
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M src/shared/bap.c
Log Message:
-----------
shared/bap: Don't link ucast streams before CIS IDs are assigned
bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
are unset in Codec Configured state, so a Sink and Source bound for
different CISes get linked. The stray link later propagates a
disconnect to the wrong ASE and breaks Receiver Start Ready.
Skip linking until QoS Configured assigns the IDs.
Fixes PTS test BAP/USR/STR/BV-362-C
* [bluez/bluez] 0aee36: shared/bap: Transition ASE to QoS Configured on CI...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1108825
Home: https://github.com/bluez/bluez
Commit: 0aee365bc6f29c2b2625b8ec057de32f1bbe2420
https://github.com/bluez/bluez/commit/0aee365bc6f29c2b2625b8ec057de32f1bbe2420
Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M src/shared/bap.c
Log Message:
-----------
shared/bap: Transition ASE to QoS Configured on CIS loss
stream_io_disconnected() only handled the Releasing state, leaving
Enabling, Streaming and Disabling ASEs stuck when the CIS was lost
unexpectedly. The ASE shall autonomously move to QoS Configured on loss
of the CIS and notify the peer; add that transition.
Fixes PTS test BAP/USR/SCC/BV-167-C