Linux bluetooth development
* RE: [BlueZ] avdtp: Return correct error when SEP is in use
From: bluez.test.bot @ 2026-06-09 23:06 UTC
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609213013.3900808-1-simon.mikuda@streamunlimited.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108834

---Test result---

Test Summary:
CheckPatch                    PASS      0.28 seconds
GitLint                       PASS      0.20 seconds
BuildEll                      PASS      20.53 seconds
BluezMake                     PASS      669.66 seconds
MakeCheck                     PASS      2.95 seconds
MakeDistcheck                 PASS      247.75 seconds
CheckValgrind                 PASS      228.75 seconds
CheckSmatch                   PASS      352.15 seconds
bluezmakeextell               PASS      184.12 seconds
IncrementalBuild              PASS      662.09 seconds
ScanBuild                     PASS      1053.81 seconds



https://github.com/bluez/bluez/pull/2212

---
Regards,
Linux Bluetooth

* RE: [BlueZ] transport: Complete Acquire for Sink ASE entering Enabling
From: bluez.test.bot @ 2026-06-09 23:04 UTC
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609211130.3887817-1-simon.mikuda@streamunlimited.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108826

---Test result---

Test Summary:
CheckPatch                    PASS      0.38 seconds
GitLint                       PASS      0.25 seconds
BuildEll                      PASS      18.46 seconds
BluezMake                     PASS      675.35 seconds
MakeCheck                     PASS      15.28 seconds
MakeDistcheck                 PASS      227.96 seconds
CheckValgrind                 PASS      260.62 seconds
CheckSmatch                   WARNING   315.70 seconds
bluezmakeextell               PASS      170.28 seconds
IncrementalBuild              PASS      665.24 seconds
ScanBuild                     PASS      938.94 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures


https://github.com/bluez/bluez/pull/2210

---
Regards,
Linux Bluetooth

* RE: [BlueZ] shared/bap: Report invalid-length ASE CP write via notification
From: bluez.test.bot @ 2026-06-09 23:02 UTC
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609211104.3887577-1-simon.mikuda@streamunlimited.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108823

---Test result---

Test Summary:
CheckPatch                    PASS      0.34 seconds
GitLint                       PASS      0.23 seconds
BuildEll                      PASS      18.69 seconds
BluezMake                     PASS      685.55 seconds
MakeCheck                     PASS      12.43 seconds
MakeDistcheck                 PASS      225.68 seconds
CheckValgrind                 PASS      256.41 seconds
CheckSmatch                   WARNING   313.77 seconds
bluezmakeextell               PASS      167.62 seconds
IncrementalBuild              PASS      619.95 seconds
ScanBuild                     PASS      919.45 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures


https://github.com/bluez/bluez/pull/2207

---
Regards,
Linux Bluetooth

* RE: [BlueZ] shared/bap: Transition ASE to QoS Configured on CIS loss
From: bluez.test.bot @ 2026-06-09 23:02 UTC
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609211120.3887737-1-simon.mikuda@streamunlimited.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108825

---Test result---

Test Summary:
CheckPatch                    PASS      0.45 seconds
GitLint                       PASS      0.48 seconds
BuildEll                      PASS      20.19 seconds
BluezMake                     PASS      625.65 seconds
MakeCheck                     PASS      12.74 seconds
MakeDistcheck                 PASS      236.69 seconds
CheckValgrind                 PASS      257.53 seconds
CheckSmatch                   WARNING   326.14 seconds
bluezmakeextell               PASS      165.85 seconds
IncrementalBuild              PASS      622.35 seconds
ScanBuild                     PASS      935.06 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures


https://github.com/bluez/bluez/pull/2209

---
Regards,
Linux Bluetooth

* RE: [BlueZ] shared/bap: Don't link ucast streams before CIS IDs are assigned
From: bluez.test.bot @ 2026-06-09 23:00 UTC
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609211111.3887657-1-simon.mikuda@streamunlimited.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108824

---Test result---

Test Summary:
CheckPatch                    PASS      0.46 seconds
GitLint                       PASS      0.33 seconds
BuildEll                      PASS      20.37 seconds
BluezMake                     PASS      601.20 seconds
MakeCheck                     PASS      12.72 seconds
MakeDistcheck                 PASS      233.39 seconds
CheckValgrind                 PASS      253.37 seconds
CheckSmatch                   WARNING   322.84 seconds
bluezmakeextell               PASS      165.30 seconds
IncrementalBuild              PASS      608.51 seconds
ScanBuild                     PASS      916.87 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:317:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures


https://github.com/bluez/bluez/pull/2208

---
Regards,
Linux Bluetooth

* Re: [PATCH BlueZ] shared/bap: Transition ASE to QoS Configured on CIS loss
From: Pauli Virtanen @ 2026-06-09 22:15 UTC
  To: Simon Mikuda, linux-bluetooth
In-Reply-To: <20260609211120.3887737-1-simon.mikuda@streamunlimited.com>

On Tue, 2026-06-09 at 23:11 +0200, Simon Mikuda wrote:
> stream_io_disconnected() only handled the Releasing state, leaving
> Enabling, Streaming and Disabling ASEs stuck when the CIS was lost
> unexpectedly. The ASE shall autonomously move to QoS Configured on loss
> of the CIS and notify the peer; add that transition.
> 
> Fixes PTS test BAP/USR/SCC/BV-167-C
> ---
>  src/shared/bap.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/shared/bap.c b/src/shared/bap.c
> index deb85b264..350ed53d9 100644
> --- a/src/shared/bap.c
> +++ b/src/shared/bap.c
> @@ -6779,6 +6779,14 @@ static bool stream_io_disconnected(struct io *io, void *user_data)
>  	if (stream->ep->state == BT_ASCS_ASE_STATE_RELEASING)
>  		stream_set_state(stream, BT_BAP_STREAM_STATE_CONFIG);
>  
> +	/* On loss of the CIS the ASE shall autonomously transition to QoS
> +	 * Configured and notify the peer.
> +	 */
> +	if (stream->ep->state == BT_ASCS_ASE_STATE_STREAMING ||
> +			stream->ep->state == BT_ASCS_ASE_STATE_ENABLING ||
> +			stream->ep->state == BT_ASCS_ASE_STATE_DISABLING)
> +		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
> +
>  	bt_bap_stream_set_io(stream, -1);
>  	return false;
>  }
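Review bot: both state comparisons in this hunk dereference stream->ep unconditionally, so if stream_io_disconnected() can also run for a broadcast source stream (the question raised in the reply below), it needs confirming that stream->ep is always non-NULL and carries an ASCS state there before the new block is reached; an early return when stream->ep is NULL, or a guard on the stream type, would make the unicast-only intent explicit in the code rather than implicit in the call sites.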

IIRC it may also be a broadcast source here; does it do the right thing?

-- 
Pauli Virtanen

* [bluez/bluez] da2011: avdtp: Return correct error when SEP is in use
From: Šimon Mikuda @ 2026-06-09 22:08 UTC
  To: linux-bluetooth

  Branch: refs/heads/1108834
  Home:   https://github.com/bluez/bluez
  Commit: da201148e7a288e2568a1822d55c69d932b77672
      https://github.com/bluez/bluez/commit/da201148e7a288e2568a1822d55c69d932b77672
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M profiles/audio/avdtp.c

  Log Message:
  -----------
  avdtp: Return correct error when SEP is in use

This fixes AVDTP/SNK/ACP/SIG/SMG/BI-08-C

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications

* [bluez/bluez] 029590: avrcp: Abort continuing response on fragmented CT ...
From: Šimon Mikuda @ 2026-06-09 22:08 UTC
  To: linux-bluetooth

  Branch: refs/heads/1108830
  Home:   https://github.com/bluez/bluez
  Commit: 029590df103af1e37e72c3936604e23829155036
      https://github.com/bluez/bluez/commit/029590df103af1e37e72c3936604e23829155036
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M profiles/audio/avrcp.c

  Log Message:
  -----------
  avrcp: Abort continuing response on fragmented CT replies

Send AbortContinuingResponse when a Get Element Attributes reply
arrives fragmented, as the CT side does not reassemble fragments.

Fixes PTS test AVRCP/CT/RCR/BV-03-C

* [bluez/bluez] 95d160: transport: Complete Acquire for Sink ASE entering ...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC
  To: linux-bluetooth

  Branch: refs/heads/1108826
  Home:   https://github.com/bluez/bluez
  Commit: 95d16025c92d0a67f5b3886ad18bb80a6efeee31
      https://github.com/bluez/bluez/commit/95d16025c92d0a67f5b3886ad18bb80a6efeee31
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M profiles/audio/transport.c
    M src/shared/bap.c

  Log Message:
  -----------
  transport: Complete Acquire for Sink ASE entering Enabling

On the QoS to Enabling transition the IO is not yet available because
the CIS is not established, so the handler returns early and a pending
Acquire is left unanswered once the IO later arrives.

Notify the connecting callbacks once the fd is attached so the
transport can re-run the Enabling handling and complete the Acquire.

* [bluez/bluez] 0aee36: shared/bap: Transition ASE to QoS Configured on CI...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC
  To: linux-bluetooth

  Branch: refs/heads/1108825
  Home:   https://github.com/bluez/bluez
  Commit: 0aee365bc6f29c2b2625b8ec057de32f1bbe2420
      https://github.com/bluez/bluez/commit/0aee365bc6f29c2b2625b8ec057de32f1bbe2420
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M src/shared/bap.c

  Log Message:
  -----------
  shared/bap: Transition ASE to QoS Configured on CIS loss

stream_io_disconnected() only handled the Releasing state, leaving
Enabling, Streaming and Disabling ASEs stuck when the CIS was lost
unexpectedly. The ASE shall autonomously move to QoS Configured on loss
of the CIS and notify the peer; add that transition.

Fixes PTS test BAP/USR/SCC/BV-167-C

* [bluez/bluez] b854c4: shared/bap: Don't link ucast streams before CIS ID...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC
  To: linux-bluetooth

  Branch: refs/heads/1108824
  Home:   https://github.com/bluez/bluez
  Commit: b854c4a729f3c8c36f8f90f18e957430bf8acc5c
      https://github.com/bluez/bluez/commit/b854c4a729f3c8c36f8f90f18e957430bf8acc5c
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M src/shared/bap.c

  Log Message:
  -----------
  shared/bap: Don't link ucast streams before CIS IDs are assigned

bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
are unset in Codec Configured state, so a Sink and Source bound for
different CISes get linked. The stray link later propagates a
disconnect to the wrong ASE and breaks Receiver Start Ready.

Skip linking until QoS Configured assigns the IDs.

Fixes PTS test BAP/USR/STR/BV-362-C

* [bluez/bluez] cedc4d: shared/bap: Report invalid-length ASE CP write via...
From: Šimon Mikuda @ 2026-06-09 22:07 UTC
  To: linux-bluetooth

  Branch: refs/heads/1108823
  Home:   https://github.com/bluez/bluez
  Commit: cedc4dee229747e0dbae75c6bc017e0e72aeaae3
      https://github.com/bluez/bluez/commit/cedc4dee229747e0dbae75c6bc017e0e72aeaae3
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M src/shared/bap.c

  Log Message:
  -----------
  shared/bap: Report invalid-length ASE CP write via notification

A zero-length write to the ASE Control Point returned an ATT error, but
ASCS requires the write to succeed at ATT level and the failure to be
carried by a CP notification. Build a response with the truncated error
code and return success instead.

Fixes PTS tests ASCS/SR/SPE/BI-01-C and BI-02-C

* Re: [PATCH BlueZ] shared/bap: Don't link ucast streams before CIS IDs are assigned
From: Pauli Virtanen @ 2026-06-09 22:03 UTC
  To: Simon Mikuda, linux-bluetooth
In-Reply-To: <20260609211111.3887657-1-simon.mikuda@streamunlimited.com>

On Tue, 2026-06-09 at 23:11 +0200, Simon Mikuda wrote:
> bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
> are unset in Codec Configured state, so a Sink and Source bound for
> different CISes get linked. The stray link later propagates a
> disconnect to the wrong ASE and breaks Receiver Start Ready.
> 
> Skip linking until QoS Configured assigns the IDs.
> 
> Fixes PTS test BAP/USR/STR/BV-362-C
> ---
>  src/shared/bap.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/shared/bap.c b/src/shared/bap.c
> index deb85b264..98537de60 100644
> --- a/src/shared/bap.c
> +++ b/src/shared/bap.c
> @@ -2679,6 +2679,12 @@ static int bap_ucast_io_link(struct bt_bap_stream *stream,
>  			stream->ep->dir == link->ep->dir)
>  		return -EINVAL;
>  
> +	/* Don't link until QoS Configured assigns the CIS IDs; while unset
> +	 * the check above would pair unrelated streams.
> +	 */
> +	if (!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id)
> +		return -EINVAL;

Is zero a valid CIS ID?

> +
>  	if (stream->client && !(stream->locked && link->locked))
>  		return -EINVAL;
>  
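Review bot: the new check `if (!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id)` uses 0 as the "not yet assigned" sentinel, which is exactly the concern raised above: CIS_ID 0x00 is a valid identifier (the HCI range is 0x00 to 0xEF), so a stream legitimately placed on CIS 0 would never be linked. The condition the comment describes is really the ASE state, so gating on the endpoint having reached QoS Configured (stream->ep is already dereferenced two lines above for the direction check) expresses the intent without overloading the ID value.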

-- 
Pauli Virtanen

* RE: [BlueZ,v2,1/4] btio: Handle EOPNOTSUPP from accept() to prevent busy loop
From: bluez.test.bot @ 2026-06-09 21:31 UTC
  To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260609185313.155105-1-luiz.dentz@gmail.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108786

---Test result---

Test Summary:
CheckPatch                    PASS      1.22 seconds
GitLint                       PASS      0.78 seconds
BuildEll                      PASS      20.04 seconds
BluezMake                     PASS      656.72 seconds
MakeCheck                     PASS      18.90 seconds
MakeDistcheck                 PASS      249.96 seconds
CheckValgrind                 PASS      295.94 seconds
CheckSmatch                   PASS      350.89 seconds
bluezmakeextell               PASS      181.16 seconds
IncrementalBuild              PASS      673.06 seconds
ScanBuild                     WARNING   1036.74 seconds

Details
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
tools/btgatt-client.c:1822:2: warning: Value stored to 'argv' is never read
        argv += optind;
        ^       ~~~~~~
1 warning generated.
tools/check-selftest.c:42:3: warning: Value stored to 'ptr' is never read
                ptr = fgets(result, sizeof(result), fp);
                ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.



https://github.com/bluez/bluez/pull/2206

---
Regards,
Linux Bluetooth

* [PATCH BlueZ] avdtp: Return correct error when SEP is in use
From: Simon Mikuda @ 2026-06-09 21:30 UTC
  To: linux-bluetooth; +Cc: Simon Mikuda

This fixes AVDTP/SNK/ACP/SIG/SMG/BI-08-C
---
 profiles/audio/avdtp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 6be6e99b4..56d27b973 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1556,6 +1556,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
 		goto failed;
 	}
 
+	/* check if SEID is in use */
+	if (find_stream_by_lsep(session, sep)) {
+		err = AVDTP_SEP_IN_USE;
+		goto failed;
+	}
+
 	switch (sep->info.type) {
 	case AVDTP_SEP_TYPE_SOURCE:
 		service = btd_device_get_service(session->device,
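Review bot: the commit message gives only the PTS test id; it should state what a SET_CONFIGURATION for an already-configured SEP was answered with before this change and why SEP_IN_USE is the correct AVDTP reject, so the change is reviewable without the test specification. The comment "check if SEID is in use" also does not match the code, which looks up a stream by the local SEP (`find_stream_by_lsep(session, sep)`); saying "local SEP" avoids confusion with the remote ACP SEID. Finally, a SET_CONFIGURATION reject carries a Service Category octet alongside the error code, and this hunk does not show what the `failed` path puts there for a non-capability error such as SEP_IN_USE; that is worth confirming.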
-- 
2.43.0

* RE: [v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: bluez.test.bot @ 2026-06-09 21:29 UTC
  To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260609193222.192456-1-luiz.dentz@gmail.com>

This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108797

---Test result---

Test Summary:
CheckPatch                    FAIL      0.71 seconds
VerifyFixes                   PASS      0.58 seconds
VerifySignedoff               PASS      0.09 seconds
GitLint                       FAIL      0.22 seconds
SubjectPrefix                 PASS      0.08 seconds
BuildKernel                   PASS      19.66 seconds
CheckAllWarning               PASS      22.22 seconds
CheckSparse                   PASS      22.50 seconds
BuildKernel32                 PASS      20.00 seconds
TestRunnerSetup               PASS      420.55 seconds
TestRunner_l2cap-tester       PASS      50.22 seconds
IncrementalBuild              PASS      18.98 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#103: 
| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]

ERROR: Unrecognized email address: 'https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz'
#181: 
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz

WARNING: Reported-by: should be immediately followed by Closes: with a URL to the report
#181: 
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>

total: 1 errors, 2 warnings, 0 checks, 126 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14620630.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref

10: B1 Line exceeds max length (107>80): "| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]"
11: B1 Line exceeds max length (125>80): "| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"
12: B1 Line exceeds max length (93>80): "| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]"
13: B1 Line exceeds max length (84>80): "| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318"
16: B1 Line exceeds max length (100>80): "| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)"
17: B1 Line exceeds max length (95>80): "| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014"
22: B1 Line exceeds max length (91>80): "|  atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]"


https://github.com/bluez/bluetooth-next/pull/300

---
Regards,
Linux Bluetooth

* [PATCH BlueZ] avrcp: Abort continuing response on fragmented CT replies
From: Simon Mikuda @ 2026-06-09 21:26 UTC
  To: linux-bluetooth; +Cc: Simon Mikuda

Send AbortContinuingResponse when a Get Element Attributes reply
arrives fragmented, as the CT side does not reassemble fragments.

Fixes PTS test AVRCP/CT/RCR/BV-03-C
---
 profiles/audio/avrcp.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index b6823753f..56564dcab 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2473,6 +2473,24 @@ static void avrcp_parse_attribute_list(struct avrcp_player *player,
 	}
 }
 
+static void avrcp_abort_continuing(struct avrcp *session, uint8_t pdu_id)
+{
+	uint8_t buf[AVRCP_HEADER_LENGTH + 1];
+	struct avrcp_header *pdu = (void *) buf;
+
+	memset(buf, 0, sizeof(buf));
+
+	set_company_id(pdu->company_id, IEEEID_BTSIG);
+	pdu->pdu_id = AVRCP_ABORT_CONTINUING;
+	pdu->packet_type = AVRCP_PACKET_TYPE_SINGLE;
+	pdu->params_len = cpu_to_be16(1);
+	pdu->params[0] = pdu_id;
+
+	avctp_send_vendordep_req(session->conn, AVC_CTYPE_CONTROL,
+					AVC_SUBUNIT_PANEL, buf, sizeof(buf),
+					NULL, session);
+}
+
 static gboolean avrcp_get_element_attributes_rsp(struct avctp *conn,
 						uint8_t code, uint8_t subunit,
 						uint8_t transaction,
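Review bot: avrcp_abort_continuing() passes NULL as the response callback to avctp_send_vendordep_req(), so the reply to the AbortContinuingResponse is dropped; that is acceptable since there is nothing to act on, but a DBG() line before sending (with the pdu_id being abandoned) would make the discarded metadata visible in logs when a user reports missing track information. Minor: `buf` is sized AVRCP_HEADER_LENGTH + 1 and the one parameter is written through `pdu->params[0]`, which relies on `params` being the flexible tail of struct avrcp_header; a short comment saying so keeps the sizing from looking like an off-by-one.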
@@ -2490,6 +2508,13 @@ static gboolean avrcp_get_element_attributes_rsp(struct avctp *conn,
 	if (code == AVC_CTYPE_REJECTED)
 		return FALSE;
 
+	/* Abort fragmented responses as reassembly is not supported */
+	if (pdu->packet_type == AVRCP_PACKET_TYPE_START ||
+			pdu->packet_type == AVRCP_PACKET_TYPE_CONTINUING) {
+		avrcp_abort_continuing(session, AVRCP_GET_ELEMENT_ATTRIBUTES);
+		return FALSE;
+	}
+
 	count = pdu->params[0];
 
 	if (be16_to_cpu(pdu->params_len) - 1 < count * 8) {
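Review bot: the condition tests only AVRCP_PACKET_TYPE_START and AVRCP_PACKET_TYPE_CONTINUING, so an END fragment would fall through to the normal parser and be treated as a complete response; that cannot happen while the CT never requests continuation, but `if (pdu->packet_type != AVRCP_PACKET_TYPE_SINGLE)` states the intent directly (anything fragmented is rejected) and stays correct if continuation support is added later. Returning FALSE here also means the element attributes for that track are simply lost; the commit message should say that this is the accepted outcome rather than reassembly.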
-- 
2.43.0

* [PATCH BlueZ] transport: Complete Acquire for Sink ASE entering Enabling
From: Simon Mikuda @ 2026-06-09 21:11 UTC
  To: linux-bluetooth; +Cc: Simon Mikuda

On the QoS to Enabling transition the IO is not yet available because
the CIS is not established, so the handler returns early and a pending
Acquire is left unanswered once the IO later arrives.

Notify the connecting callbacks once the fd is attached so the
transport can re-run the Enabling handling and complete the Acquire.
---
 profiles/audio/transport.c |  7 +++++++
 src/shared/bap.c           | 28 +++++++++++++++++++---------
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 4b9d26c5e..22a755064 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -2397,6 +2397,13 @@ static void bap_connecting(struct bt_bap_stream *stream, bool state, int fd,
 		return;
 
 	bap_update_links(transport);
+
+	/* IO connected; re-run Enabling to complete a deferred Acquire. */
+	if (!state && fd >= 0 && bt_bap_stream_get_state(stream) ==
+					BT_BAP_STREAM_STATE_ENABLING)
+		bap_state_changed(stream, BT_BAP_STREAM_STATE_ENABLING,
+					BT_BAP_STREAM_STATE_ENABLING,
+					user_data);
 }
 
 static bool transport_bap_is_playback(struct media_transport *transport)
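Review bot: re-entering bap_state_changed() with old and new state both BT_BAP_STREAM_STATE_ENABLING is a synthetic transition; if that handler, or anything it notifies, treats old == new as a no-op or logs it as a real state change, the deferred Acquire still does not complete or the logs mislead. A dedicated helper that only re-runs the Enabling branch (the part that answers the pending Acquire) would be clearer than faking a transition. Also, `!state && fd >= 0` meaning "connected" depends on the callback's bool carrying two meanings; the comment explains it, but naming the parameter `connecting` would say it in the code.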
diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..09f671a15 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3006,6 +3006,20 @@ static bool bap_stream_io_attach(struct bt_bap_stream *stream, int fd,
 	return true;
 }
 
+static void bap_stream_notify_connecting(struct bt_bap_stream *stream,
+						bool connecting, int fd)
+{
+	const struct queue_entry *entry;
+
+	for (entry = queue_get_entries(stream->bap->state_cbs); entry;
+						entry = entry->next) {
+		struct bt_bap_state *state = entry->data;
+
+		if (state->connecting)
+			state->connecting(stream, connecting, fd, state->data);
+	}
+}
+
 static void bap_stream_set_io(void *data, void *user_data)
 {
 	struct bt_bap_stream *stream = data;
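Review bot: bap_stream_notify_connecting() is called with `connecting` true from bap_stream_io_connecting() when attaching succeeds and with false from bap_stream_set_io() once the fd is attached, so the bool means "still connecting" rather than "connected", and a detach also reports false together with a negative fd; a comment on this helper stating that false plus fd >= 0 signals completion would spare each consumer of the connecting callback from rediscovering that convention.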
@@ -3042,6 +3056,10 @@ static void bap_stream_set_io(void *data, void *user_data)
 			bt_bap_stream_stop(stream, NULL, NULL);
 		break;
 	}
+
+	/* Notify IO connected so transports can complete pending requests. */
+	if (fd >= 0)
+		bap_stream_notify_connecting(stream, false, fd);
 }
 
 static void ascs_ase_rsp_add_errno(struct iovec *iov, uint8_t id, int err)
@@ -7028,7 +7046,6 @@ static void bap_stream_io_connecting(void *data, void *user_data)
 {
 	struct bt_bap_stream *stream = data;
 	int fd = PTR_TO_INT(user_data);
-	const struct queue_entry *entry;
 
 	if (!stream)
 		return;
@@ -7038,14 +7055,7 @@ static void bap_stream_io_connecting(void *data, void *user_data)
 	else
 		bap_stream_io_detach(stream);
 
-	for (entry = queue_get_entries(stream->bap->state_cbs); entry;
-							entry = entry->next) {
-		struct bt_bap_state *state = entry->data;
-
-		if (state->connecting)
-			state->connecting(stream, stream->io ? true : false,
-							fd, state->data);
-	}
+	bap_stream_notify_connecting(stream, stream->io ? true : false, fd);
 }
 
 int bt_bap_stream_io_connecting(struct bt_bap_stream *stream, int fd)
-- 
2.43.0

* [PATCH BlueZ] shared/bap: Transition ASE to QoS Configured on CIS loss
From: Simon Mikuda @ 2026-06-09 21:11 UTC
  To: linux-bluetooth; +Cc: Simon Mikuda

stream_io_disconnected() only handled the Releasing state, leaving
Enabling, Streaming and Disabling ASEs stuck when the CIS was lost
unexpectedly. The ASE shall autonomously move to QoS Configured on loss
of the CIS and notify the peer; add that transition.

Fixes PTS test BAP/USR/SCC/BV-167-C
---
 src/shared/bap.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..350ed53d9 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -6779,6 +6779,14 @@ static bool stream_io_disconnected(struct io *io, void *user_data)
 	if (stream->ep->state == BT_ASCS_ASE_STATE_RELEASING)
 		stream_set_state(stream, BT_BAP_STREAM_STATE_CONFIG);
 
+	/* On loss of the CIS the ASE shall autonomously transition to QoS
+	 * Configured and notify the peer.
+	 */
+	if (stream->ep->state == BT_ASCS_ASE_STATE_STREAMING ||
+			stream->ep->state == BT_ASCS_ASE_STATE_ENABLING ||
+			stream->ep->state == BT_ASCS_ASE_STATE_DISABLING)
+		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
+
 	bt_bap_stream_set_io(stream, -1);
 	return false;
 }
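Review bot: the new block and the existing Releasing check are two independent ifs on the same stream->ep->state, evaluated in sequence after the first may already have changed the state; since the four handled states are mutually exclusive, a single switch on stream->ep->state with one case per ASCS state and a default that leaves the stream alone reads more clearly and makes it obvious that Codec Configured and QoS Configured are intentionally untouched. The commit message says the peer is notified, but nothing in the hunk shows it; stating that stream_set_state() emits the ASE notification would close that gap for the reader.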
-- 
2.43.0

* [PATCH BlueZ] shared/bap: Don't link ucast streams before CIS IDs are assigned
From: Simon Mikuda @ 2026-06-09 21:11 UTC
  To: linux-bluetooth; +Cc: Simon Mikuda

bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
are unset in Codec Configured state, so a Sink and Source bound for
different CISes get linked. The stray link later propagates a
disconnect to the wrong ASE and breaks Receiver Start Ready.

Skip linking until QoS Configured assigns the IDs.

Fixes PTS test BAP/USR/STR/BV-362-C
---
 src/shared/bap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..98537de60 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2679,6 +2679,12 @@ static int bap_ucast_io_link(struct bt_bap_stream *stream,
 			stream->ep->dir == link->ep->dir)
 		return -EINVAL;
 
+	/* Don't link until QoS Configured assigns the CIS IDs; while unset
+	 * the check above would pair unrelated streams.
+	 */
+	if (!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id)
+		return -EINVAL;
+
 	if (stream->client && !(stream->locked && link->locked))
 		return -EINVAL;
 
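Review bot: Zero is a valid CIS_ID (and CIG_ID) value, so `!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id` as the "not yet assigned" test would also refuse to link two legitimately configured streams on CIS 0. The commit message frames the condition as "until QoS Configured", so checking that both endpoints have reached QoS Configured would express the intent directly without relying on a sentinel ID; if 0 is reserved as "unset" in this code, the comment should state that. The message mentions CIG/CIS IDs, but only cis_id is tested.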
-- 
2.43.0



* [PATCH BlueZ] shared/bap: Report invalid-length ASE CP write via notification
From: Simon Mikuda @ 2026-06-09 21:11 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Simon Mikuda

A zero-length write to the ASE Control Point returned an ATT error, but
ASCS requires the write to succeed at ATT level and the failure to be
carried by a CP notification. Build a response with the truncated error
code and return success instead.

Fixes PTS tests ASCS/SR/SPE/BI-01-C and BI-02-C
---
 src/shared/bap.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index deb85b264..212d489ff 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -3762,9 +3762,9 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
 	if (!len) {
 		DBG(bap, "invalid len %u < %u sizeof(*hdr)", len,
 							sizeof(*hdr));
-		gatt_db_attribute_write_result(attrib, id,
-				BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN);
-		return;
+		rsp = ascs_ase_cp_rsp_new(len > 0 ? value[0] : 0x00);
+		ret = BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
+		goto respond;
 	}
 
 	if (len < sizeof(*hdr)) {
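Review bot: Inside `if (!len)` the expression `len > 0 ? value[0] : 0x00` always evaluates to 0x00, so pass the constant to ascs_ase_cp_rsp_new() directly; the ternary reads as if a non-zero-length write could reach this branch. Since the following `if (len < sizeof(*hdr))` branch handles the other truncated-write case, consider routing both through the same `rsp`/`ret`/`goto respond` sequence so the two invalid-length paths cannot drift apart.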
@@ -3829,8 +3829,10 @@ static void ascs_ase_cp_write(struct gatt_db_attribute *attrib,
 	}
 
 respond:
-	if (ret == BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN)
+	if (ret == BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN) {
 		ascs_ase_rsp_add_errno(rsp, 0x00, -ENOMSG);
+		ret = 0;
+	}
 
 	gatt_db_attribute_notify(attrib, rsp->iov_base, rsp->iov_len, att);
 	gatt_db_attribute_write_result(attrib, id, ret);
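Review bot: Clearing `ret = 0` inside the BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN branch is the whole point of the change (the ATT write must succeed and the failure travels in the CP notification), but nothing at the `respond:` label records why; a one-line comment there would stop a later cleanup from "fixing" it back to returning the ATT error.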
-- 
2.43.0



* [bluez/bluez]
From: BluezTestBot @ 2026-06-09 20:32 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1108736
  Home:   https://github.com/bluez/bluez

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications


* [bluez/bluez] 5e8164: btio: Handle EOPNOTSUPP from accept() to prevent b...
From: Luiz Augusto von Dentz @ 2026-06-09 20:32 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1108786
  Home:   https://github.com/bluez/bluez
  Commit: 5e81648c163877e2f5091576203557e95601251e
      https://github.com/bluez/bluez/commit/5e81648c163877e2f5091576203557e95601251e
  Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M btio/btio.c

  Log Message:
  -----------
  btio: Handle EOPNOTSUPP from accept() to prevent busy loop

When accept() returns EOPNOTSUPP on an L2CAP SEQPACKET server socket
(e.g. AVCTP browsing channel, PSM 0x1b), the error is permanent and
retrying will never succeed. Previously, only EBADFD was treated as
fatal, causing server_cb to return TRUE for EOPNOTSUPP. Since the fd
remains readable, this creates an infinite busy loop that hangs
bluetoothd.

Treat EOPNOTSUPP the same as EBADFD by returning FALSE to remove the
GLib IO watch and stop the loop.


  Commit: 70fa42fd8f621ce76b4a0128aad37d624b7e4779
      https://github.com/bluez/bluez/commit/70fa42fd8f621ce76b4a0128aad37d624b7e4779
  Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M src/profile.c

  Log Message:
  -----------
  profile: Check if bearer is enabled on registration

btd_profile_register now verifies that the profile's bearer type is
compatible with btd_opts.mode before registering. If the required bearer
is not enabled (e.g. LE-only profile when mode is BR/EDR, or BR/EDR-only
profile when mode is LE), registration is rejected with -ENOTSUP.


  Commit: 672cde593161db95582039c27e94a63431e7706d
      https://github.com/bluez/bluez/commit/672cde593161db95582039c27e94a63431e7706d
  Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M profiles/audio/a2dp.c
    M profiles/audio/avrcp.c
    M profiles/audio/hfp-hf.c
    M profiles/audio/micp.c
    M profiles/input/manager.c
    M profiles/network/manager.c
    M src/gatt-database.c

  Log Message:
  -----------
  plugins: Check btd_profile_register return value

Ensure all plugin init functions check the return value of
btd_profile_register. If registration fails (e.g. bearer not enabled),
the plugin init propagates the error instead of continuing with an
unregistered profile.


  Commit: 3cc2dd3fe2be5ebc3f7a8ff2e3bb7f7bbab05b88
      https://github.com/bluez/bluez/commit/3cc2dd3fe2be5ebc3f7a8ff2e3bb7f7bbab05b88
  Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    M src/bearer.c

  Log Message:
  -----------
  bearer: Check btd_opts.mode on btd_bearer_new

Only create the bearer interface if the corresponding transport is
enabled. Return NULL if BREDR bearer is requested in LE-only mode or
LE bearer in BREDR-only mode, so the D-Bus interface is never
registered for unsupported bearers.


Compare: https://github.com/bluez/bluez/compare/5e81648c1638%5E...3cc2dd3fe2be



* RE: [BlueZ,v1,1/4] btio: Handle EOPNOTSUPP from accept() to prevent busy loop
From: bluez.test.bot @ 2026-06-09 19:35 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260609165057.90837-1-luiz.dentz@gmail.com>


This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108736

---Test result---

Test Summary:
CheckPatch                    FAIL      1.15 seconds
GitLint                       PASS      0.80 seconds
BuildEll                      PASS      20.44 seconds
BluezMake                     PASS      680.07 seconds
MakeCheck                     PASS      18.48 seconds
MakeDistcheck                 PASS      247.78 seconds
CheckValgrind                 PASS      292.15 seconds
CheckSmatch                   PASS      353.17 seconds
bluezmakeextell               PASS      182.48 seconds
IncrementalBuild              PASS      692.42 seconds
ScanBuild                     PASS      1037.61 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v1,4/4] bearer: Check btd_opts.mode on btd_bearer_new
WARNING:LONG_LINE: line length of 81 exceeds 80 columns
#126: FILE: src/bearer.c:283:
+			(type != BDADDR_BREDR && btd_opts.mode == BT_MODE_BREDR))

/github/workspace/src/patch/14620165.patch total: 0 errors, 1 warnings, 17 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14620165.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluez/pull/2203

---
Regards,
Linux Bluetooth



* [PATCH v3] Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref
From: Luiz Augusto von Dentz @ 2026-06-09 19:32 UTC (permalink / raw)
  To: linux-bluetooth

From: Marco Elver <elver@google.com>

l2cap_chan_timeout() runs asynchronously and accesses chan->conn. If
the connection is torn down while the timer is running or pending,
chan->conn can be freed, leading to a use-after-free when the timer
worker attempts to lock conn->lock:

| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
| Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83
|
| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
| Workqueue: events l2cap_chan_timeout
| Call Trace:
|  <TASK>
|  instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
|  atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]
|  __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]
|  mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318
|  l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422
|  process_one_work kernel/workqueue.c:3326 [inline]
|  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
|  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
|  kthread+0x346/0x430 kernel/kthread.c:436
|  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
|  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|  </TASK>
|
| Allocated by task 320:
|  l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075
|  l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452
|  hci_connect_cfm include/net/bluetooth/hci_core.h:2139 [inline]
|  hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760
|  hci_event_func net/bluetooth/hci_event.c:7796 [inline]
|  hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847
|  hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040
|  process_one_work kernel/workqueue.c:3326 [inline]
|  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409
|  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490
|  kthread+0x346/0x430 kernel/kthread.c:436
|  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158
|  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
|
| Freed by task 322:
|  hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
|  hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736
|  hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405
|  hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
|  hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679
|  vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690
|  __fput+0x369/0x890 fs/file_table.c:510
|  task_work_run+0x160/0x1d0 kernel/task_work.c:233
|  get_signal+0xf5b/0x1120 kernel/signal.c:2810
|  arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337
|  __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
|  exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98
|  do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100
|  entry_SYSCALL_64_after_hwframe+0x77/0x7f
|
| The buggy address belongs to the object at ffff8881298d9400
|  which belongs to the cache kmalloc-512 of size 512
| The buggy address is located 336 bytes inside of
|  freed 512-byte region [ffff8881298d9400, ffff8881298d9600)

Fix it by having chan->conn hold a reference to l2cap_conn (via
l2cap_conn_get) when the channel is added to the connection, and
releasing it in the channel destructor. This ensures the l2cap_conn
remains alive as long as the channel exists.

A new FLAG_DEL channel flag is introduced to indicate that the channel
has been deleted from its connection. l2cap_chan_del() atomically sets
this flag using test_and_set_bit() instead of setting chan->conn to
NULL. All asynchronous workers (l2cap_chan_timeout, l2cap_ack_timeout,
l2cap_monitor_timeout, l2cap_retrans_timeout) and l2cap_chan_send()
check FLAG_DEL to determine whether the channel has been torn down,
rather than testing chan->conn for NULL.

Fixes: 75780ca4c6a8 ("Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()")
Cc: <stable@vger.kernel.org>
Cc: Siwei Zhang <oss@fourdim.xyz>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Assisted-by: Gemini:gemini-3.1-pro-preview
Reported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 include/net/bluetooth/l2cap.h |  1 +
 net/bluetooth/l2cap_core.c    | 34 ++++++++++++++++++++--------------
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 790935950a0c..1640cc9bf83a 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -745,6 +745,7 @@ enum {
 	FLAG_ECRED_CONN_REQ_SENT,
 	FLAG_PENDING_SECURITY,
 	FLAG_HOLD_HCI_CONN,
+	FLAG_DEL,
 };
 
 /* Lock nesting levels for L2CAP channels. We need these because lockdep
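Review bot: FLAG_DEL gets no comment although its meaning is subtle: it marks a channel that has been deleted from its connection while chan->conn now stays non-NULL until the channel is destroyed. A short comment on the enum entry saying that after FLAG_DEL is set chan->conn is kept only for the reference and must not be used for I/O would help readers of the workers that test it.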
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 863fc4b8a55e..a97d492473e2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -408,7 +408,7 @@ static void l2cap_chan_timeout(struct work_struct *work)
 
 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
 
-	if (!conn) {
+	if (test_bit(FLAG_DEL, &chan->flags)) {
 		l2cap_chan_put(chan);
 		return;
 	}
@@ -419,6 +419,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
 	 */
 	l2cap_chan_lock(chan);
 
+	if (test_bit(FLAG_DEL, &chan->flags))
+		goto unlock;
+
 	if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
 		reason = ECONNREFUSED;
 	else if (chan->state == BT_CONNECT &&
@@ -431,10 +434,10 @@ static void l2cap_chan_timeout(struct work_struct *work)
 
 	chan->ops->close(chan);
 
+unlock:
 	l2cap_chan_unlock(chan);
-	l2cap_chan_put(chan);
-
 	mutex_unlock(&conn->lock);
+	l2cap_chan_put(chan);
 }
 
 struct l2cap_chan *l2cap_chan_create(void)
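Review bot: Moving l2cap_chan_put() after mutex_unlock(&conn->lock) is now load-bearing and deserves a comment: with this patch the channel owns a reference on conn, so if this put drops the last channel reference, l2cap_chan_destroy() drops the conn reference and conn may be freed, and unlocking conn->lock afterwards would be the same class of use-after-free the patch fixes.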
@@ -487,6 +490,9 @@ static void l2cap_chan_destroy(struct kref *kref)
 	list_del(&chan->global_l);
 	write_unlock(&chan_list_lock);
 
+	if (chan->conn)
+		l2cap_conn_put(chan->conn);
+
 	kfree(chan);
 }
 
@@ -590,7 +596,7 @@ void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
 
 	conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
 
-	chan->conn = conn;
+	chan->conn = l2cap_conn_get(conn);
 
 	switch (chan->chan_type) {
 	case L2CAP_CHAN_CONN_ORIENTED:
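Review bot: `chan->conn = l2cap_conn_get(conn)` overwrites any reference the channel already holds, and nothing in this patch ever clears FLAG_DEL, so if a channel can go through l2cap_chan_del() and later be added to a connection again, the old conn reference leaks and the re-added channel stays flagged as deleted for every worker that tests FLAG_DEL. If re-adding cannot happen, a WARN_ON(chan->conn) or a comment here would document that; otherwise drop the previous reference and clear the flag before taking the new one.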
@@ -645,30 +651,26 @@ void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
 
 void l2cap_chan_del(struct l2cap_chan *chan, int err)
 {
-	struct l2cap_conn *conn = chan->conn;
-
 	__clear_chan_timer(chan);
 
-	BT_DBG("chan %p, conn %p, err %d, state %s", chan, conn, err,
+	BT_DBG("chan %p, err %d, state %s", chan, err,
 	       state_to_string(chan->state));
 
 	chan->ops->teardown(chan, err);
 
-	if (conn) {
+	if (!test_and_set_bit(FLAG_DEL, &chan->flags)) {
 		/* Delete from channel list */
 		list_del(&chan->list);
 
 		l2cap_chan_put(chan);
 
-		chan->conn = NULL;
-
 		/* Reference was only held for non-fixed channels or
 		 * fixed channels that explicitly requested it using the
 		 * FLAG_HOLD_HCI_CONN flag.
 		 */
 		if (chan->chan_type != L2CAP_CHAN_FIXED ||
 		    test_bit(FLAG_HOLD_HCI_CONN, &chan->flags))
-			hci_conn_drop(conn->hcon);
+			hci_conn_drop(chan->conn->hcon);
 	}
 
 	if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
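Review bot: The old guard `if (conn)` also covered channels that were never added to a connection; the replacement `!test_and_set_bit(FLAG_DEL, &chan->flags)` is true for such a channel on its first l2cap_chan_del(), so the block would run list_del(&chan->list) and dereference `chan->conn->hcon` with chan->conn == NULL. If every caller of l2cap_chan_del() is guaranteed to have passed through __l2cap_chan_add(), say so in a comment; otherwise keep a chan->conn check alongside the flag, e.g. `if (chan->conn && !test_and_set_bit(FLAG_DEL, &chan->flags))`.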
@@ -1900,7 +1902,7 @@ static void l2cap_monitor_timeout(struct work_struct *work)
 
 	l2cap_chan_lock(chan);
 
-	if (!chan->conn) {
+	if (test_bit(FLAG_DEL, &chan->flags)) {
 		l2cap_chan_unlock(chan);
 		l2cap_chan_put(chan);
 		return;
@@ -1921,7 +1923,7 @@ static void l2cap_retrans_timeout(struct work_struct *work)
 
 	l2cap_chan_lock(chan);
 
-	if (!chan->conn) {
+	if (test_bit(FLAG_DEL, &chan->flags)) {
 		l2cap_chan_unlock(chan);
 		l2cap_chan_put(chan);
 		return;
@@ -2562,7 +2564,7 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
 	int err;
 	struct sk_buff_head seg_queue;
 
-	if (!chan->conn)
+	if (test_bit(FLAG_DEL, &chan->flags))
 		return -ENOTCONN;
 
 	/* Connectionless channel */
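Review bot: Same concern as in l2cap_chan_del(): `!chan->conn` also rejected a channel that never had a connection, whereas FLAG_DEL is only set by l2cap_chan_del(). If callers only reach l2cap_chan_send() in BT_CONNECTED state this is fine, but it is worth stating, since the rest of the function dereferences chan->conn.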
@@ -3157,12 +3159,16 @@ static void l2cap_ack_timeout(struct work_struct *work)
 
 	l2cap_chan_lock(chan);
 
+	if (test_bit(FLAG_DEL, &chan->flags))
+		goto unlock;
+
 	frames_to_ack = __seq_offset(chan, chan->buffer_seq,
 				     chan->last_acked_seq);
 
 	if (frames_to_ack)
 		l2cap_send_rr_or_rnr(chan, 0);
 
+unlock:
 	l2cap_chan_unlock(chan);
 	l2cap_chan_put(chan);
 }
-- 
2.54.0



