Linux bluetooth development
 help / color / mirror / Atom feed
* Re: [PATCH] 6lowpan: fix NHC entry use-after-free on error path
From: Alexander Aring @ 2026-06-10 13:05 UTC (permalink / raw)
  To: Yizhou Zhao
  Cc: linux-bluetooth, Alexander Aring, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, linux-wpan, netdev,
	linux-kernel, Yuxiang Yang, Ao Wang, Xuewei Feng, Qi Li, Ke Xu,
	stable
In-Reply-To: <20260609080054.4541-1-zhaoyz24@mails.tsinghua.edu.cn>

Hi,

On Tue, Jun 9, 2026 at 4:03 AM Yizhou Zhao
<zhaoyz24@mails.tsinghua.edu.cn> wrote:
>
> lowpan_nhc_do_uncompression() looks up an NHC descriptor while holding
> lowpan_nhc_lock.  If the descriptor has no uncompress callback, the error
> path drops the lock before printing nhc->name.
>
> lowpan_nhc_del() removes descriptors under the same lock and then relies
> on synchronize_net() before the owning module can be unloaded.  That only
> waits for net RX RCU readers.  lowpan_header_decompress() is also exported
> and can be reached from callers that are not necessarily covered by the net
> core RX critical section, for example the Bluetooth 6LoWPAN L2CAP receive
> path.
>
> This leaves a race where one task drops lowpan_nhc_lock in the error path,
> another task unregisters and frees the matching descriptor after
> synchronize_net() returns, and the first task then dereferences nhc->name
> for the warning.
>
> With the post-unlock window widened, KASAN reports:
>
>   BUG: KASAN: slab-use-after-free in lowpan_nhc_do_uncompression+0x1f4/0x220
>   Read of size 8
>   lowpan_nhc_do_uncompression
>   lowpan_header_decompress
>
> Fix this by printing the warning before dropping lowpan_nhc_lock, so the
> descriptor name is read while unregister is still excluded.  The malformed
> packet is still rejected with -ENOTSUPP.
>
> Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
> Cc: stable@vger.kernel.org
> Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
> Reported-by: Ao Wang <wangao@seu.edu.cn>
> Reported-by: Xuewei Feng <fengxw06@126.com>
> Reported-by: Qi Li <qli01@tsinghua.edu.cn>
> Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
> Assisted-by: GLM:GLM-5.1
> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

looks good. Thanks.

Acked-by: Alexander Aring <aahringo@redhat.com>

- Alex


^ permalink raw reply

* Re: [PATCH v2 0/7] arm64: dts: qcom: enable WiFi/BT on SM8350 HDK
From: Konrad Dybcio @ 2026-06-10 11:56 UTC (permalink / raw)
  To: Rob Herring, Dmitry Baryshkov
  Cc: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Bjorn Helgaas, Qiang Yu, Jeff Johnson,
	Liam Girdwood, Mark Brown, Krzysztof Kozlowski, Conor Dooley,
	Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz,
	Balakrishna Godavarthi, Rocky Liao, Bjorn Andersson,
	Konrad Dybcio, linux-arm-msm, linux-pci, linux-kernel,
	linux-wireless, ath11k, devicetree, Bartosz Golaszewski,
	linux-bluetooth, Bartosz Golaszewski
In-Reply-To: <20260608151835.GA2707238-robh@kernel.org>

On 6/8/26 5:18 PM, Rob Herring wrote:
> On Mon, Jun 08, 2026 at 09:59:18AM +0300, Dmitry Baryshkov wrote:
>> The SM8350 HDK has an onboard WCN6851 WiFi/BT chip, which for a long
>> time was not supported. Bring up different pieces required to enable
>> this SoC.
>>
>> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
>> ---
>> Changes in v2:
>> - Bumped num_vdevs to 4 to follow other similar devices (Jeff)
>> - Link to v1: https://patch.msgid.link/20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com
>>
>> ---
>> Dmitry Baryshkov (7):
>>       PCI: qcom: fix parsing of PERST# in the legacy case
>>       wifi: ath11k: enable support for WCN6851
>>       regulator: dt-bindings: qcom,qca6390-pmu: document WCN6851
>>       dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
>>       arm64: dts: qcom: sm8350: expand UART18 to 4 pins config
>>       arm64: dts: qcom: sm8350: modernize PCIe entries
>>       arm64: dts: qcom: sm8350-hdk: describe WiFi/BT chip
> 
> Before adding new devices, can you (Qcom) fix the all the existing DT 
> warnings related to QCom WiFi/BT:
> 
>       6 (qcom,wcn6855-bt): 'vddrfa1p7-supply' is a required property
>       6 (qcom,wcn6855-bt): Unevaluated properties are not allowed ('vddrfa1p8-supply' was unexpected)
>       2 (qcom,wcn6855-bt): 'vddwlmx-supply' is a required property
>       2 (qcom,wcn6855-bt): 'vddwlcx-supply' is a required property
>       2 (qcom,wcn6855-bt): 'vddbtcmx-supply' is a required property
>       2 (qcom,wcn6855-bt): 'vddaon-supply' is a required property
>       2 (pci17cb,1103): 'vddwlmx-supply' is a required property
>       2 (pci17cb,1103): 'vddwlcx-supply' is a required property
>       2 (pci17cb,1103): 'vddrfacmn-supply' is a required property
>       2 (pci17cb,1103): 'vddrfa1p8-supply' is a required property
>       2 (pci17cb,1103): 'vddrfa1p2-supply' is a required property
>       2 (pci17cb,1103): 'vddrfa0p8-supply' is a required property
>       2 (pci17cb,1103): 'vddpcie1p8-supply' is a required property
>       2 (pci17cb,1103): 'vddpcie0p9-supply' is a required property
>       2 (pci17cb,1103): 'vddaon-supply' is a required property

Most of them will be gone with 

https://lore.kernel.org/linux-arm-msm/20260522-surface-sp9-5g-for-next-v2-8-dd9d477407f5@gmail.com/

a single dt generates 2 DTBs (one overlayed) that throw almost all of
these errors.. we should be able to tackle the rest that remain shortly

Konrad

^ permalink raw reply

* RE: [BlueZ,v2] adapter: Fix failed bonding attempt after LE link disconnection
From: bluez.test.bot @ 2026-06-10 11:02 UTC (permalink / raw)
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260610082054.3915366-1-simon.mikuda@streamunlimited.com>

[-- Attachment #1: Type: text/plain, Size: 825 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1109089

---Test result---

Test Summary:
CheckPatch                    PASS      5.58 seconds
GitLint                       PASS      0.33 seconds
BuildEll                      PASS      21.00 seconds
BluezMake                     PASS      619.90 seconds
CheckSmatch                   PASS      325.95 seconds
bluezmakeextell               PASS      166.15 seconds
IncrementalBuild              PASS      605.73 seconds
ScanBuild                     PASS      948.54 seconds



https://github.com/bluez/bluez/pull/2213

---
Regards,
Linux Bluetooth


^ permalink raw reply

* [bluez/bluez]
From: BluezTestBot @ 2026-06-10 10:16 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1107775
  Home:   https://github.com/bluez/bluez

To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications

^ permalink raw reply

* [bluez/bluez] cc2e16: adapter: Fix failed bonding attempt after LE link ...
From: Šimon Mikuda @ 2026-06-10 10:16 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1109089
  Home:   https://github.com/bluez/bluez
  Commit: cc2e16f0137dbc4f21b2f5078d2c28b63a886260
      https://github.com/bluez/bluez/commit/cc2e16f0137dbc4f21b2f5078d2c28b63a886260
  Author: Simon Mikuda <simon.mikuda@streamunlimited.com>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M src/adapter.c

  Log Message:
  -----------
  adapter: Fix failed bonding attempt after LE link disconnection

What happens when issue occurs:
- device is connected to both bearers BR/EDR and LE
- bonding is requested
- LE link disconnects
- pairing keys arrive

BlueZ would finish bonding request with error and mark device as
temporary. Then it would be disconnected+removed after default
temporary timeout (30 seconds).



To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications

^ permalink raw reply

* RE: [v2] Bluetooth: qca: Add BT FW build version to kernel log
From: bluez.test.bot @ 2026-06-10  8:58 UTC (permalink / raw)
  To: linux-bluetooth, xiuzhuo.shang
In-Reply-To: <20260610064232.2385866-1-xiuzhuo.shang@oss.qualcomm.com>

[-- Attachment #1: Type: text/plain, Size: 988 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1109012

---Test result---

Test Summary:
CheckPatch                    PASS      0.53 seconds
VerifyFixes                   PASS      0.07 seconds
VerifySignedoff               PASS      0.07 seconds
GitLint                       PASS      0.20 seconds
SubjectPrefix                 PASS      0.06 seconds
BuildKernel                   PASS      26.56 seconds
CheckAllWarning               PASS      29.70 seconds
CheckSparse                   PASS      27.92 seconds
BuildKernel32                 PASS      26.02 seconds
TestRunnerSetup               PASS      573.52 seconds
IncrementalBuild              PASS      25.70 seconds



https://github.com/bluez/bluetooth-next/pull/301

---
Regards,
Linux Bluetooth


^ permalink raw reply

* Re: [PATCH] Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work()
From: Sergey Senozhatsky @ 2026-06-10  8:51 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz, Mark-yw Chen
  Cc: Sean Wang, Tomasz Figa, linux-bluetooth, linux-kernel,
	linux-arm-kernel, linux-mediatek, stable, Sergey Senozhatsky
In-Reply-To: <20260609121329.1262170-1-senozhatsky@chromium.org>

On (26/06/09 21:10), Sergey Senozhatsky wrote:
> Every once in a while we see a hung btmtksdio_flush() task:
> 
>  INFO: task kworker/u17:0:189 blocked for more than 122 seconds.
>  __cancel_work_timer+0x3f4/0x460
>  cancel_work_sync+0x1c/0x2c
>  btmtksdio_flush+0x2c/0x40
>  hci_dev_open_sync+0x10c4/0x2190
>  [..]
> 
> It all boils down to incorrect time_is_before_jiffies() usage in
> btmtksdio_txrx_work().  The btmtksdio_txrx_work() loop is expected
> to be terminated if running for longer than 5*HZ.  However the
> timeout check is twisted:  time_is_before_jiffies(old_jiffies + 5*HZ)
> evaluates to true when old_jiffies + 5*HZ is in the past i.e. when a
> timeout has occurred.  Using OR with time_is_before_jiffies(txrx_timeout)
> means that:
> - before the 5-second timeout: the condition is `int_status || false`,
>   so it loops as long as there are pending interrupts.
> - after the 5-second timeout: the condition becomes `int_status || true`,
>   which is always true.
> 
> When the loop becomes infinite btmtksdio_txrx_work() loop never
> terminates and never releases the SDIO host.
> 
> Fix loop termination condition to actually enforce a 5*HZ timeout.

Please hold off this patch, this change alone might not be enough.
Let us look closer into it, we'll come back you.

^ permalink raw reply

* Re: "cleanup" variable attribute follow-up
From: Bastien Nocera @ 2026-06-10  8:49 UTC (permalink / raw)
  To: linux-bluetooth
In-Reply-To: <6a284da8.7dd3efdf.a331b.6852@mx.google.com>

I have fixes for some of the warnings checkpatch threw:
https://github.com/hadess/bluez/commit/1f69ae6c89e6811f554087a35152b9e5b5f20e5c

Let me know if you want me to send them in a v2.

Cheers

On Tue, 2026-06-09 at 10:30 -0700, bluez.test.bot@gmail.com wrote:
> This is automated email and please do not reply to this email!
> 
> Dear submitter,
> 
> Thank you for submitting the patches to the linux bluetooth mailing
> list.
> This is a CI test results with your patch series:
> PW
> Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108
> 616
> 
> ---Test result---
> 
> Test Summary:
> CheckPatch                    FAIL      2.51 seconds
> GitLint                       PASS      1.73 seconds
> BuildEll                      PASS      16.19 seconds
> BluezMake                     PASS      498.81 seconds
> MakeCheck                     PASS      18.30 seconds
> MakeDistcheck                 PASS      189.35 seconds
> CheckValgrind                 PASS      217.95 seconds
> CheckSmatch                   WARNING   253.71 seconds
> bluezmakeextell               PASS      131.42 seconds
> IncrementalBuild              PASS      985.31 seconds
> ScanBuild                     PASS      733.50 seconds
> 
> Details
> ##############################
> Test: CheckPatch - FAIL
> Desc: Run checkpatch.pl script
> Output:
> [BlueZ,1/6] shared/util: Fix warnings when cleaning up NULL pointers
> WARNING:LONG_LINE: line length of 94 exceeds 80 columns
> #74: FILE: src/shared/util.h:130:
> +	static inline void cleanup_##type (type **_ptr) { if (*_ptr
> != NULL) (func) (*_ptr); }

Fixed.

> WARNING:SPACING: space prohibited between function name and open
> parenthesis '('
> #74: FILE: src/shared/util.h:130:
> +	static inline void cleanup_##type (type **_ptr) { if (*_ptr
> != NULL) (func) (*_ptr); }

Fixed

> 
> ERROR:SPACING: need consistent spacing around '*' (ctx:WxO)
> #74: FILE: src/shared/util.h:130:
> +	static inline void cleanup_##type (type **_ptr) { if (*_ptr
> != NULL) (func) (*_ptr); }

Bogus.

>  	                                        ^
> 
> ERROR:TRAILING_STATEMENTS: trailing statements should be on next line
> #74: FILE: src/shared/util.h:130:
> +	static inline void cleanup_##type (type **_ptr) { if (*_ptr
> != NULL) (func) (*_ptr); }

Fixed.

> 
> /github/workspace/src/patch/14619750.patch total: 2 errors, 2
> warnings, 8 lines checked
> 
> NOTE: For some of the reported defects, checkpatch may be able to
>       mechanically convert to the typical style using --fix or --fix-
> inplace.
> 
> /github/workspace/src/patch/14619750.patch has style problems, please
> review.
> 
> NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO
> CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED
> SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
> 
> NOTE: If any of the errors are false positives, please report
>       them to the maintainer, see CHECKPATCH in MAINTAINERS.
> 
> 
> [BlueZ,4/6] main: Use _cleanup_() to simplify configuration parsing
> ERROR:SPACING: need consistent spacing around '*' (ctx:WxV)
> #90: FILE: src/main.c:265:
> +	_cleanup_type_(GError) GError *err = NULL;

Those are all bogus, not sure why it's complaining there.

> ERROR:SPACING: need consistent spacing around '*' (ctx:WxV)
> #114: FILE: src/main.c:447:
> +	_cleanup_type_(GError) GError *err = NULL;
>  	                              ^
> 
> ERROR:SPACING: need consistent spacing around '*' (ctx:WxV)
> #210: FILE: src/main.c:895:
> +	_cleanup_type_(GError) GError *err = NULL;
>  	                              ^
> 
> ERROR:SPACING: need consistent spacing around '*' (ctx:WxV)
> #415: FILE: src/main.c:1214:
> +	_cleanup_type_(GError) GError *err = NULL;
>  	                              ^
> 
> ERROR:SPACING: need consistent spacing around '*' (ctx:WxV)
> #507: FILE: src/main.c:1577:
> +	_cleanup_type_(GError) GError *err = NULL;
>  	                              ^
> 
> /github/workspace/src/patch/14619699.patch total: 5 errors, 0
> warnings, 420 lines checked
> 
> NOTE: For some of the reported defects, checkpatch may be able to
>       mechanically convert to the typical style using --fix or --fix-
> inplace.
> 
> /github/workspace/src/patch/14619699.patch has style problems, please
> review.
> 
> NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO
> CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED
> SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
> 
> NOTE: If any of the errors are false positives, please report
>       them to the maintainer, see CHECKPATCH in MAINTAINERS.
> 
> 
> ##############################
> Test: CheckSmatch - WARNING
> Desc: Run smatch tool with source
> Output:
> src/main.c: note: in included file (through src/device.h):
> 
> 
> https://github.com/bluez/bluez/pull/2201
> 
> ---
> Regards,
> Linux Bluetooth

^ permalink raw reply

* RE: [v2] Bluetooth: SCO: Fix use-after-free on listening socket in sco_conn_ready()
From: bluez.test.bot @ 2026-06-10  8:33 UTC (permalink / raw)
  To: linux-bluetooth, sanghyun.park.cnu
In-Reply-To: <20260610060824.552957-2-sanghyun.park.cnu@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 540 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/sco.c:410
error: net/bluetooth/sco.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth


^ permalink raw reply

* [PATCH BlueZ v2] adapter: Fix failed bonding attempt after LE link disconnection
From: Simon Mikuda @ 2026-06-10  8:20 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Simon Mikuda
In-Reply-To: <20260608111034.3684632-1-simon.mikuda@streamunlimited.com>

What happens when issue occurs:
- device is connected to both bearers BR/EDR and LE
- bonding is requested
- LE link disconnects
- pairing keys arrive

BlueZ would finish bonding request with error and mark device as
temporary. Then it would be disconnected+removed after default
temporary timeout (30 seconds).
---
 src/adapter.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/adapter.c b/src/adapter.c
index cc753fbd6..538f63e0a 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -8622,7 +8622,9 @@ static void dev_disconnected(struct btd_adapter *adapter,
 		disconnect_notify(device, reason);
 	}
 
-	bonding_attempt_complete(adapter, &addr->bdaddr, addr->type,
+	/* device could be still connected to different bearer */
+	if (!device || !btd_device_is_connected(device))
+		bonding_attempt_complete(adapter, &addr->bdaddr, addr->type,
 						MGMT_STATUS_DISCONNECTED);
 }
 
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH v2] Bluetooth: qca: Add BT FW build version to kernel log
From: Bartosz Golaszewski @ 2026-06-10  8:17 UTC (permalink / raw)
  To: Xiuzhuo Shang
  Cc: linux-arm-msm, linux-bluetooth, linux-kernel, cheng.jiang,
	quic_chezhou, wei.deng, shuai.zhang, mengshi.wu, jinwang.li,
	Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz
In-Reply-To: <c0eee7b4-50ee-4635-b8d6-fe9cb4ea05a8@oss.qualcomm.com>

On Wed, Jun 10, 2026 at 9:36 AM Xiuzhuo Shang
<xiuzhuo.shang@oss.qualcomm.com> wrote:
>
> Hi Bart,
>
> The main change in v2 was the commit message — I added the motivation and an example log line as
>
> Paul requested on v1. Carrying your Acked-by (given on v1) forward was just to avoid losing it. So
>
> v2 wasn't sent solely to collect a tag.
>

Well, I don't know it because you didn't add a changelog to v2. Please
add something like "Changes in v2:" in the future.

Bartosz

^ permalink raw reply

* Re: [PATCH BlueZ] shared/bap: Transition ASE to QoS Configured on CIS loss
From: Simon Mikuda @ 2026-06-10  7:57 UTC (permalink / raw)
  To: Pauli Virtanen, linux-bluetooth
In-Reply-To: <e89af328197d3fb429c08b7a3107d7fd8e05ac00.camel@iki.fi>

this check is for ep (struct bt_bap_endpoint) that is used only for 
unicast. broadcasts use different state in struct bt_bap_stream, so it 
should be OK

On 6/10/26 00:15, Pauli Virtanen wrote:
> ti, 2026-06-09 kello 23:11 +0200, Simon Mikuda kirjoitti:
>> stream_io_disconnected() only handled the Releasing state, leaving
>> Enabling, Streaming and Disabling ASEs stuck when the CIS was lost
>> unexpectedly. The ASE shall autonomously move to QoS Configured on loss
>> of the CIS and notify the peer; add that transition.
>>
>> Fixes PTS test BAP/USR/SCC/BV-167-C
>> ---
>>   src/shared/bap.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/src/shared/bap.c b/src/shared/bap.c
>> index deb85b264..350ed53d9 100644
>> --- a/src/shared/bap.c
>> +++ b/src/shared/bap.c
>> @@ -6779,6 +6779,14 @@ static bool stream_io_disconnected(struct io *io, void *user_data)
>>   	if (stream->ep->state == BT_ASCS_ASE_STATE_RELEASING)
>>   		stream_set_state(stream, BT_BAP_STREAM_STATE_CONFIG);
>>   
>> +	/* On loss of the CIS the ASE shall autonomously transition to QoS
>> +	 * Configured and notify the peer.
>> +	 */
>> +	if (stream->ep->state == BT_ASCS_ASE_STATE_STREAMING ||
>> +			stream->ep->state == BT_ASCS_ASE_STATE_ENABLING ||
>> +			stream->ep->state == BT_ASCS_ASE_STATE_DISABLING)
>> +		stream_set_state(stream, BT_BAP_STREAM_STATE_QOS);
>> +
>>   	bt_bap_stream_set_io(stream, -1);
>>   	return false;
>>   }
> iirc it may be also broadcast source here, does it do the right thing?
>

^ permalink raw reply

* Re: [PATCH BlueZ] shared/bap: Don't link ucast streams before CIS IDs are assigned
From: Simon Mikuda @ 2026-06-10  7:46 UTC (permalink / raw)
  To: Pauli Virtanen, linux-bluetooth
In-Reply-To: <0744a915b7ea628647a17fa9aad0aa4365f83989.camel@iki.fi>

I looked into it and 0 is valid ID (probably not used, but still valid).

There is a ugly part in bluez though, when stream is allocated cig and 
cis in qos struct are 0 not 0xff:

stream = new0(struct bt_bap_stream, 1);   /* qos all-zero: cig/cis = 0 */

and also in tests there are some struct comparisons that also use 
cig/cis == 0. Some parts check for 0xff (BT_ISO_QOS_CIG_UNSET, 
BT_ISO_QOS_CIS_UNSET)

Maybe more clean fix would be to hook this up to state, so that when 
CIG/CIS is not at least configured it is rejected e.g.:

if (stream->ep->state < BT_ASCS_ASE_STATE_QOS || link->ep->state < 
BT_ASCS_ASE_STATE_QOS)
         return -EINVAL;

Also probably i should cleanup all structs (code and tests), so that cig 
and cis are initialized properly with 0xff. And then provide the fix?

On 6/10/26 00:03, Pauli Virtanen wrote:
> ti, 2026-06-09 kello 23:11 +0200, Simon Mikuda kirjoitti:
>> bap_ucast_io_link pairs streams whose CIG/CIS IDs match, but the IDs
>> are unset in Codec Configured state, so a Sink and Source bound for
>> different CISes get linked. The stray link later propagates a
>> disconnect to the wrong ASE and breaks Receiver Start Ready.
>>
>> Skip linking until QoS Configured assigns the IDs.
>>
>> Fixes PTS test BAP/USR/STR/BV-362-C
>> ---
>>   src/shared/bap.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/src/shared/bap.c b/src/shared/bap.c
>> index deb85b264..98537de60 100644
>> --- a/src/shared/bap.c
>> +++ b/src/shared/bap.c
>> @@ -2679,6 +2679,12 @@ static int bap_ucast_io_link(struct bt_bap_stream *stream,
>>   			stream->ep->dir == link->ep->dir)
>>   		return -EINVAL;
>>   
>> +	/* Don't link until QoS Configured assigns the CIS IDs; while unset
>> +	 * the check above would pair unrelated streams.
>> +	 */
>> +	if (!stream->qos.ucast.cis_id || !link->qos.ucast.cis_id)
>> +		return -EINVAL;
> Zero is valid CIS ID?
>
>> +
>>   	if (stream->client && !(stream->locked && link->locked))
>>   		return -EINVAL;
>>   

^ permalink raw reply

* Re: [PATCH v2 4/7] dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
From: Krzysztof Kozlowski @ 2026-06-10  7:41 UTC (permalink / raw)
  To: Dmitry Baryshkov
  Cc: Manivannan Sadhasivam, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
	Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
	Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
	Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
	Rocky Liao, Bjorn Andersson, Konrad Dybcio, linux-arm-msm,
	linux-pci, linux-kernel, linux-wireless, ath11k, devicetree,
	Bartosz Golaszewski, linux-bluetooth, Bartosz Golaszewski
In-Reply-To: <20260608-sm8350-wifi-v2-4-efb68f1ff04c@oss.qualcomm.com>

On Mon, Jun 08, 2026 at 09:59:22AM +0300, Dmitry Baryshkov wrote:
> WCN6851 is an earlier version of WCN6855 WiFi/BT chip, compatible with
> it. Add a device-specific compat string with the fallback to WCN6855
> one.
> 
> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
> ---
>  .../devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml        | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>

Best regards,
Krzysztof


^ permalink raw reply

* Re: [PATCH v2] Bluetooth: qca: Add BT FW build version to kernel log
From: Xiuzhuo Shang @ 2026-06-10  7:36 UTC (permalink / raw)
  To: Bartosz Golaszewski
  Cc: linux-arm-msm, linux-bluetooth, linux-kernel, cheng.jiang,
	quic_chezhou, wei.deng, shuai.zhang, mengshi.wu, jinwang.li,
	Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz
In-Reply-To: <CAMRc=MdojC6T1RuqRNE-ssoRw1pKyUHyOS9AD0ROfCpPPOqw1A@mail.gmail.com>

Hi Bart,

The main change in v2 was the commit message — I added the motivation and an example log line as

Paul requested on v1. Carrying your Acked-by (given on v1) forward was just to avoid losing it. So

v2 wasn't sent solely to collect a tag.


Thanks,

Xiuzhuo
 

On 6/10/2026 3:07 PM, Bartosz Golaszewski wrote:
> On Wed, 10 Jun 2026 08:42:32 +0200, Xiuzhuo Shang
> <xiuzhuo.shang@oss.qualcomm.com> said:
>> Firmware version is critical for bug triage. Users reporting issues
>> typically share dmesg output rather than debugfs contents, requiring
>> extra communication rounds to collect this information. Log the FW
>> build version directly to the kernel log so it is immediately
>> available in bug reports.
>>
>> Acked-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
>> Signed-off-by: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
>> ---
> 
> Please don't send a new version if all you did is collected a single tag.
> 
> Bart


^ permalink raw reply

* Re: [PATCH v4 2/8] dt-bindings: net: wireless: qcom,ath10k: Document NVMEM cells
From: Krzysztof Kozlowski @ 2026-06-10  7:16 UTC (permalink / raw)
  To: Loic Poulain
  Cc: Ulf Hansson, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
	Bjorn Andersson, Konrad Dybcio, Jens Axboe, Johannes Berg,
	Jeff Johnson, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Srinivas Kandagatla, Andrew Lunn, Heiner Kallweit,
	Russell King, Saravana Kannan, linux-mmc, devicetree,
	linux-kernel, linux-arm-msm, linux-block, linux-wireless, ath10k,
	linux-bluetooth, netdev, daniel, Bartosz Golaszewski
In-Reply-To: <20260609-block-as-nvmem-v4-2-45712e6b22c6@oss.qualcomm.com>

On Tue, Jun 09, 2026 at 09:52:27AM +0200, Loic Poulain wrote:
> Document the NVMEM cells supported by the ath10k driver, the
> mac-address, pre-calibration data, and calibration data.
> 
> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
> Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
> ---
>  .../devicetree/bindings/net/wireless/qcom,ath10k.yaml    | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml b/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml
> index c21d66c7cd558ab792524be9afec8b79272d1c87..7391df5e7071e626af4c64b9919d48c41ac09f1e 100644
> --- a/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml
> +++ b/Documentation/devicetree/bindings/net/wireless/qcom,ath10k.yaml
> @@ -92,6 +92,22 @@ properties:
>  
>    ieee80211-freq-limit: true
>  
> +  nvmem-cells:
> +    minItems: 1
> +    maxItems: 3
> +    description: |

If there is going to be resend:
Do not need '|' unless you need to preserve formatting.

> +      References to nvmem cells for MAC address and/or calibration data.
> +      Supported cell names are mac-address, calibration, and pre-calibration.
> +
> +  nvmem-cell-names:
> +    minItems: 1
> +    maxItems: 3
> +    items:
> +      enum:
> +        - mac-address
> +        - calibration
> +        - pre-calibration

This means you expect random order with variable number of items. Is
that intentional? If yes, please provide short explanation in the commit
msg.

Best regards,
Krzysztof


^ permalink raw reply

* Re: [PATCH v2] Bluetooth: qca: Add BT FW build version to kernel log
From: Bartosz Golaszewski @ 2026-06-10  7:07 UTC (permalink / raw)
  To: Xiuzhuo Shang
  Cc: linux-arm-msm, linux-bluetooth, linux-kernel, cheng.jiang,
	quic_chezhou, wei.deng, shuai.zhang, mengshi.wu, jinwang.li,
	Bartosz Golaszewski, Bartosz Golaszewski, Marcel Holtmann,
	Luiz Augusto von Dentz
In-Reply-To: <20260610064232.2385866-1-xiuzhuo.shang@oss.qualcomm.com>

On Wed, 10 Jun 2026 08:42:32 +0200, Xiuzhuo Shang
<xiuzhuo.shang@oss.qualcomm.com> said:
> Firmware version is critical for bug triage. Users reporting issues
> typically share dmesg output rather than debugfs contents, requiring
> extra communication rounds to collect this information. Log the FW
> build version directly to the kernel log so it is immediately
> available in bug reports.
>
> Acked-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
> Signed-off-by: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
> ---

Please don't send a new version if all you did is collected a single tag.

Bart

^ permalink raw reply

* Re: [PATCH] Bluetooth: btmtksdio: fix infinite loop in btmtksdio_txrx_work()
From: Sean Wang @ 2026-06-10  6:52 UTC (permalink / raw)
  To: Sergey Senozhatsky
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, Mark-yw Chen, Sean Wang,
	Tomasz Figa, linux-bluetooth, linux-kernel, linux-arm-kernel,
	linux-mediatek, stable
In-Reply-To: <20260609121329.1262170-1-senozhatsky@chromium.org>

Hi,

On Tue, Jun 9, 2026 at 7:19 AM Sergey Senozhatsky
<senozhatsky@chromium.org> wrote:
>
> Every once in a while we see a hung btmtksdio_flush() task:
>
>  INFO: task kworker/u17:0:189 blocked for more than 122 seconds.
>  __cancel_work_timer+0x3f4/0x460
>  cancel_work_sync+0x1c/0x2c
>  btmtksdio_flush+0x2c/0x40
>  hci_dev_open_sync+0x10c4/0x2190
>  [..]
>
> It all boils down to incorrect time_is_before_jiffies() usage in
> btmtksdio_txrx_work().  The btmtksdio_txrx_work() loop is expected
> to be terminated if running for longer than 5*HZ.  However the
> timeout check is twisted:  time_is_before_jiffies(old_jiffies + 5*HZ)
> evaluates to true when old_jiffies + 5*HZ is in the past i.e. when a
> timeout has occurred.  Using OR with time_is_before_jiffies(txrx_timeout)
> means that:
> - before the 5-second timeout: the condition is `int_status || false`,
>   so it loops as long as there are pending interrupts.
> - after the 5-second timeout: the condition becomes `int_status || true`,
>   which is always true.
>
> When the loop becomes infinite btmtksdio_txrx_work() loop never
> terminates and never releases the SDIO host.
>
> Fix loop termination condition to actually enforce a 5*HZ timeout.
>
> Fixes: 26270bc189ea4 ("Bluetooth: btmtksdio: move interrupt service to work")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> ---
>  drivers/bluetooth/btmtksdio.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
> index 5b0fab7b89b5..c6f80c419e90 100644
> --- a/drivers/bluetooth/btmtksdio.c
> +++ b/drivers/bluetooth/btmtksdio.c
> @@ -620,7 +620,7 @@ static void btmtksdio_txrx_work(struct work_struct *work)
>                         if (btmtksdio_rx_packet(bdev, rx_size) < 0)
>                                 bdev->hdev->stat.err_rx++;
>                 }
> -       } while (int_status || time_is_before_jiffies(txrx_timeout));
> +       } while (int_status && time_is_after_jiffies(txrx_timeout));

yes, loop continues only while there is interrupt work and the timeout
deadline is still in the future

Reviewed-by: Sean Wang <sean.wang@mediatek.com>

Thanks for fixing this long-standing  issue.

>
>         /* Enable interrupt */
>         if (bdev->func->irq_handler)
> --
> 2.54.0.1064.gd145956f57-goog
>
>

^ permalink raw reply

* [PATCH] Bluetooth: SCO: Fix use-after-free in sco_conn_ready() connect path
From: Sanghyun Park @ 2026-06-10  6:43 UTC (permalink / raw)
  To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
  Cc: Sanghyun Park, linux-bluetooth, linux-kernel

sco_conn_ready() reads conn->sk without holding the connection lock or
taking a socket reference. A concurrent close() can detach and free that
socket before sco_conn_ready() calls lock_sock(sk), resulting in a
use-after-free.

Fix this by taking the connection lock and using sco_sock_hold() to read
conn->sk with a reference held before calling lock_sock(). Drop the
reference with sock_put() after releasing the socket lock.

Race:

  CPU0 (hci_rx_work)                 CPU1 (userspace close)
  ============================       ==========================
  sco_conn_ready(conn):
    sk = conn->sk
                                     close(sco_fd)
                                       sco_sock_release()
                                         sco_sock_close()
                                           __sco_sock_close()
                                             sco_chan_del()
                                               conn->sk = NULL
                                         sock_orphan()
                                         sco_sock_kill()
                                           sock_put(sk) -> frees sk
    lock_sock(sk)
    // UAF: sk may already be freed

Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
---
 net/bluetooth/sco.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 6383db54657..c2c4b5a5b82 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -1306,16 +1306,21 @@ static int sco_sock_release(struct socket *sock)
 static void sco_conn_ready(struct sco_conn *conn)
 {
 	struct sock *parent;
-	struct sock *sk = conn->sk;
+	struct sock *sk;
 
 	BT_DBG("conn %p", conn);
 
+	sco_conn_lock(conn);
+	sk = sco_sock_hold(conn);
+	sco_conn_unlock(conn);
+
 	if (sk) {
 		lock_sock(sk);
 		sco_sock_clear_timer(sk);
 		sk->sk_state = BT_CONNECTED;
 		sk->sk_state_change(sk);
 		release_sock(sk);
+		sock_put(sk);
 	} else {
 		sco_conn_lock(conn);
 
-- 
2.48.1

^ permalink raw reply related

* [PATCH v2] Bluetooth: qca: Add BT FW build version to kernel log
From: Xiuzhuo Shang @ 2026-06-10  6:42 UTC (permalink / raw)
  To: Bartosz Golaszewski, Marcel Holtmann, Luiz Augusto von Dentz
  Cc: linux-arm-msm, linux-bluetooth, linux-kernel, cheng.jiang,
	quic_chezhou, wei.deng, shuai.zhang, mengshi.wu, jinwang.li,
	xiuzhuo.shang, Bartosz Golaszewski
In-Reply-To: <20260609075417.1160702-1-xiuzhuo.shang@oss.qualcomm.com>

Firmware version is critical for bug triage. Users reporting issues
typically share dmesg output rather than debugfs contents, requiring
extra communication rounds to collect this information. Log the FW
build version directly to the kernel log so it is immediately
available in bug reports.

Acked-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
---
Example output:
  Bluetooth: hci0: QCA FW build version: BTFW.MOSELLE.1.1.3-00106-MSL_PATCHZ-1
 drivers/bluetooth/btqca.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index dda76365726f..04ebe290bc78 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -143,6 +143,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
 
 	hci_set_fw_info(hdev, "%s", build_label);
 
+	bt_dev_info(hdev, "QCA FW build version: %s", build_label);
+
 	kfree(build_label);
 out:
 	kfree_skb(skb);
-- 
2.43.0


^ permalink raw reply related

* [bluetooth-next:master] BUILD SUCCESS e5ea095d9bd1f3cf78d56f780d0f278f77663373
From: kernel test robot @ 2026-06-10  6:12 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
branch HEAD: e5ea095d9bd1f3cf78d56f780d0f278f77663373  Bluetooth: btintel_pcie: Load IOSF debug regs by controller variant

elapsed time: 766m

configs tested: 174
configs skipped: 3

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
alpha                             allnoconfig    gcc-16.1.0
alpha                            allyesconfig    gcc-16.1.0
alpha                               defconfig    gcc-16.1.0
arc                              allmodconfig    clang-23
arc                               allnoconfig    gcc-16.1.0
arc                              allyesconfig    clang-23
arc                                 defconfig    gcc-16.1.0
arc                   randconfig-001-20260610    gcc-8.5.0
arc                   randconfig-002-20260610    gcc-8.5.0
arm                               allnoconfig    gcc-16.1.0
arm                              allyesconfig    clang-23
arm                                 defconfig    gcc-16.1.0
arm                   randconfig-001-20260610    gcc-8.5.0
arm                   randconfig-002-20260610    gcc-8.5.0
arm                   randconfig-003-20260610    gcc-8.5.0
arm                   randconfig-004-20260610    gcc-8.5.0
arm64                            allmodconfig    clang-23
arm64                             allnoconfig    gcc-16.1.0
arm64                               defconfig    gcc-16.1.0
arm64                 randconfig-001-20260610    gcc-11.5.0
arm64                 randconfig-002-20260610    gcc-11.5.0
arm64                 randconfig-003-20260610    gcc-11.5.0
arm64                 randconfig-004-20260610    gcc-11.5.0
csky                             allmodconfig    gcc-16.1.0
csky                              allnoconfig    gcc-16.1.0
csky                                defconfig    gcc-16.1.0
csky                  randconfig-001-20260610    gcc-11.5.0
csky                  randconfig-002-20260610    gcc-11.5.0
hexagon                          allmodconfig    gcc-16.1.0
hexagon                           allnoconfig    gcc-16.1.0
hexagon                             defconfig    gcc-16.1.0
hexagon               randconfig-001-20260610    clang-22
hexagon               randconfig-002-20260610    clang-22
i386                             allmodconfig    clang-22
i386                              allnoconfig    gcc-16.1.0
i386                             allyesconfig    clang-22
i386        buildonly-randconfig-001-20260610    gcc-14
i386        buildonly-randconfig-002-20260610    gcc-14
i386        buildonly-randconfig-003-20260610    gcc-14
i386        buildonly-randconfig-004-20260610    gcc-14
i386        buildonly-randconfig-005-20260610    gcc-14
i386        buildonly-randconfig-006-20260610    gcc-14
i386                                defconfig    gcc-16.1.0
i386                  randconfig-001-20260610    gcc-14
i386                  randconfig-002-20260610    gcc-14
i386                  randconfig-003-20260610    gcc-14
i386                  randconfig-004-20260610    gcc-14
i386                  randconfig-005-20260610    gcc-14
i386                  randconfig-006-20260610    gcc-14
i386                  randconfig-007-20260610    gcc-14
i386                  randconfig-011-20260610    gcc-14
i386                  randconfig-012-20260610    gcc-14
i386                  randconfig-013-20260610    gcc-14
i386                  randconfig-014-20260610    gcc-14
i386                  randconfig-015-20260610    gcc-14
i386                  randconfig-016-20260610    gcc-14
i386                  randconfig-017-20260610    gcc-14
loongarch                        allmodconfig    clang-23
loongarch                         allnoconfig    gcc-16.1.0
loongarch                           defconfig    clang-23
loongarch             randconfig-001-20260610    clang-22
loongarch             randconfig-002-20260610    clang-22
m68k                             allmodconfig    gcc-16.1.0
m68k                              allnoconfig    gcc-16.1.0
m68k                             allyesconfig    clang-23
m68k                                defconfig    clang-23
microblaze                        allnoconfig    gcc-16.1.0
microblaze                       allyesconfig    gcc-16.1.0
microblaze                          defconfig    clang-23
mips                             allmodconfig    gcc-16.1.0
mips                              allnoconfig    gcc-16.1.0
mips                             allyesconfig    gcc-16.1.0
nios2                            allmodconfig    clang-20
nios2                             allnoconfig    clang-23
nios2                               defconfig    clang-23
nios2                 randconfig-001-20260610    clang-22
nios2                 randconfig-002-20260610    clang-22
openrisc                         allmodconfig    clang-20
openrisc                          allnoconfig    clang-23
openrisc                            defconfig    gcc-16.1.0
parisc                           allmodconfig    gcc-16.1.0
parisc                            allnoconfig    clang-23
parisc                           allyesconfig    clang-17
parisc                              defconfig    gcc-16.1.0
parisc                randconfig-001-20260610    gcc-8.5.0
parisc                randconfig-002-20260610    gcc-8.5.0
parisc64                            defconfig    clang-23
powerpc                          allmodconfig    gcc-16.1.0
powerpc                           allnoconfig    clang-23
powerpc                   microwatt_defconfig    gcc-16.1.0
powerpc               randconfig-001-20260610    gcc-8.5.0
powerpc               randconfig-002-20260610    gcc-8.5.0
powerpc64             randconfig-001-20260610    gcc-8.5.0
powerpc64             randconfig-002-20260610    gcc-8.5.0
riscv                            allmodconfig    clang-23
riscv                             allnoconfig    clang-23
riscv                            allyesconfig    clang-23
riscv                               defconfig    gcc-16.1.0
riscv                          randconfig-001    gcc-16.1.0
riscv                 randconfig-001-20260610    gcc-16.1.0
riscv                          randconfig-002    gcc-16.1.0
riscv                 randconfig-002-20260610    gcc-16.1.0
s390                             allmodconfig    clang-17
s390                              allnoconfig    clang-23
s390                             allyesconfig    gcc-16.1.0
s390                                defconfig    gcc-16.1.0
s390                           randconfig-001    gcc-16.1.0
s390                  randconfig-001-20260610    gcc-16.1.0
s390                           randconfig-002    gcc-16.1.0
s390                  randconfig-002-20260610    gcc-16.1.0
sh                               allmodconfig    gcc-16.1.0
sh                                allnoconfig    clang-23
sh                               allyesconfig    clang-17
sh                                  defconfig    gcc-14
sh                             randconfig-001    gcc-16.1.0
sh                    randconfig-001-20260610    gcc-16.1.0
sh                             randconfig-002    gcc-16.1.0
sh                    randconfig-002-20260610    gcc-16.1.0
sparc                             allnoconfig    clang-23
sparc                               defconfig    gcc-16.1.0
sparc                 randconfig-001-20260610    gcc-14.3.0
sparc                 randconfig-002-20260610    gcc-14.3.0
sparc64                          allmodconfig    clang-20
sparc64                             defconfig    gcc-14
sparc64               randconfig-001-20260610    gcc-14.3.0
sparc64               randconfig-002-20260610    gcc-14.3.0
um                               allmodconfig    clang-17
um                                allnoconfig    clang-23
um                               allyesconfig    gcc-16.1.0
um                                  defconfig    gcc-14
um                             i386_defconfig    gcc-14
um                    randconfig-001-20260610    gcc-14.3.0
um                    randconfig-002-20260610    gcc-14.3.0
um                           x86_64_defconfig    gcc-14
x86_64                           allmodconfig    clang-22
x86_64                            allnoconfig    clang-23
x86_64                           allyesconfig    clang-22
x86_64      buildonly-randconfig-001-20260610    gcc-14
x86_64      buildonly-randconfig-002-20260610    gcc-14
x86_64      buildonly-randconfig-003-20260610    gcc-14
x86_64      buildonly-randconfig-004-20260610    gcc-14
x86_64      buildonly-randconfig-005-20260610    gcc-14
x86_64      buildonly-randconfig-006-20260610    gcc-14
x86_64                              defconfig    gcc-14
x86_64                                  kexec    clang-22
x86_64                randconfig-001-20260610    gcc-13
x86_64                randconfig-002-20260610    gcc-13
x86_64                randconfig-003-20260610    gcc-13
x86_64                randconfig-004-20260610    gcc-13
x86_64                randconfig-005-20260610    gcc-13
x86_64                randconfig-006-20260610    gcc-13
x86_64                randconfig-011-20260610    gcc-14
x86_64                randconfig-012-20260610    gcc-14
x86_64                randconfig-013-20260610    gcc-14
x86_64                randconfig-014-20260610    gcc-14
x86_64                randconfig-015-20260610    gcc-14
x86_64                randconfig-016-20260610    gcc-14
x86_64                randconfig-071-20260610    gcc-14
x86_64                randconfig-072-20260610    gcc-14
x86_64                randconfig-073-20260610    gcc-14
x86_64                randconfig-074-20260610    gcc-14
x86_64                randconfig-075-20260610    gcc-14
x86_64                randconfig-076-20260610    gcc-14
x86_64                               rhel-9.4    clang-22
x86_64                           rhel-9.4-bpf    gcc-14
x86_64                          rhel-9.4-func    clang-22
x86_64                    rhel-9.4-kselftests    clang-22
x86_64                         rhel-9.4-kunit    gcc-14
x86_64                           rhel-9.4-ltp    gcc-14
x86_64                          rhel-9.4-rust    clang-22
xtensa                            allnoconfig    clang-23
xtensa                           allyesconfig    clang-20
xtensa                randconfig-001-20260610    gcc-14.3.0
xtensa                randconfig-002-20260610    gcc-14.3.0

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply

* [PATCH v2] Bluetooth: SCO: Fix use-after-free on listening socket in sco_conn_ready()
From: Sanghyun Park @ 2026-06-10  6:08 UTC (permalink / raw)
  To: marcel, johan.hedberg, luiz.dentz
  Cc: Sanghyun Park, linux-bluetooth, linux-kernel

sco_conn_ready() calls sco_get_sock_listen() which returns a raw
pointer to a listening socket without taking a reference. After
releasing sco_sk_list.lock, a concurrent close() of the listening socket
can free it between the list lookup return and lock_sock(parent),
resulting in a use-after-free.

Fix by taking a reference with sock_hold() inside sco_get_sock_listen()
while the list lock is still held, and dropping it with sock_put() in
sco_conn_ready() after release_sock().

Race:

  CPU0 (HCI event workqueue)         CPU1 (userspace)
  ============================       ==========================
  sco_conn_ready():
    parent = sco_get_sock_listen()
      // returns parent without a reference
                                     close(listen_fd):
                                       sco_sock_release()
                                         sco_sock_kill()
                                           sock_put(parent) -> frees parent
    lock_sock(parent)
    // UAF: parent may already be freed

Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
---
Changes in v2:
 - Move sock_hold() from sco_conn_ready() into sco_get_sock_listen() so
   the reference is taken while sco_sk_list.lock is still held.
 - Drop the verbose reproduction/KASAN text, personal note, and unverified
   Fixes tag from the commit message.
 - Fix whitespace damage.

 net/bluetooth/sco.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 6383db54657..20518bbc93a 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -410,6 +410,11 @@ static struct sock *sco_get_sock_listen(bdaddr_t *src)
 			sk1 = sk;
 	}
 
+	if (sk)
+		sock_hold(sk);
+	else if (sk1)
+		sock_hold(sk1);
+
 	read_unlock(&sco_sk_list.lock);
 
 	return sk ? sk : sk1;
@@ -1336,6 +1341,7 @@ static void sco_conn_ready(struct sco_conn *conn)
 				    BTPROTO_SCO, GFP_ATOMIC, 0);
 		if (!sk) {
 			release_sock(parent);
+			sock_put(parent);
 			sco_conn_unlock(conn);
 			return;
 		}
@@ -1357,6 +1363,7 @@ static void sco_conn_ready(struct sco_conn *conn)
 		parent->sk_data_ready(parent);
 
 		release_sock(parent);
+		sock_put(parent);
 
 		sco_conn_unlock(conn);
 	}

^ permalink raw reply related

* Re: [PATCH v1] Bluetooth: qca: Add BT FW build version log
From: Xiuzhuo Shang @ 2026-06-10  5:49 UTC (permalink / raw)
  To: Paul Menzel, Bartosz Golaszewski
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, linux-arm-msm,
	linux-bluetooth, linux-kernel, cheng.jiang, quic_chezhou,
	wei.deng, shuai.zhang, mengshi.wu, jinwang.li
In-Reply-To: <8697f148-5e21-44b4-a949-9d348e39c2ea@molgen.mpg.de>


Hi,Paul,

On 6/9/2026 6:29 PM, Paul Menzel wrote:
> Dear Xiuzhuo, dear Bartosz
> 
> 
> Am 09.06.26 um 11:39 schrieb Bartosz Golaszewski:
>> On Tue, 9 Jun 2026 09:54:17 +0200, Xiuzhuo Shang said:
>>> Printf BT FW build version log after BT FW downloaded.
> 
> Please paste the new lines, so reviewers see how it is going to look like. Please also document a motivation (answering Why?).
Thanks for your suggestion, I will send PATCH v2.

> 
>>> Signed-off-by: Xiuzhuo Shang <xiuzhuo.shang@oss.qualcomm.com>
>>> ---
>>>   drivers/bluetooth/btqca.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
>>> index dda76365726f..04ebe290bc78 100644
>>> --- a/drivers/bluetooth/btqca.c
>>> +++ b/drivers/bluetooth/btqca.c
>>> @@ -143,6 +143,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
>>>
>>>       hci_set_fw_info(hdev, "%s", build_label);
>>>
>>> +    bt_dev_info(hdev, "QCA FW build version: %s", build_label);
>>> +
>>>       kfree(build_label);
>>>   out:
>>>       kfree_skb(skb);
>>
>> This string can be read from debugfs, do we need an additional message in the
>> kernel log?
> 
> In my opinion the firmware version should be part of the Linux logs, as that is what users share with bug reports, and you do not want to have several cycles collecting information. For example, currently for QCA6174 it’s currently:
> 
>     Bluetooth: hci0: QCA: patch rome 0x302 build 0x3e8, firmware rome 0x302 build 0x111
> 
> 
> Kind regards,
> 
> Paul
> 
> 
> PS:
> 
> ```
> $ sudo dmesg | grep -e ath10k -e Bluetooth
> [   17.880668] ath10k_pci 0000:3a:00.0: enabling device (0000 -> 0002)
> [   17.883428] ath10k_pci 0000:3a:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
> [   18.138972] ath10k_pci 0000:3a:00.0: qca6174 hw3.2 target 0x05030000 chip_id 0x00340aff sub 1a56:1535
> [   18.138977] ath10k_pci 0000:3a:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 0 testmode 0
> [   18.139068] ath10k_pci 0000:3a:00.0: firmware ver WLAN.RM.4.4.1-00309- api 6 features wowlan,ignore-otp,mfp crc32 0793bcf2
> [   18.206593] ath10k_pci 0000:3a:00.0: board_file api 2 bmi_id N/A crc32 d2863f91
> [   18.221145] Bluetooth: Core ver 2.22
> [   18.221802] Bluetooth: HCI device and connection manager initialized
> [   18.221807] Bluetooth: HCI socket layer initialized
> [   18.221808] Bluetooth: L2CAP socket layer initialized
> [   18.221813] Bluetooth: SCO socket layer initialized
> [   18.258187] Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00000302.bin
> [   18.258192] Bluetooth: hci0: QCA: patch rome 0x302 build 0x3e8, firmware rome 0x302 build 0x111
> [   18.301557] ath10k_pci 0000:3a:00.0: htt-ver 3.87 wmi-op 4 htt-op 3 cal otp max-sta 32 raw 0 hwcrypto 1
> [   18.381567] ath10k_pci 0000:3a:00.0 wlp58s0: renamed from wlan0
> [   18.619003] Bluetooth: hci0: using NVM file: qca/nvm_usb_00000302.bin
> [   18.643646] Bluetooth: hci0: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
> ```


^ permalink raw reply

* RE: [BlueZ] avrcp: Abort continuing response on fragmented CT replies
From: bluez.test.bot @ 2026-06-09 23:06 UTC (permalink / raw)
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609212656.3900190-1-simon.mikuda@streamunlimited.com>

[-- Attachment #1: Type: text/plain, Size: 989 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108830

---Test result---

Test Summary:
CheckPatch                    PASS      0.47 seconds
GitLint                       PASS      0.32 seconds
BuildEll                      PASS      20.54 seconds
BluezMake                     PASS      650.26 seconds
MakeCheck                     PASS      3.37 seconds
MakeDistcheck                 PASS      248.95 seconds
CheckValgrind                 PASS      225.60 seconds
CheckSmatch                   PASS      353.04 seconds
bluezmakeextell               PASS      182.32 seconds
IncrementalBuild              PASS      659.64 seconds
ScanBuild                     PASS      1039.95 seconds



https://github.com/bluez/bluez/pull/2211

---
Regards,
Linux Bluetooth


^ permalink raw reply

* RE: [BlueZ] avdtp: Return correct error when SEP is inuse
From: bluez.test.bot @ 2026-06-09 23:06 UTC (permalink / raw)
  To: linux-bluetooth, simon.mikuda
In-Reply-To: <20260609213013.3900808-1-simon.mikuda@streamunlimited.com>

[-- Attachment #1: Type: text/plain, Size: 989 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1108834

---Test result---

Test Summary:
CheckPatch                    PASS      0.28 seconds
GitLint                       PASS      0.20 seconds
BuildEll                      PASS      20.53 seconds
BluezMake                     PASS      669.66 seconds
MakeCheck                     PASS      2.95 seconds
MakeDistcheck                 PASS      247.75 seconds
CheckValgrind                 PASS      228.75 seconds
CheckSmatch                   PASS      352.15 seconds
bluezmakeextell               PASS      184.12 seconds
IncrementalBuild              PASS      662.09 seconds
ScanBuild                     PASS      1053.81 seconds



https://github.com/bluez/bluez/pull/2212

---
Regards,
Linux Bluetooth


^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox