* [syzbot] [bluetooth?] INFO: trying to register non-static key in bt_accept_unlink
From: syzbot @ 2026-06-13 8:24 UTC (permalink / raw)
To: linux-bluetooth, linux-kernel, luiz.dentz, marcel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 2d3090a8aeb5 Merge tag 'v7.1-p5' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=157291b6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=65472e27d1590a04
dashboard link: https://syzkaller.appspot.com/bug?extid=534002670dd34a114fdc
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/90834e94de32/disk-2d3090a8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e27c57900a9a/vmlinux-2d3090a8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/210244c0b7d3/bzImage-2d3090a8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+534002670dd34a114fdc@syzkaller.appspotmail.com
Bluetooth: hci1: hardware error 0x00
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 1 UID: 0 PID: 5637 Comm: kworker/u9:3 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: hci1 hci_error_reset
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0xcc/0x2e0 kernel/locking/lockdep.c:1299
__lock_acquire+0xad/0x2cf0 kernel/locking/lockdep.c:5112
lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
_raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:182
spin_lock_bh include/linux/spinlock.h:348 [inline]
bt_accept_unlink+0x65/0x2c0 net/bluetooth/af_bluetooth.c:265
l2cap_sock_teardown_cb+0x17e/0x490 net/bluetooth/l2cap_sock.c:1682
l2cap_chan_del+0xb5/0x610 net/bluetooth/l2cap_core.c:658
l2cap_conn_del+0x33d/0x570 net/bluetooth/l2cap_core.c:1804
hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
hci_conn_hash_flush+0x10d/0x260 net/bluetooth/hci_conn.c:2736
hci_dev_close_sync+0x85d/0x1150 net/bluetooth/hci_sync.c:5383
hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
hci_error_reset+0x127/0x4c0 net/bluetooth/hci_core.c:998
process_one_work kernel/workqueue.c:3314 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
kthread+0x389/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
slab kmalloc-2k start ffff888029aaa000 pointer offset 1400 size 2048
list_del corruption. prev->next should be ffff8880682f5578, but was 0000000000000001. (prev=ffff888029aaa578)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 5637 Comm: kworker/u9:3 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: hci1 hci_error_reset
RIP: 0010:__list_del_entry_valid_or_report+0x15a/0x190 lib/list_debug.c:62
Code: e8 6b e7 52 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 3c 8a 74 fd 49 8b 17 48 c7 c7 a0 be 28 8c 48 89 de 4c 89 f9 e8 e7 26 6b fc 90 <0f> 0b 4c 89 f7 e8 3c e7 52 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 0d
RSP: 0018:ffffc9000202f800 EFLAGS: 00010246
RAX: 000000000000006d RBX: ffff8880682f5578 RCX: 5386ffdc73148000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1cfd240 R12: 1ffff110053554af
R13: dffffc0000000000 R14: ffff888029aaa578 R15: ffff888029aaa578
FS: 0000000000000000(0000) GS:ffff8881253a0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1552dd9062 CR3: 000000001f339000 CR4: 0000000000350ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:246 [inline]
list_del_init include/linux/list.h:318 [inline]
bt_accept_unlink+0x74/0x2c0 net/bluetooth/af_bluetooth.c:266
l2cap_sock_teardown_cb+0x17e/0x490 net/bluetooth/l2cap_sock.c:1682
l2cap_chan_del+0xb5/0x610 net/bluetooth/l2cap_core.c:658
l2cap_conn_del+0x33d/0x570 net/bluetooth/l2cap_core.c:1804
hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
hci_conn_hash_flush+0x10d/0x260 net/bluetooth/hci_conn.c:2736
hci_dev_close_sync+0x85d/0x1150 net/bluetooth/hci_sync.c:5383
hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
hci_error_reset+0x127/0x4c0 net/bluetooth/hci_core.c:998
process_one_work kernel/workqueue.c:3314 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
kthread+0x389/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x15a/0x190 lib/list_debug.c:62
Code: e8 6b e7 52 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 3c 8a 74 fd 49 8b 17 48 c7 c7 a0 be 28 8c 48 89 de 4c 89 f9 e8 e7 26 6b fc 90 <0f> 0b 4c 89 f7 e8 3c e7 52 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 0d
RSP: 0018:ffffc9000202f800 EFLAGS: 00010246
RAX: 000000000000006d RBX: ffff8880682f5578 RCX: 5386ffdc73148000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1cfd240 R12: 1ffff110053554af
R13: dffffc0000000000 R14: ffff888029aaa578 R15: ffff888029aaa578
FS: 0000000000000000(0000) GS:ffff8881253a0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1552dd9062 CR3: 000000001f339000 CR4: 0000000000350ef0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
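What the `list_del corruption. prev->next should be ..., but was 0000000000000001` line and the `kernel BUG at lib/list_debug.c:64` that follows it mean, shown as an added example that is not kernel code and not part of the syzbot report: a userspace mirror of the neighbour check CONFIG_DEBUG_LIST performs before `list_del_init()`, run once over a healthy list and once over a constructed list whose predecessor has had its `next` overwritten with 1, the same value the report shows. Both diagnostics in the report come from the same `bt_accept_unlink` call (the lockdep splat from the spinlock at af_bluetooth.c:265, the BUG from the `list_del_init` at :266); the example only shows what the list check enforces and says nothing about the root cause, which the report leaves open. The names `list_del_init_checked`, `demo_healthy_unlink` and `demo_corrupted_neighbour` are this example's own.

```c
/* Added example: userspace mirror of the CONFIG_DEBUG_LIST checks behind
 * "list_del corruption. prev->next should be X, but was Y". Not kernel code;
 * the fault in demo_corrupted_neighbour() is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head {
    struct list_head *next, *prev;
};

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;

    n->next = head;
    n->prev = prev;
    prev->next = n;
    head->prev = n;
}

/* Invariant checked before an unlink: both neighbours still point back at
 * the entry. A neighbour whose memory was freed and reused breaks it. */
static bool list_del_entry_valid(const struct list_head *entry,
                                 char *msg, size_t len)
{
    const struct list_head *prev = entry->prev, *next = entry->next;

    if (prev->next != entry) {
        snprintf(msg, len, "list_del corruption. prev->next should be %p, "
                 "but was %p. (prev=%p)", (const void *)entry,
                 (const void *)prev->next, (const void *)prev);
        return false;
    }
    if (next->prev != entry) {
        snprintf(msg, len, "list_del corruption. next->prev should be %p, "
                 "but was %p. (next=%p)", (const void *)entry,
                 (const void *)next->prev, (const void *)next);
        return false;
    }
    return true;
}

/* list_del_init() with the check in front. The kernel hits BUG() when the
 * check fails; this version refuses and leaves the entry untouched. */
static bool list_del_init_checked(struct list_head *entry, char *msg, size_t len)
{
    if (!list_del_entry_valid(entry, msg, len))
        return false;
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    INIT_LIST_HEAD(entry);
    return true;
}

/* head->a->b->c: unlinking b passes, and unlinking it again is a
 * self-referential no-op, so a plain double list_del_init() is not what
 * the check reports. Returns 1 on success. */
int demo_healthy_unlink(void)
{
    struct list_head head, a, b, c;
    char msg[128] = "";

    INIT_LIST_HEAD(&head);
    list_add_tail(&a, &head);
    list_add_tail(&b, &head);
    list_add_tail(&c, &head);

    if (!list_del_init_checked(&b, msg, sizeof msg))
        return 0;
    if (a.next != &c || c.prev != &a)
        return 0;
    return list_del_init_checked(&b, msg, sizeof msg) ? 1 : 0;
}

/* Constructed fault: b's predecessor a has next clobbered with 1, as if a's
 * memory had been freed and reused. Returns 1 if the check rejects the
 * unlink and b's own links are left intact. */
int demo_corrupted_neighbour(void)
{
    struct list_head head, a, b;
    char msg[128] = "";

    INIT_LIST_HEAD(&head);
    list_add_tail(&a, &head);
    list_add_tail(&b, &head);

    a.next = (struct list_head *)1; /* simulated clobber of prev->next */

    if (list_del_init_checked(&b, msg, sizeof msg))
        return 0;
    printf("%s\n", msg);
    return (b.prev == &a && b.next == &head) ? 1 : 0;
}

int main(void)
{
    printf("healthy unlink ok: %d\n", demo_healthy_unlink());
    printf("corruption caught: %d\n", demo_corrupted_neighbour());
    return 0;
}
```

The check can only tell that a neighbour no longer points back; which object went stale, and why, is what the vmlinux and console log linked above are for.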
* [Bug 73081] Fail to setup Bluetooth on Dell Venue 11 Pro
From: bugzilla-daemon @ 2026-06-13 7:16 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-73081-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=73081
--- Comment #10 from Dmitry Khromov (icechrome@gmail.com) ---
My apologies for misleading, that was a hunch from back then.
From your dmesg log I notice the kernel fails to find the WiFi/Bluetooth chip
firmware. You should grab it from
https://github.com/qca/ath6kl-firmware/tree/master/ath6k/AR6004/hw3.0
which is where I got it the last time and put into
`/lib/firmware/ath6k/AR6004/hw3.0` if you haven't done so already.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
* [Bug 73081] Fail to setup Bluetooth on Dell Venue 11 Pro
From: bugzilla-daemon @ 2026-06-13 6:57 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-73081-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=73081
--- Comment #9 from Hytham (hytham@gmail.com) ---
Hi Paul,
Yes, I confirmed that the kernel I already have in /boot has
CONFIG_SERIAL_DEV_BUG=y.
Thanks,
Hytham
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
* [Bug 73081] Fail to setup Bluetooth on Dell Venue 11 Pro
From: bugzilla-daemon @ 2026-06-13 6:32 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-73081-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=73081
--- Comment #8 from Paul Menzel (pmenzel+bugzilla.kernel.org@molgen.mpg.de) ---
At least Debian’s Linux kernels (6.1 and 7.1 from suite *experimental*) have it
set to `CONFIG_SERIAL_DEV_BUS=y`. @Hytham, please check your Ubuntu Linux
kernel config in `/boot/`, for example with `grep CONFIG_SERIAL_DEV_BUS /boot/config*`.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
* [Bug 73081] Fail to setup Bluetooth on Dell Venue 11 Pro
From: bugzilla-daemon @ 2026-06-13 3:24 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-73081-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=73081
--- Comment #7 from Dmitry Khromov (icechrome@gmail.com) ---
If memory serves, the MMIO-mapped UART requires
CONFIG_SERIAL_DEV_CTRL_TTYPORT=y for a port to be picked up by BlueZ. This, in
turn, requires CONFIG_SERIAL_DEV_BUS=y, but most desktop distros ship a kernel
with CONFIG_SERIAL_DEV_BUS=m.
Long story short, I was successful in bringing Bluetooth up and running on
Venue 8 Pro back in the day, so try compiling a kernel with the configuration
flags mentioned. No further action should be required -- BlueZ should
automatically pick the port up and attach the HCI.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
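The checks comments #7 and #8 describe, put into a script as an added example that is not from the bug thread or from BlueZ: `check_config_builtin` reports whether the named options are `=y`, `=m` or unset in a kernel config file, and `check_firmware_dir` reports whether the firmware directory from comment #10 holds any files. The function names and the sample config are this example's own; the sample is constructed, and on the affected machine the first check is pointed at `/boot/config-$(uname -r)` instead.

```shell
#!/bin/sh
# Added example (not from the bug thread or BlueZ): report the state of the
# serdev-related kernel options and of the ath6k firmware directory.
# Function names and the sample config below are this example's own.

# check_config_builtin CONFIG_FILE OPTION...
# Returns 0 only if every OPTION is "=y" in CONFIG_FILE; prints each state.
check_config_builtin() {
    cfg="$1"; shift
    rc=0
    for opt in "$@"; do
        # Match "OPT=..." and "# OPT is not set", but not OPT_SOMETHING_ELSE.
        line=$(grep -E "^(# )?$opt[= ]" "$cfg" 2>/dev/null | head -n 1)
        case "$line" in
            "$opt=y")            echo "$opt: built in (=y)" ;;
            "$opt=m")            echo "$opt: module (=m), needs =y"; rc=1 ;;
            "# $opt is not set") echo "$opt: not set"; rc=1 ;;
            "")                  echo "$opt: absent from $cfg"; rc=1 ;;
            *)                   echo "$opt: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# check_firmware_dir DIR
# Returns 0 if DIR exists and holds at least one regular file.
check_firmware_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    n=$(find "$dir" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "$dir: present but empty"; return 1; }
    echo "$dir: $n firmware file(s)"
}

# Constructed sample resembling a distro config with serdev as a module;
# on a real machine point the check at /boot/config-$(uname -r) instead.
sample=$(mktemp)
cat >"$sample" <<'EOF'
CONFIG_SERIAL_DEV_BUS=m
CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
EOF
check_config_builtin "$sample" CONFIG_SERIAL_DEV_BUS CONFIG_SERIAL_DEV_CTRL_TTYPORT \
    || echo "-> rebuild with CONFIG_SERIAL_DEV_BUS=y (comment #7)"
rm -f "$sample"
check_firmware_dir /lib/firmware/ath6k/AR6004/hw3.0 \
    || echo "-> fetch the AR6004 hw3.0 files named in comment #10"
```

`CONFIG_SERIAL_DEV_CTRL_TTYPORT` is a bool that depends on `CONFIG_SERIAL_DEV_BUS`, which is why comment #7 needs the bus built in rather than as a module; the script reports each option separately so a config like the sample (bus as a module, controller support on) is visible at a glance.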
* [bluetooth-next:master] BUILD SUCCESS f70f7f2512c6b9113dc78f6a25361166afd1412e
From: kernel test robot @ 2026-06-13 1:07 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
branch HEAD: f70f7f2512c6b9113dc78f6a25361166afd1412e Bluetooth: btintel_pcie: Separate coredump work from RX work
elapsed time: 1399m
configs tested: 321
configs skipped: 13
The following configs have been built successfully.
More configs may be tested in the coming days.
tested configs:
alpha allnoconfig gcc-16.1.0
alpha allyesconfig gcc-16.1.0
alpha defconfig gcc-16.1.0
arc allmodconfig clang-23
arc allnoconfig gcc-16.1.0
arc allyesconfig clang-23
arc allyesconfig gcc-16.1.0
arc defconfig gcc-16.1.0
arc nsim_700_defconfig gcc-16.1.0
arc randconfig-001-20260612 gcc-13.4.0
arc randconfig-001-20260613 gcc-12.5.0
arc randconfig-002-20260612 gcc-13.4.0
arc randconfig-002-20260613 gcc-12.5.0
arm allnoconfig gcc-16.1.0
arm allyesconfig clang-23
arm axm55xx_defconfig clang-23
arm defconfig gcc-16.1.0
arm randconfig-001-20260612 gcc-13.4.0
arm randconfig-001-20260613 gcc-12.5.0
arm randconfig-002-20260612 gcc-13.4.0
arm randconfig-002-20260613 gcc-12.5.0
arm randconfig-003-20260612 gcc-13.4.0
arm randconfig-003-20260613 gcc-12.5.0
arm randconfig-004-20260612 gcc-13.4.0
arm randconfig-004-20260613 gcc-12.5.0
arm spear13xx_defconfig gcc-16.1.0
arm64 allmodconfig clang-23
arm64 allnoconfig gcc-16.1.0
arm64 defconfig gcc-16.1.0
arm64 randconfig-001 gcc-13.4.0
arm64 randconfig-001-20260612 gcc-13.4.0
arm64 randconfig-001-20260613 gcc-16.1.0
arm64 randconfig-002 gcc-13.4.0
arm64 randconfig-002-20260612 gcc-13.4.0
arm64 randconfig-002-20260613 gcc-16.1.0
arm64 randconfig-003 gcc-13.4.0
arm64 randconfig-003-20260612 gcc-13.4.0
arm64 randconfig-003-20260613 gcc-16.1.0
arm64 randconfig-004 gcc-13.4.0
arm64 randconfig-004-20260612 gcc-13.4.0
arm64 randconfig-004-20260613 gcc-16.1.0
csky allmodconfig gcc-16.1.0
csky allnoconfig gcc-16.1.0
csky defconfig gcc-16.1.0
csky randconfig-001 gcc-13.4.0
csky randconfig-001-20260612 gcc-13.4.0
csky randconfig-001-20260613 gcc-16.1.0
csky randconfig-002 gcc-13.4.0
csky randconfig-002-20260612 gcc-13.4.0
csky randconfig-002-20260613 gcc-16.1.0
hexagon allmodconfig clang-23
hexagon allmodconfig gcc-16.1.0
hexagon allnoconfig gcc-16.1.0
hexagon defconfig gcc-16.1.0
hexagon randconfig-001 gcc-11.5.0
hexagon randconfig-001-20260612 clang-23
hexagon randconfig-001-20260612 gcc-11.5.0
hexagon randconfig-001-20260613 clang-23
hexagon randconfig-002 gcc-11.5.0
hexagon randconfig-002-20260612 clang-23
hexagon randconfig-002-20260612 gcc-11.5.0
hexagon randconfig-002-20260613 clang-23
i386 allmodconfig clang-22
i386 allmodconfig gcc-14
i386 allnoconfig gcc-16.1.0
i386 allyesconfig clang-22
i386 allyesconfig gcc-14
i386 buildonly-randconfig-001 gcc-14
i386 buildonly-randconfig-001-20260612 gcc-14
i386 buildonly-randconfig-001-20260613 gcc-14
i386 buildonly-randconfig-002 gcc-14
i386 buildonly-randconfig-002-20260612 gcc-14
i386 buildonly-randconfig-002-20260613 gcc-14
i386 buildonly-randconfig-003 gcc-14
i386 buildonly-randconfig-003-20260612 gcc-14
i386 buildonly-randconfig-003-20260613 gcc-14
i386 buildonly-randconfig-004 gcc-14
i386 buildonly-randconfig-004-20260612 gcc-14
i386 buildonly-randconfig-004-20260613 gcc-14
i386 buildonly-randconfig-005 gcc-14
i386 buildonly-randconfig-005-20260612 gcc-14
i386 buildonly-randconfig-005-20260613 gcc-14
i386 buildonly-randconfig-006 gcc-14
i386 buildonly-randconfig-006-20260612 gcc-14
i386 buildonly-randconfig-006-20260613 gcc-14
i386 defconfig gcc-16.1.0
i386 randconfig-001-20260612 clang-22
i386 randconfig-001-20260613 clang-22
i386 randconfig-002-20260612 clang-22
i386 randconfig-002-20260613 clang-22
i386 randconfig-003-20260612 clang-22
i386 randconfig-003-20260613 clang-22
i386 randconfig-004-20260612 clang-22
i386 randconfig-004-20260613 clang-22
i386 randconfig-005-20260612 clang-22
i386 randconfig-005-20260613 clang-22
i386 randconfig-006-20260612 clang-22
i386 randconfig-006-20260613 clang-22
i386 randconfig-007-20260612 clang-22
i386 randconfig-007-20260613 clang-22
i386 randconfig-011 clang-22
i386 randconfig-011-20260612 clang-22
i386 randconfig-011-20260613 gcc-14
i386 randconfig-012 clang-22
i386 randconfig-012-20260612 clang-22
i386 randconfig-012-20260613 gcc-14
i386 randconfig-013 clang-22
i386 randconfig-013-20260612 clang-22
i386 randconfig-013-20260613 gcc-14
i386 randconfig-014 clang-22
i386 randconfig-014-20260612 clang-22
i386 randconfig-014-20260613 gcc-14
i386 randconfig-015 clang-22
i386 randconfig-015-20260612 clang-22
i386 randconfig-015-20260613 gcc-14
i386 randconfig-016 clang-22
i386 randconfig-016-20260612 clang-22
i386 randconfig-016-20260613 gcc-14
i386 randconfig-017 clang-22
i386 randconfig-017-20260612 clang-22
i386 randconfig-017-20260613 gcc-14
loongarch allmodconfig clang-19
loongarch allmodconfig clang-23
loongarch allnoconfig gcc-16.1.0
loongarch defconfig clang-23
loongarch randconfig-001 gcc-11.5.0
loongarch randconfig-001-20260612 clang-23
loongarch randconfig-001-20260612 gcc-11.5.0
loongarch randconfig-001-20260613 clang-23
loongarch randconfig-002 gcc-11.5.0
loongarch randconfig-002-20260612 clang-23
loongarch randconfig-002-20260612 gcc-11.5.0
loongarch randconfig-002-20260613 clang-23
m68k allmodconfig gcc-16.1.0
m68k allnoconfig gcc-16.1.0
m68k allyesconfig clang-23
m68k atari_defconfig gcc-16.1.0
m68k defconfig clang-23
microblaze allnoconfig gcc-16.1.0
microblaze allyesconfig gcc-16.1.0
microblaze defconfig clang-23
mips allmodconfig gcc-16.1.0
mips allnoconfig gcc-16.1.0
mips allyesconfig gcc-16.1.0
nios2 allmodconfig clang-20
nios2 allmodconfig gcc-11.5.0
nios2 allnoconfig clang-23
nios2 defconfig clang-23
nios2 randconfig-001 gcc-11.5.0
nios2 randconfig-001-20260612 clang-23
nios2 randconfig-001-20260612 gcc-11.5.0
nios2 randconfig-001-20260613 clang-23
nios2 randconfig-002 gcc-11.5.0
nios2 randconfig-002-20260612 clang-23
nios2 randconfig-002-20260612 gcc-11.5.0
nios2 randconfig-002-20260613 clang-23
openrisc allmodconfig clang-20
openrisc allmodconfig gcc-16.1.0
openrisc allnoconfig clang-23
openrisc defconfig gcc-16.1.0
parisc allmodconfig gcc-16.1.0
parisc allnoconfig clang-23
parisc allyesconfig clang-23
parisc allyesconfig gcc-16.1.0
parisc defconfig gcc-16.1.0
parisc randconfig-001-20260612 gcc-14.3.0
parisc randconfig-001-20260613 gcc-15.2.0
parisc randconfig-002-20260612 gcc-14.3.0
parisc randconfig-002-20260613 gcc-15.2.0
parisc64 defconfig clang-23
powerpc allmodconfig gcc-16.1.0
powerpc allnoconfig clang-23
powerpc mpc885_ads_defconfig clang-23
powerpc ppc64e_defconfig gcc-16.1.0
powerpc randconfig-001-20260613 gcc-15.2.0
powerpc randconfig-002-20260613 gcc-15.2.0
powerpc64 randconfig-001-20260612 gcc-14.3.0
powerpc64 randconfig-001-20260613 gcc-15.2.0
powerpc64 randconfig-002-20260612 gcc-14.3.0
powerpc64 randconfig-002-20260613 gcc-15.2.0
riscv allmodconfig clang-23
riscv allnoconfig clang-23
riscv allyesconfig clang-23
riscv defconfig gcc-16.1.0
riscv randconfig-001 gcc-11.5.0
riscv randconfig-001-20260612 gcc-11.5.0
riscv randconfig-001-20260613 gcc-10.5.0
riscv randconfig-002 gcc-11.5.0
riscv randconfig-002-20260612 gcc-11.5.0
riscv randconfig-002-20260613 gcc-10.5.0
s390 allmodconfig clang-23
s390 allnoconfig clang-23
s390 allyesconfig gcc-16.1.0
s390 defconfig gcc-16.1.0
s390 randconfig-001 gcc-11.5.0
s390 randconfig-001-20260612 gcc-11.5.0
s390 randconfig-001-20260613 gcc-10.5.0
s390 randconfig-002 gcc-11.5.0
s390 randconfig-002-20260612 gcc-11.5.0
s390 randconfig-002-20260613 gcc-10.5.0
sh allmodconfig gcc-16.1.0
sh allnoconfig clang-23
sh allyesconfig clang-23
sh allyesconfig gcc-16.1.0
sh defconfig gcc-14
sh randconfig-001 gcc-11.5.0
sh randconfig-001-20260612 gcc-11.5.0
sh randconfig-001-20260613 gcc-10.5.0
sh randconfig-002 gcc-11.5.0
sh randconfig-002-20260612 gcc-11.5.0
sh randconfig-002-20260613 gcc-10.5.0
sparc allnoconfig clang-23
sparc defconfig gcc-16.1.0
sparc randconfig-001 gcc-8.5.0
sparc randconfig-001-20260612 gcc-8.5.0
sparc randconfig-001-20260613 gcc-13.4.0
sparc randconfig-002 gcc-8.5.0
sparc randconfig-002-20260612 gcc-8.5.0
sparc randconfig-002-20260613 gcc-13.4.0
sparc sparc64_defconfig gcc-16.1.0
sparc64 allmodconfig clang-20
sparc64 defconfig gcc-14
sparc64 randconfig-001 gcc-8.5.0
sparc64 randconfig-001-20260612 gcc-8.5.0
sparc64 randconfig-001-20260613 gcc-13.4.0
sparc64 randconfig-002 gcc-8.5.0
sparc64 randconfig-002-20260612 gcc-8.5.0
sparc64 randconfig-002-20260613 gcc-13.4.0
um allmodconfig clang-23
um allnoconfig clang-23
um allyesconfig gcc-14
um allyesconfig gcc-16.1.0
um defconfig gcc-14
um i386_defconfig gcc-14
um randconfig-001 gcc-8.5.0
um randconfig-001-20260612 gcc-8.5.0
um randconfig-001-20260613 gcc-13.4.0
um randconfig-002 gcc-8.5.0
um randconfig-002-20260612 gcc-8.5.0
um randconfig-002-20260613 gcc-13.4.0
um x86_64_defconfig gcc-14
x86_64 allmodconfig clang-22
x86_64 allnoconfig clang-23
x86_64 allyesconfig clang-22
x86_64 buildonly-randconfig-001 gcc-14
x86_64 buildonly-randconfig-001-20260612 gcc-14
x86_64 buildonly-randconfig-001-20260613 clang-22
x86_64 buildonly-randconfig-002 gcc-14
x86_64 buildonly-randconfig-002-20260612 gcc-14
x86_64 buildonly-randconfig-002-20260613 clang-22
x86_64 buildonly-randconfig-003 gcc-14
x86_64 buildonly-randconfig-003-20260612 gcc-14
x86_64 buildonly-randconfig-003-20260613 clang-22
x86_64 buildonly-randconfig-004 gcc-14
x86_64 buildonly-randconfig-004-20260612 gcc-14
x86_64 buildonly-randconfig-004-20260613 clang-22
x86_64 buildonly-randconfig-005 gcc-14
x86_64 buildonly-randconfig-005-20260612 gcc-14
x86_64 buildonly-randconfig-005-20260613 clang-22
x86_64 buildonly-randconfig-006 gcc-14
x86_64 buildonly-randconfig-006-20260612 gcc-14
x86_64 buildonly-randconfig-006-20260613 clang-22
x86_64 defconfig gcc-14
x86_64 kexec clang-22
x86_64 randconfig-001-20260612 clang-22
x86_64 randconfig-001-20260613 clang-22
x86_64 randconfig-002-20260612 clang-22
x86_64 randconfig-002-20260613 clang-22
x86_64 randconfig-003-20260612 clang-22
x86_64 randconfig-003-20260613 clang-22
x86_64 randconfig-004-20260612 clang-22
x86_64 randconfig-004-20260613 clang-22
x86_64 randconfig-005-20260612 clang-22
x86_64 randconfig-005-20260613 clang-22
x86_64 randconfig-006-20260612 clang-22
x86_64 randconfig-006-20260613 clang-22
x86_64 randconfig-011 clang-22
x86_64 randconfig-011-20260612 clang-22
x86_64 randconfig-011-20260613 clang-22
x86_64 randconfig-012 clang-22
x86_64 randconfig-012-20260612 clang-22
x86_64 randconfig-012-20260613 clang-22
x86_64 randconfig-013 clang-22
x86_64 randconfig-013-20260612 clang-22
x86_64 randconfig-013-20260613 clang-22
x86_64 randconfig-014 clang-22
x86_64 randconfig-014-20260612 clang-22
x86_64 randconfig-014-20260613 clang-22
x86_64 randconfig-015 clang-22
x86_64 randconfig-015-20260612 clang-22
x86_64 randconfig-015-20260613 clang-22
x86_64 randconfig-016 clang-22
x86_64 randconfig-016-20260612 clang-22
x86_64 randconfig-016-20260613 clang-22
x86_64 randconfig-071-20260612 gcc-14
x86_64 randconfig-071-20260613 clang-22
x86_64 randconfig-072-20260612 gcc-14
x86_64 randconfig-072-20260613 clang-22
x86_64 randconfig-073-20260612 gcc-14
x86_64 randconfig-073-20260613 clang-22
x86_64 randconfig-074-20260612 gcc-14
x86_64 randconfig-074-20260613 clang-22
x86_64 randconfig-075-20260612 gcc-14
x86_64 randconfig-075-20260613 clang-22
x86_64 randconfig-076-20260612 gcc-14
x86_64 randconfig-076-20260613 clang-22
x86_64 rhel-9.4 clang-22
x86_64 rhel-9.4-bpf gcc-14
x86_64 rhel-9.4-func clang-22
x86_64 rhel-9.4-kselftests clang-22
x86_64 rhel-9.4-kunit gcc-14
x86_64 rhel-9.4-ltp gcc-14
x86_64 rhel-9.4-rust clang-22
xtensa allnoconfig clang-23
xtensa allyesconfig clang-20
xtensa randconfig-001 gcc-8.5.0
xtensa randconfig-001-20260612 gcc-8.5.0
xtensa randconfig-001-20260613 gcc-13.4.0
xtensa randconfig-002 gcc-8.5.0
xtensa randconfig-002-20260612 gcc-8.5.0
xtensa randconfig-002-20260613 gcc-13.4.0
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* [Bug 73081] Fail to setup Bluetooth on Dell Venue 11 Pro
From: bugzilla-daemon @ 2026-06-12 21:34 UTC (permalink / raw)
To: linux-bluetooth
In-Reply-To: <bug-73081-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=73081
--- Comment #6 from Hytham (hytham@gmail.com) ---
Thanks Paul, please find my dmesg.log and new issue here:
https://github.com/bluez/bluez/issues/2222
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
* Re: [PATCH BlueZ v5 00/16] Functional/integration testing
From: Luiz Augusto von Dentz @ 2026-06-12 20:13 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
In-Reply-To: <cover.1778688966.git.pav@iki.fi>
Hi Pauli,
On Wed, May 13, 2026 at 1:35 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Add framework for writing tests simulating "real" environments where
> BlueZ and other parts of the stack run on different virtual machine
> hosts that communicate with each other.
>
> *** v5 ***
>
> https://github.com/pv/bluez/compare/func-test-v4-r..func-test-v5
>
> * Factor out the pytest-bluezenv plugin, to be maintained separately.
> https://pypi.org/project/pytest-bluezenv/
>
> It could in principle be moved under the BlueZ organization, but
> there's no particular reason why it should be in bluez repository.
>
> Generally, it's better to have the pytest plugin separate so it's
> easier to reuse and can have its own version cycle.
>
> * Pipewire tests are moved to the pipewire repository, where they probably
> belong.
>
> They can be run easily vs. given BlueZ build dir.
>
> We are currently running them in Pipewire CI, but at frozen
> kernel/BlueZ version, so it is not testing BlueZ/kernel upstream
> development.
>
> * No changes in the emulator/test-runner patches since v4
>
> They are stand-alone bug fixes / improvements, and make sense
> also separately from the rest.
>
> *** v4 ***
>
> https://github.com/pv/bluez/compare/func-test-v3-r..func-test-v4
>
> * Use virtconsole for simpler HCI forwarding to the vm
>
> * Fix typoed vm_module -> vm_once
>
> * Skip tests for some pipewire versions
>
> *** v3 ***
>
> https://github.com/pv/bluez/compare/func-test-v2-r..func-test-v3
>
> * fix configure.ac openpty() detection to match TOOLS conditional,
> to fix make distcheck
>
> * properly retry virtio RPC connection if it fails initially
>
> * properly restart VM if previous test hangs
>
> * allow custom parent host side proxy objects, use them for pexpect
>
> * improve --list with out-of-tree test files
>
> * fix missing bus.set_exit_on_disconnect(False) for obex tests
>
> * have --vm-timeout etc. change values also on VM host side
>
> * use larger-memory VM instances for Pipewire, in case ASAN is enabled
>
> * set reasonable inside-VM ASAN_OPTION default values
>
> * don't run btvirt under stdbuf, since it is not compatible with ASAN
>
> *** v2 ***
>
> https://github.com/pv/bluez/compare/func-test-v1-r..func-test-v2
>
> * move unit/func_test -> test/functional & test/pytest_bluez
>
> The pytest_bluez plugin is in principle reusable for other projects,
> so we can e.g. have more complete Pipewire integration tests that can
> live in the Pipewire repository.
>
> * openpty() is in -lutil on some platforms, detect this in autoconf
>
> * more emulator adjustments:
>
> - fix SCO data packet support in btvirt
> - more complete Reset command
>
> * improve logging: get timestamps from kernel, and reorder logs
> to timestamp order, so that lines from different hosts, btmon,
> and parent tester appear in right order regardless of whether
> VM console / btmon is lagging
>
> - this requires accurate clock sync in the VM, so enable KVM PTP in
> config and run chronyd inside the VMs
> - use virtio port instead of qemu console to export logs, since the
> console has fixed baud rate and is too slow
>
> * add --btmon & export btsnoop dumps from VM hosts
>
> * fix compatibility with older Python versions
>
> * add parametrized_host_config()
>
> * split Pipewire test to A2DP/BAP/HFP and really stream audio.
> These catch the 5.86 regression fixed in 066a164a524e498 and
> the 5.84 one in 6b0a08776a
>
> * add support for tests that reuse tester environment, so they can run
> faster without needing Bluetoothd teardown/setup in between
>
> * add HostPlugin.presetup (mainly for test skipping)
>
> * deal with RPC virtio port buffer possibly containing unflushed
> commands from previous failed test
>
> * add some Agent1 interface tests
>
> * add basic Obex file transfer tests
>
> * add support for logging in to a running test instance (for gdb etc)
>
> * export any core dumps out from test environ
>
> Some bells & whistles:
>
> * add --kernel-build for kernel image build
>
> * test suite Python code formatting checks
>
> ***
>
> Implements:
>
> - RPC communication with tester instances running each of the VM hosts.
> Tests run on parent host, which instructs VM hosts what to do.
>
> - Extensible way to add stateful test-specific code inside the VM
> instances
>
> - Logging control: output from different processes running inside the VM
> is separated and can be filtered.
>
> - Test runner framework with Pytest (more convenient than Python/unittest)
>
> - Automatic grouping of tests to minimize VM reboots
>
> - Redirecting USB controllers to use for testing in addition to btvirt
>
> - Fairly straightforward, ~1600 sloc for the framework
>
> There is no requirement that the tests spawn VM instances, the test
> runner can be used for any tests written in Python.
>
> See doc/test-functional.rst for various examples.
>
> Also test/functional/test_bluetoothctl_vm.py has some simple cases, and
> test/functional/test_pipewire.py for a more complicated setup
>
> host0(qemu): Pipewire <-> BlueZ <-> kernel
> <-> btvirt
> host1(qemu): kernel <-> BlueZ <-> Pipewire
>
> The framework allows easily passing any data and code between the parent
> and VM hosts, so writing tests is straightforward.
>
> ***
>
> Some examples:
>
> $ test/test-functional --list -q
>
> test/functional/lib/tests/test_rpc.py::test_basic
> test/functional/test_bluetoothctl_vm.py::test_bluetoothctl_pair[hosts0-vm2]
> test/functional/test_bluetoothctl_vm.py::test_bluetoothctl_script_show[hosts1-vm1]
> test/functional/test_btmgmt_vm.py::test_btmgmt_info[hosts2-vm1]
> test/functional/test_pipewire.py::test_pipewire[hosts3-vm2]
>
> $ test/test-functional -v --no-header
> ======================================= test session starts ========================================
> collected 5 items
>
> test/functional/lib/tests/test_rpc.py::test_basic PASSED [ 20%]
> test/functional/test_bluetoothctl_vm.py::test_bluetoothctl_script_show[hosts1-vm1] SKIPPED [ 40%]
> test/functional/test_btmgmt_vm.py::test_btmgmt_info[hosts2-vm1] SKIPPED (No kernel image) [ 60%]
> test/functional/test_bluetoothctl_vm.py::test_bluetoothctl_pair[hosts0-vm2] SKIPPED (No k...) [ 80%]
> test/functional/test_pipewire.py::test_pipewire[hosts3-vm2] SKIPPED (No kernel image) [100%]
>
> =================================== 1 passed, 4 skipped in 0.19s ===================================
>
> $ test/test-functional --kernel=../linux
> ============================= test session starts ==============================
> platform linux -- Python 3.14.3, pytest-8.3.5, pluggy-1.6.0
> rootdir: /home/pauli/prj/external/bluez/unit
> configfile: pytest.ini
> plugins: cov-5.0.0, forked-1.6.0, rerunfailures-15.0, timeout-2.4.0, xdist-3.7.0, hypothesis-6.123.0, flaky-3.8.1, anyio-4.12.1
> collected 5 items
>
> test/functional/lib/tests/test_rpc.py . [ 20%]
> test/functional/test_bluetoothctl_vm.py . [ 40%]
> test/functional/test_btmgmt_vm.py . [ 60%]
> test/functional/test_bluetoothctl_vm.py . [ 80%]
> test/functional/test_pipewire.py . [100%]
>
> ============================== 5 passed in 41.92s ==============================
>
> $ test/test-functional --kernel=../linux -k test_btmgmt
> ============================= test session starts ==============================
> platform linux -- Python 3.14.3, pytest-8.3.5, pluggy-1.6.0
> rootdir: /home/pauli/prj/external/bluez/unit
> configfile: pytest.ini
> plugins: cov-5.0.0, forked-1.6.0, rerunfailures-15.0, timeout-2.4.0, xdist-3.7.0, hypothesis-6.123.0, flaky-3.8.1, anyio-4.12.1
> collected 5 items / 4 deselected / 1 selected
>
> test/functional/test_btmgmt_vm.py . [100%]
>
> ======================= 1 passed, 4 deselected in 9.15s ========================
>
> $ grep btmgmt test-functional.log
> 13:15:42 INFO rpc.host.0.0 : client: call_plugin ('call', '__call__', <function run at 0x7f27b81ce140>, ['/home/pauli/prj/external/bluez/build/tools/btmgmt', '--index', '0', 'info']) {'stdout': -1, 'stdin': -3, 'encoding': 'utf-8'}
> 13:15:42 INFO host.0.0.rpc : server: call_plugin ('call', '__call__', <function run at 0x7fd5e35a1010>, ['/home/pauli/prj/external/bluez/build/tools/btmgmt', '--index', '0', 'info']) {'stdout': -1, 'stdin': -3, 'encoding': 'utf-8'}
> 13:15:42 INFO host.0.0.run : $ /home/pauli/prj/external/bluez/build/tools/btmgmt --index 0 info
>
> $ test/test-functional --kernel=../linux -k test_btmgmt --log-cli-level=0
> ============================= test session starts ==============================
> platform linux -- Python 3.14.3, pytest-8.3.5, pluggy-1.6.0
> rootdir: /home/pauli/prj/external/bluez/unit
> configfile: pytest.ini
> plugins: cov-5.0.0, forked-1.6.0, rerunfailures-15.0, timeout-2.4.0, xdist-3.7.0, hypothesis-6.123.0, flaky-3.8.1, anyio-4.12.1
> collected 5 items / 4 deselected / 1 selected
>
> test/functional/test_btmgmt_vm.py::test_btmgmt_info[hosts2-vm1]
> -------------------------------- live log setup --------------------------------
> 13:00:31 INFO func_test.lib.env : Starting btvirt: /usr/bin/stdbuf -o L -e L /home/pauli/prj/external/bluez/build/emulator/btvirt --server=/tmp/bluez-func-test-8t6ychy8
> 13:00:31 OUT btvirt : Bluetooth emulator ver 5.86
> 13:00:31 INFO func_test.lib.env : Starting host: /home/pauli/prj/external/bluez/build/tools/test-runner --kernel=../linux/arch/x86/boot/bzImage -u/tmp/bluez-func-test-8t6ychy8/bt-server-bredrle -o -chardev -o socket,id=ser0,path=/tmp/bluez-func-test-8t6ychy8/bluez-func-test-rpc-0,server=on,wait=off -o -device -o virtio-serial -o -device -o virtserialport,chardev=ser0,name=bluez-func-test-rpc -H -- /usr/bin/python3 -P /home/pauli/prj/external/bluez/test/functional/lib/runner.py /dev/ttyS2
> 13:00:31 OUT btvirt : Request for /tmp/bluez-func-test-8t6ychy8/bt-server-bredrle
> 13:00:32 OUT host.0.0 : early console in extract_kernel
> 13:00:32 OUT host.0.0 : input_data: 0x000000000425c2c4
> ...
> 13:00:39 INFO rpc.host.0.0 : client: call_plugin ('call', '__call__', <function run at 0x7f7547472140>, ['/home/pauli/prj/external/bluez/build/tools/btmgmt', '--index', '0', 'info']) {'stdout': -1, 'stdin': -3, 'encoding': 'utf-8'}
> 13:00:39 DEBUG host.0.0.rpc : server: done
> 13:00:39 INFO host.0.0.rpc : server: call_plugin ('call', '__call__', <function run at 0x7f77dcc81010>, ['/home/pauli/prj/external/bluez/build/tools/btmgmt', '--index', '0', 'info']) {'stdout': -1, 'stdin': -3, 'encoding': 'utf-8'}
> 13:00:39 INFO host.0.0.run : $ /home/pauli/prj/external/bluez/build/tools/btmgmt --index 0 info
> 13:00:40 OUT host.0.0.run.out : hci0: Primary controller
> 13:00:40 OUT host.0.0.run.out : addr 00:AA:01:00:00:42 version 11 manufacturer 1521 class 0x000000
> 13:00:40 OUT host.0.0.run.out : supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr le advertising secure-conn debug-keys privacy static-addr phy-configuration cis-central cis-peripheral iso-broadcaster sync-receiver ll-privacy past-sender past-receiver
> 13:00:40 OUT host.0.0.run.out : current settings: br/edr
> 13:00:40 OUT host.0.0.run.out : name
> 13:00:40 OUT host.0.0.run.out : short name
> 13:00:40 INFO host.0.0.run : (return code 0)
> 13:00:40 DEBUG rpc.host.0.0 : client-reply
> PASSED [100%]
> 13:00:40 OUT host.0.0 : qemu-system-x86_64: terminating on signal 15 from pid 149047 (python3)
> ======================= 1 passed, 4 deselected in 8.84s ========================
>
> $ test/test-functional --kernel=../linux -k test_bluetoothctl_pair --log-cli-level=0 --log-filter=*.bluetoothctl,rpc.* --force-usb
> ============================= test session starts ==============================
> platform linux -- Python 3.14.3, pytest-8.3.5, pluggy-1.6.0
> rootdir: /home/pauli/prj/external/bluez/unit
> configfile: pytest.ini
> plugins: cov-5.0.0, forked-1.6.0, rerunfailures-15.0, timeout-2.4.0, xdist-3.7.0, hypothesis-6.123.0, flaky-3.8.1, anyio-4.12.1
> collected 5 items / 4 deselected / 1 selected
>
> test/functional/test_bluetoothctl_vm.py::test_bluetoothctl_pair[hosts0-vm2]
> -------------------------------- live log setup --------------------------------
> 13:03:20 INFO rpc.host.0.0 : client: start_load (<func_test.lib.host_plugins.Bdaddr object at 0x7f268712d160>,) {}
> 13:03:20 INFO rpc.host.0.0 : client: start_load (<func_test.lib.host_plugins.Call object at 0x7f268712d2b0>,) {}
> 13:03:20 INFO rpc.host.0.0 : client: start_load (<func_test.lib.host_plugins.DbusSystem object at 0x7f2687aa30e0>,) {}
> 13:03:20 INFO rpc.host.0.0 : client: start_load (<func_test.lib.host_plugins.Bluetoothd object at 0x7f2687aa3230>,) {}
> 13:03:20 INFO rpc.host.0.0 : client: start_load (<func_test.lib.host_plugins.Bluetoothctl object at 0x7f268712d010>,) {}
> 13:03:20 INFO rpc.host.0.1 : client: start_load (<func_test.lib.host_plugins.Bdaddr object at 0x7f26871542d0>,) {}
> 13:03:20 INFO rpc.host.0.1 : client: start_load (<func_test.lib.host_plugins.Call object at 0x7f2687154410>,) {}
> 13:03:20 INFO rpc.host.0.1 : client: start_load (<func_test.lib.host_plugins.DbusSystem object at 0x7f2687aa30e0>,) {}
> 13:03:20 INFO rpc.host.0.1 : client: start_load (<func_test.lib.host_plugins.Bluetoothd object at 0x7f2687aa3230>,) {}
> 13:03:20 INFO rpc.host.0.1 : client: start_load (<func_test.lib.host_plugins.Bluetoothctl object at 0x7f2687154190>,) {}
> 13:03:20 INFO rpc.host.0.0 : client: wait_load () {}
> 13:03:21 DEBUG rpc.host.0.0 : client-reply
> 13:03:21 INFO rpc.host.0.1 : client: wait_load () {}
> 13:03:21 DEBUG rpc.host.0.1 : client-reply
> -------------------------------- live log call ---------------------------------
> 13:03:21 INFO rpc.host.0.0 : client: call_plugin ('bluetoothctl', 'send', 'show\n') {}
> 13:03:21 DEBUG rpc.host.0.0 : client-reply
> 13:03:21 INFO rpc.host.0.0 : client: call_plugin ('bluetoothctl', 'expect', 'Powered: yes') {}
> ...
> 13:03:23 INFO rpc.host.0.0 : client: call_plugin ('bluetoothctl', 'send', 'pair 70:1a:b8:73:99:bb\n') {}
> 13:03:23 OUT host.0.0.bluetoothctl: pair 70:1a:b8:73:99:bb
> 13:03:23 DEBUG rpc.host.0.0 : client-reply
> 13:03:23 INFO rpc.host.0.0 : client: call_plugin ('bluetoothctl', 'expect', 'Confirm passkey (\\d+).*:') {}
> 13:03:23 OUT host.0.0.bluetoothctl: [bluetoothctl]> pair 70:1a:b8:73:99:bb
> 13:03:23 OUT host.0.0.bluetoothctl: Attempting to pair with 70:1A:B8:73:99:BB
> 13:03:23 OUT host.0.0.bluetoothctl: [bluetoothctl]> hci0 device_flags_changed: 70:1A:B8:73:99:BB (BR/EDR)
> 13:03:23 OUT host.0.0.bluetoothctl: [bluetoothctl]> supp: 0x00000007 curr: 0x00000000
> 13:03:23 OUT host.0.0.bluetoothctl: [bluetoothctl]> hci0 type 7 discovering off
> 13:03:25 OUT host.0.0.bluetoothctl: [bluetoothctl]> hci0 70:1A:B8:73:99:BB type BR/EDR connected eir_len 12
> 13:03:25 OUT host.0.0.bluetoothctl: [bluetoothctl]> [BlueZ 5.86]> [CHG] Device 70:1A:B8:73:99:BB Connected: yes
> 13:03:25 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> Request confirmation
> 13:03:25 DEBUG rpc.host.0.0 : client-reply
> 13:03:25 INFO rpc.host.0.1 : client: call_plugin ('bluetoothctl', 'expect', 'Confirm passkey 237345') {}
> 13:03:25 OUT host.0.1.bluetoothctl: [bluetoothctl]> hci0 84:5C:F3:77:31:19 type BR/EDR connected eir_len 12
> 13:03:25 OUT host.0.1.bluetoothctl: [bluetoothctl]> [NEW] Device 84:5C:F3:77:31:19 BlueZ 5.86
> 13:03:25 DEBUG rpc.host.0.1 : client-reply
> 13:03:25 INFO rpc.host.0.0 : client: call_plugin ('bluetoothctl', 'send', 'yes\n') {}
> 13:03:25 OUT host.0.1.bluetoothctl: [bluetoothctl]> [BlueZ 5.86]> Request confirmation
> 13:03:25 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> [agent] Confirm passkey 237345 (yes/no): yes
> 13:03:25 DEBUG rpc.host.0.0 : client-reply
> 13:03:25 INFO rpc.host.0.1 : client: call_plugin ('bluetoothctl', 'send', 'yes\n') {}
> 13:03:25 OUT host.0.1.bluetoothctl: [BlueZ 5.86]> [agent] Confirm passkey 237345 (yes/no): yes
> 13:03:25 DEBUG rpc.host.0.1 : client-reply
> 13:03:25 INFO rpc.host.0.0 : client: call_plugin ('bluetoothctl', 'expect', 'Pairing successful') {}
> 13:03:25 OUT host.0.0.bluetoothctl: yes
> 13:03:25 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> hci0 new_link_key 70:1A:B8:73:99:BB type 0x08 pin_len 0 store_hint 1
> 13:03:25 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> [CHG] Device 70:1A:B8:73:99:BB Bonded: yes
> 13:03:26 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> [CHG] Device 70:1A:B8:73:99:BB AddressType: public
> 13:03:26 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> [CHG] Device 70:1A:B8:73:99:BB UUIDs: 0000110c-0000-1000-8000-00805f9b34fb
> 13:03:26 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> [CHG] Device 70:1A:B8:73:99:BB UUIDs: 0000110e-0000-1000-8000-00805f9b34fb
> 13:03:26 DEBUG rpc.host.0.0 : client-reply
> PASSED [100%]
> ------------------------------ live log teardown -------------------------------
> 13:03:26 OUT host.0.0.bluetoothctl: [BlueZ 5.86]> [CHG] Device 70:1A:B8:98:FF:qemu-system-x86_64: terminating on signal 15 from pid 149357 (python3)
>
> ======================= 1 passed, 4 deselected in 13.22s =======================
>
> $ test/test-functional -k test_btmgmt --kernel=../linux --trace
> ============================= test session starts ==============================
> platform linux -- Python 3.14.3, pytest-8.3.5, pluggy-1.6.0
> rootdir: /home/pauli/prj/external/bluez/unit
> configfile: pytest.ini
> plugins: cov-5.0.0, forked-1.6.0, rerunfailures-15.0, timeout-2.4.0, xdist-3.7.0, hypothesis-6.123.0, flaky-3.8.1, anyio-4.12.1
> collected 5 items / 4 deselected / 1 selected
>
> test/functional/test_btmgmt_vm.py
> >>>>>>>>>>>>>>>>>>>> PDB runcall (IO-capturing turned off) >>>>>>>>>>>>>>>>>>>>>
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(19)test_btmgmt_info()
> -> (host,) = hosts
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(21)test_btmgmt_info()
> -> result = host.call(
> (Pdb) p host.bdaddr
> '00:aa:01:00:00:42'
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(22)test_btmgmt_info()
> -> run,
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(23)test_btmgmt_info()
> -> [btmgmt, "--index", "0", "info"],
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(24)test_btmgmt_info()
> -> stdout=subprocess.PIPE,
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(25)test_btmgmt_info()
> -> stdin=subprocess.DEVNULL,
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(26)test_btmgmt_info()
> -> encoding="utf-8",
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(21)test_btmgmt_info()
> -> result = host.call(
> (Pdb) n
> > /home/pauli/prj/external/bluez/test/functional/test_btmgmt_vm.py(28)test_btmgmt_info()
> -> assert result.returncode == 0
> (Pdb) p result
> CompletedProcess(args=['/home/pauli/prj/external/bluez/build/tools/btmgmt', '--index', '0', 'info'], returncode=0, stdout='hci0:\tPrimary controller\n\taddr 00:AA:01:00:00:42 version 11 manufacturer 1521 class 0x000000\n\tsupported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr le advertising secure-conn debug-keys privacy static-addr phy-configuration cis-central cis-peripheral iso-broadcaster sync-receiver ll-privacy past-sender past-receiver \n\tcurrent settings: br/edr \n\tname \n\tshort name \n')
> (Pdb) print(result.stdout)
> hci0: Primary controller
> addr 00:AA:01:00:00:42 version 11 manufacturer 1521 class 0x000000
> supported settings: powered connectable fast-connectable discoverable bondable link-security ssp br/edr le advertising secure-conn debug-keys privacy static-addr phy-configuration cis-central cis-peripheral iso-broadcaster sync-receiver ll-privacy past-sender past-receiver
> current settings: br/edr
> name
> short name
> (Pdb) q
>
> !!!!!!!!!!!!!!!!!!! _pytest.outcomes.Exit: Quitting debugger !!!!!!!!!!!!!!!!!!!
> ======================= 4 deselected in 75.91s (0:01:15) =======================
>
> Pauli Virtanen (16):
> emulator: btvirt: check pkt lengths, don't get stuck on malformed
> emulator: btvirt: allow specifying where server unix sockets are made
> emulator: btvirt: support SCO data packets
> emulator: btdev: clear more state on Reset
> test-runner: enable path argument for --unix
> test-runner: Add -o/--option option
> test-runner: allow source tree root for -k
> test-runner: use virtio-serial for implementing -u device forwarding
> doc: enable CONFIG_VIRTIO_CONSOLE in tester config
> doc: enable KVM paravirtualization & clock support in tester kernel
> config
> doc: add functional/integration testing documentation
> test: add functional/integration testing framework
> build: add functional testing target
> test: functional: impose Python code formatting
> test: functional: add some Agent1 interface tests
> test: functional: add basic obex file transfer tests
>
> Makefile.am | 10 +
> configure.ac | 22 ++
> doc/ci.config | 9 +
> doc/test-functional.rst | 299 ++++++++++++++++++++++++
> doc/test-runner.rst | 17 ++
> doc/tester.config | 9 +
> emulator/btdev.c | 117 ++++++----
> emulator/main.c | 37 +--
> emulator/server.c | 21 ++
> test/functional/__init__.py | 2 +
> test/functional/conftest.py | 48 ++++
> test/functional/requirements.txt | 2 +
> test/functional/test_agent.py | 46 ++++
> test/functional/test_bluetoothctl_vm.py | 152 ++++++++++++
> test/functional/test_btmgmt_vm.py | 30 +++
> test/functional/test_obex.py | 285 ++++++++++++++++++++++
> test/functional/test_tests.py | 23 ++
> test/pytest.ini | 17 ++
> test/test-functional | 21 ++
> test/test-functional-attach | 7 +
> tools/test-runner.c | 89 ++++---
> 21 files changed, 1177 insertions(+), 86 deletions(-)
> create mode 100644 doc/test-functional.rst
> create mode 100644 test/functional/__init__.py
> create mode 100644 test/functional/conftest.py
> create mode 100644 test/functional/requirements.txt
> create mode 100644 test/functional/test_agent.py
> create mode 100644 test/functional/test_bluetoothctl_vm.py
> create mode 100644 test/functional/test_btmgmt_vm.py
> create mode 100644 test/functional/test_obex.py
> create mode 100644 test/functional/test_tests.py
> create mode 100644 test/pytest.ini
> create mode 100755 test/test-functional
> create mode 100755 test/test-functional-attach
>
> --
> 2.54.0
Do you mind resending the remaining changes? I'd like to see how it
works; it seems you've already integrated with things like `make
check`, right?
--
Luiz Augusto von Dentz
^ permalink raw reply
* RE: [v4,1/2] Bluetooth: hci_conn: Fix null ptr deref in hci_abort_conn()
From: bluez.test.bot @ 2026-06-12 18:32 UTC (permalink / raw)
To: linux-bluetooth, oss
In-Reply-To: <20260612161753.3140707-1-oss@fourdim.xyz>
[-- Attachment #1: Type: text/plain, Size: 2794 bytes --]
This is an automated email, please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1110757
---Test result---
Test Summary:
CheckPatch PASS 2.09 seconds
VerifyFixes PASS 0.13 seconds
VerifySignedoff PASS 0.13 seconds
GitLint PASS 0.64 seconds
SubjectPrefix PASS 0.24 seconds
BuildKernel PASS 31.25 seconds
CheckAllWarning PASS 29.22 seconds
CheckSparse PASS 27.09 seconds
BuildKernel32 PASS 24.86 seconds
TestRunnerSetup PASS 539.28 seconds
TestRunner_l2cap-tester PASS 59.68 seconds
TestRunner_iso-tester PASS 85.37 seconds
TestRunner_bnep-tester PASS 18.81 seconds
TestRunner_mgmt-tester FAIL 211.24 seconds
TestRunner_rfcomm-tester PASS 25.31 seconds
TestRunner_sco-tester PASS 32.96 seconds
TestRunner_ioctl-tester PASS 26.06 seconds
TestRunner_mesh-tester FAIL 25.94 seconds
TestRunner_smp-tester PASS 23.50 seconds
TestRunner_userchan-tester PASS 20.60 seconds
TestRunner_6lowpan-tester FAIL 46.95 seconds
IncrementalBuild PASS 42.35 seconds
Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.247 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.773 seconds
Mesh - Send cancel - 2 Timed out 1.990 seconds
##############################
Test: TestRunner_6lowpan-tester - FAIL
Desc: Run 6lowpan-tester with test-runner
Output:
Total: 8, Passed: 3 (37.5%), Failed: 5, Not Run: 0
Failed Test Cases
Client Connect - Disconnect Timed out 5.128 seconds
Client Recv Dgram - Success Timed out 4.988 seconds
Client Recv Raw - Success Timed out 4.994 seconds
Client Recv IPHC Dgram - Success Timed out 4.996 seconds
Client Recv IPHC Raw - Success Timed out 4.994 seconds
https://github.com/bluez/bluetooth-next/pull/311
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [bluez/bluez]
From: BluezTestBot @ 2026-06-12 18:26 UTC (permalink / raw)
To: linux-bluetooth
Branch: refs/heads/1094320
Home: https://github.com/bluez/bluez
To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
^ permalink raw reply
* Re: [PATCH v1] Bluetooth: 6lowpan: Fix using chan->conn as indication to no remote netdev
From: Siwei Zhang @ 2026-06-12 16:42 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
In-Reply-To: <20260612142957.524526-1-luiz.dentz@gmail.com>
Hi Luiz,
On Fri, Jun 12, 2026, at 10:29 AM, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by holding
> conn ref") doesn't reset chan->conn to NULL anymore, making the bt#
> netdev not be removed once the last l2cap_chan_del has run.
>
> Instead of restoring the original behavior, this removes the logic of
> keeping the interface after the last channel is removed, because it
> never worked as intended and l2cap_chan_del always detaches its
> l2cap_conn, which results in always removing the channel anyway.
>
> Fixes: b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by
> holding conn ref")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
I think the 6lowpan CI failed because of this.
What about backporting it to stable here?
b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by holding
conn ref") has a cc to stable.
> ---
> net/bluetooth/6lowpan.c | 10 ----------
> 1 file changed, 10 deletions(-)
>
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index cb1e329d66fd..dba0c9128cf6 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -801,16 +801,6 @@ static void chan_close_cb(struct l2cap_chan *chan)
>
> BT_DBG("chan %p conn %p", chan, chan->conn);
>
> - if (chan->conn && chan->conn->hcon) {
> - if (!is_bt_6lowpan(chan->conn->hcon))
> - return;
> -
> - /* If conn is set, then the netdev is also there and we should
> - * not remove it.
> - */
> - remove = false;
After removing this, the remove var will always be true,
leaving the var and the corresponding check redundant.
> - }
> -
> spin_lock(&devices_lock);
>
> list_for_each_entry_rcu(entry, &bt_6lowpan_devices, list) {
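Review bot: with the `chan->conn && chan->conn->hcon` block gone, `remove` keeps its initial value for the rest of chan_close_cb(), so the variable and whatever later tests it are dead and should be dropped in the same patch. The hunk also deletes the `!is_bt_6lowpan(chan->conn->hcon)` early return, which in the lines shown was what kept non-6lowpan connections away from the bt_6lowpan_devices walk under devices_lock; the commit message should say why chan_close_cb() can now always take that path.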
> --
> 2.54.0
Best,
Siwei
^ permalink raw reply
* RE: Support for block device NVMEM providers
From: bluez.test.bot @ 2026-06-12 16:24 UTC (permalink / raw)
To: linux-bluetooth, loic.poulain
In-Reply-To: <20260612-block-as-nvmem-v5-1-95e0b30fff90@oss.qualcomm.com>
[-- Attachment #1: Type: text/plain, Size: 4924 bytes --]
This is an automated email, please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1110666
---Test result---
Test Summary:
CheckPatch FAIL 6.99 seconds
VerifyFixes PASS 0.08 seconds
VerifySignedoff PASS 0.09 seconds
GitLint FAIL 2.10 seconds
SubjectPrefix FAIL 0.68 seconds
BuildKernel PASS 25.13 seconds
CheckAllWarning PASS 28.06 seconds
CheckSparse PASS 26.89 seconds
BuildKernel32 PASS 24.22 seconds
TestRunnerSetup PASS 522.99 seconds
TestRunner_l2cap-tester FAIL 57.69 seconds
TestRunner_iso-tester PASS 82.59 seconds
TestRunner_bnep-tester PASS 19.28 seconds
TestRunner_mgmt-tester FAIL 207.46 seconds
TestRunner_rfcomm-tester PASS 24.85 seconds
TestRunner_sco-tester PASS 31.83 seconds
TestRunner_ioctl-tester PASS 25.95 seconds
TestRunner_mesh-tester FAIL 25.88 seconds
TestRunner_smp-tester PASS 22.98 seconds
TestRunner_userchan-tester PASS 20.31 seconds
TestRunner_6lowpan-tester FAIL 45.85 seconds
IncrementalBuild PASS 67.81 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v5,5/9] block: implement NVMEM provider
WARNING: please write a help paragraph that fully describes the config symbol with at least 4 lines
#209: FILE: block/Kconfig:212:
+config BLK_NVMEM
+ bool "Block device NVMEM provider"
+ depends on OF
+ depends on NVMEM
+ help
+ Allow block devices (or partitions) to act as NVMEM providers,
+ typically used with eMMC to store MAC addresses or Wi-Fi
+ calibration data on embedded devices.
+
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#231:
new file mode 100644
total: 0 errors, 2 warnings, 172 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14626125.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[v5,9/9] arm64: dts: qcom: arduino-imola: Describe NVMEM layout for WiFi/BT addresses
1: T1 Title exceeds max length (85>80): "[v5,9/9] arm64: dts: qcom: arduino-imola: Describe NVMEM layout for WiFi/BT addresses"
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
"Bluetooth: " prefix is not specified in the subject
"Bluetooth: " prefix is not specified in the subject
"Bluetooth: " prefix is not specified in the subject
"Bluetooth: " prefix is not specified in the subject
"Bluetooth: " prefix is not specified in the subject
"Bluetooth: " prefix is not specified in the subject
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0
Failed Test Cases
L2CAP BR/EDR Server - Set PHY 1M Failed 0.249 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.236 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.479 seconds
Mesh - Send cancel - 2 Timed out 1.988 seconds
##############################
Test: TestRunner_6lowpan-tester - FAIL
Desc: Run 6lowpan-tester with test-runner
Output:
Total: 8, Passed: 3 (37.5%), Failed: 5, Not Run: 0
Failed Test Cases
Client Connect - Disconnect Timed out 5.433 seconds
Client Recv Dgram - Success Timed out 4.987 seconds
Client Recv Raw - Success Timed out 4.992 seconds
Client Recv IPHC Dgram - Success Timed out 4.997 seconds
Client Recv IPHC Raw - Success Timed out 4.998 seconds
https://github.com/bluez/bluetooth-next/pull/307
---
Regards,
Linux Bluetooth
^ permalink raw reply
* [PATCH v4 2/2] Bluetooth: hci_sync: Remove unused hci_cmd_sync_dequeue_once()
From: Siwei Zhang @ 2026-06-12 16:16 UTC (permalink / raw)
To: Luiz Augusto von Dentz, Pauli Virtanen; +Cc: linux-bluetooth, Siwei Zhang
In-Reply-To: <20260612161753.3140707-1-oss@fourdim.xyz>
hci_cmd_sync_dequeue_once() had a single in-tree caller,
hci_cancel_connect_sync(), which now holds cmd_sync_work_lock across the
in-flight create flag test and the dequeue and so open-codes the lookup
and cancel under that lock. That leaves the exported
hci_cmd_sync_dequeue_once() with no in-tree user, so remove it along with
its declaration.
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
---
include/net/bluetooth/hci_sync.h | 3 ---
net/bluetooth/hci_sync.c | 26 --------------------------
2 files changed, 29 deletions(-)
diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
index 73e494b2591d..818e62d9fe9e 100644
--- a/include/net/bluetooth/hci_sync.h
+++ b/include/net/bluetooth/hci_sync.h
@@ -84,9 +84,6 @@ void hci_cmd_sync_cancel_entry(struct hci_dev *hdev,
struct hci_cmd_sync_work_entry *entry);
bool hci_cmd_sync_dequeue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
void *data, hci_cmd_sync_work_destroy_t destroy);
-bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
- hci_cmd_sync_work_func_t func, void *data,
- hci_cmd_sync_work_destroy_t destroy);
int hci_update_eir_sync(struct hci_dev *hdev);
int hci_update_class_sync(struct hci_dev *hdev);
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 5a6ffdb84c88..0e44489c5309 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -860,32 +860,6 @@ void hci_cmd_sync_cancel_entry(struct hci_dev *hdev,
}
EXPORT_SYMBOL(hci_cmd_sync_cancel_entry);
-/* Dequeue one HCI command entry:
- *
- * - Lookup and cancel first entry that matches.
- */
-bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
- hci_cmd_sync_work_func_t func,
- void *data, hci_cmd_sync_work_destroy_t destroy)
-{
- struct hci_cmd_sync_work_entry *entry;
-
- mutex_lock(&hdev->cmd_sync_work_lock);
-
- entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
- if (!entry) {
- mutex_unlock(&hdev->cmd_sync_work_lock);
- return false;
- }
-
- _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
-
- mutex_unlock(&hdev->cmd_sync_work_lock);
-
- return true;
-}
-EXPORT_SYMBOL(hci_cmd_sync_dequeue_once);
-
/* Dequeue HCI command entry:
*
* - Lookup and cancel any entry that matches by function callback or data or
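Review bot: this hunk only builds once patch 1/2 has replaced the two hci_cmd_sync_dequeue_once() calls in hci_cancel_connect_sync(), so the series must not be applied or backported out of order; since 1/2 carries Cc: stable and this patch does not, state in the commit message whether 2/2 is meant to follow it into stable or is intentionally left out. The "single in-tree caller" claim would be easier to verify with the `git grep hci_cmd_sync_dequeue_once` result quoted in the description, given the symbol was exported.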
--
2.54.0
^ permalink raw reply related
* [PATCH v4 1/2] Bluetooth: hci_conn: Fix null ptr deref in hci_abort_conn()
From: Siwei Zhang @ 2026-06-12 16:16 UTC (permalink / raw)
To: Luiz Augusto von Dentz, Pauli Virtanen; +Cc: linux-bluetooth, Siwei Zhang
hci_abort_conn() read hci_skb_event(hdev->sent_cmd) when a connection
was pending, but hdev->sent_cmd can be NULL while req_status is still
HCI_REQ_PEND, leading to a NULL pointer dereference and a general
protection fault from the hci_rx_work() receive path.
Instead of inspecting hdev->sent_cmd, track the in-flight create
connection command with a new per-connection HCI_CONN_CREATE flag and
route all cancellation through hci_cancel_connect_sync(). The create
command is in exactly one of two states: still queued, or in flight.
hci_cancel_connect_sync() holds cmd_sync_work_lock across the whole
decision: the worker takes this lock to dequeue every entry, so while it
is held a queued command cannot start running and an in-flight command
cannot complete and let the next command become pending. This keeps the
flag test and hci_cmd_sync_cancel() atomic with respect to the worker,
so a queued command is simply dequeued, and an in-flight command owned
by this connection is cancelled without the risk of cancelling an
unrelated command that became pending in the meantime. CIS uses the same
path via the existing HCI_CONN_CREATE_CIS flag.
Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
---
include/net/bluetooth/hci_core.h | 1 +
net/bluetooth/hci_conn.c | 21 ++------
net/bluetooth/hci_sync.c | 83 +++++++++++++++++++++++++++-----
3 files changed, 75 insertions(+), 30 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index aa600fbf9a53..aa554c34f9ec 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -988,6 +988,7 @@ enum {
HCI_CONN_AUTH_FAILURE,
HCI_CONN_PER_ADV,
HCI_CONN_BIG_CREATED,
+ HCI_CONN_CREATE,
HCI_CONN_CREATE_CIS,
HCI_CONN_CREATE_BIG_SYNC,
HCI_CONN_BIG_SYNC,
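Review bot: HCI_CONN_CREATE is inserted ahead of HCI_CONN_CREATE_CIS, which shifts the bit number of every flag after it; that is harmless because conn->flags never leaves the kernel, but a one-line comment next to the new value stating its contract (set only while the cmd_sync worker blocks on the connection complete event, tested under cmd_sync_work_lock) would stop the next reader from treating it as a general "connecting" state bit.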
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 54eabaa46960..eba4a548bef5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -3181,26 +3181,11 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
conn->abort_reason = reason;
- /* If the connection is pending check the command opcode since that
- * might be blocking on hci_cmd_sync_work while waiting its respective
- * event so we need to hci_cmd_sync_cancel to cancel it.
- *
- * hci_connect_le serializes the connection attempts so only one
- * connection can be in BT_CONNECT at time.
+ /* Cancel the connect attempt. A return of 0 means the create command
+ * was still queued and got dequeued, so there is nothing to disconnect.
*/
- if (conn->state == BT_CONNECT && READ_ONCE(hdev->req_status) == HCI_REQ_PEND) {
- switch (hci_skb_event(hdev->sent_cmd)) {
- case HCI_EV_CONN_COMPLETE:
- case HCI_EV_LE_CONN_COMPLETE:
- case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
- case HCI_EVT_LE_CIS_ESTABLISHED:
- hci_cmd_sync_cancel(hdev, ECANCELED);
- break;
- }
- /* Cancel connect attempt if still queued/pending */
- } else if (!hci_cancel_connect_sync(hdev, conn)) {
+ if (!hci_cancel_connect_sync(hdev, conn))
return 0;
- }
/* Run immediately if on cmd_sync_work since this may be called
* as a result to MGMT_OP_DISCONNECT/MGMT_OP_UNPAIR which does
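Review bot: the `conn->state == BT_CONNECT` gate is gone, so hci_abort_conn() now calls hci_cancel_connect_sync() for every connection in every state, and per the hci_sync.c hunk that function takes cmd_sync_work_lock and walks the queue on each call, including for established links that can have neither a queued nor an in-flight create command. Consider keeping the state check, or at least a cheap flag/queue-empty test ahead of the mutex. The new comment should also say that every non-zero return, including -ENOENT for link types the switch does not handle, means "proceed to disconnect", since that is what the fall-through below now does.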
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index df23245d6ccd..5a6ffdb84c88 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6668,6 +6668,12 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
&own_addr_type);
if (err)
goto done;
+
+ /* Mark create connection in flight so hci_cancel_connect_sync() can
+ * cancel it while blocking on the connection complete event.
+ */
+ set_bit(HCI_CONN_CREATE, &conn->flags);
+
/* Send command LE Extended Create Connection if supported */
if (use_ext_conn(hdev)) {
err = hci_le_ext_create_conn_sync(hdev, conn, own_addr_type);
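Review bot: set_bit() runs inside the work function, i.e. after the worker has dequeued this entry under cmd_sync_work_lock and released the lock, so there is a window where the entry is off the queue but HCI_CONN_CREATE is not yet set. A hci_cancel_connect_sync() in that window finds neither and returns -EBUSY, leaving the create command to be sent while the caller proceeds with the abort. If that is acceptable because the abort ends up serialized behind the create on the same work, say so in the comment; otherwise the flag needs to be set before the entry leaves the queue.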
@@ -6703,6 +6709,8 @@ static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
conn->conn_timeout, NULL);
done:
+ clear_bit(HCI_CONN_CREATE, &conn->flags);
+
if (err == -ETIMEDOUT)
hci_le_connect_cancel_sync(hdev, conn, 0x00);
@@ -6982,10 +6990,19 @@ static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data)
else
cp.role_switch = 0x00;
- return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
- sizeof(cp), &cp,
- HCI_EV_CONN_COMPLETE,
- conn->conn_timeout, NULL);
+ /* Mark create connection in flight so hci_cancel_connect_sync() can
+ * cancel it while blocking on the connection complete event.
+ */
+ set_bit(HCI_CONN_CREATE, &conn->flags);
+
+ err = __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
+ sizeof(cp), &cp,
+ HCI_EV_CONN_COMPLETE,
+ conn->conn_timeout, NULL);
+
+ clear_bit(HCI_CONN_CREATE, &conn->flags);
+
+ return err;
}
int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
@@ -7039,20 +7056,62 @@ int hci_connect_le_sync(struct hci_dev *hdev, struct hci_conn *conn)
int hci_cancel_connect_sync(struct hci_dev *hdev, struct hci_conn *conn)
{
- if (conn->state != BT_OPEN)
- return -EINVAL;
+ struct hci_cmd_sync_work_entry *entry;
+ hci_cmd_sync_work_func_t func = NULL;
+ hci_cmd_sync_work_destroy_t destroy = NULL;
+ int create_flag = -1;
+ int err = -EBUSY;
switch (conn->type) {
case ACL_LINK:
- return !hci_cmd_sync_dequeue_once(hdev,
- hci_acl_create_conn_sync,
- conn, NULL);
+ func = hci_acl_create_conn_sync;
+ create_flag = HCI_CONN_CREATE;
+ break;
case LE_LINK:
- return !hci_cmd_sync_dequeue_once(hdev, hci_le_create_conn_sync,
- conn, create_le_conn_complete);
+ func = hci_le_create_conn_sync;
+ destroy = create_le_conn_complete;
+ create_flag = HCI_CONN_CREATE;
+ break;
+ case CIS_LINK:
+ /* LE Create CIS is shared by the whole CIG and cannot be
+ * dequeued per-connection; only cancel it in-flight below.
+ */
+ create_flag = HCI_CONN_CREATE_CIS;
+ break;
+ default:
+ return -ENOENT;
}
- return -ENOENT;
+ /* The create command is either still queued or in flight. Hold
+ * cmd_sync_work_lock across the test and the cancel: the worker takes
+ * this lock to dequeue every entry, so while it is held no other command
+ * can become pending, which keeps hci_cmd_sync_cancel() from racing with
+ * completion and cancelling an unrelated command.
+ */
+ mutex_lock(&hdev->cmd_sync_work_lock);
+
+ /* The flag is set while the worker blocks on the connection complete
+ * event, so if it is set this connection owns the pending request.
+ */
+ if (create_flag >= 0 && test_bit(create_flag, &conn->flags)) {
+ hci_cmd_sync_cancel(hdev, ECANCELED);
+ goto unlock;
+ }
+
+ /* Otherwise it may still be queued; dequeue it. A successful dequeue
+ * means it never started, so there is nothing to disconnect.
+ */
+ if (func) {
+ entry = _hci_cmd_sync_lookup_entry(hdev, func, conn, destroy);
+ if (entry) {
+ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+ err = 0;
+ }
+ }
+
+unlock:
+ mutex_unlock(&hdev->cmd_sync_work_lock);
+ return err;
}
int hci_le_conn_update_sync(struct hci_dev *hdev, struct hci_conn *conn,
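Review bot: when the in-flight path is taken (test_bit true, hci_cmd_sync_cancel() called, goto unlock) the function still returns err, which is -EBUSY; the old code returned !hci_cmd_sync_dequeue_once(), i.e. non-zero for "could not dequeue". If callers rely on non-zero meaning "the connection was started, a disconnect is still needed", say so in a comment beside `int err = -EBUSY;`, since that value now also covers CIS_LINK, where no dequeue is ever attempted and a clear flag silently means "nothing cancelled". The removed `if (conn->state != BT_OPEN) return -EINVAL;` check has no visible justification in this hunk; if the intent is that such a conn has neither the flag set nor a queued entry and so falls through to -EBUSY, a one-line comment would stop a reader from re-adding it.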
--
2.54.0
^ permalink raw reply related
* RE: Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: bluez.test.bot @ 2026-06-12 16:17 UTC (permalink / raw)
To: linux-bluetooth, oss
In-Reply-To: <20260612143449.3045055-2-oss@fourdim.xyz>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1110715
---Test result---
Test Summary:
CheckPatch PASS 1.69 seconds
VerifyFixes PASS 0.13 seconds
VerifySignedoff PASS 0.13 seconds
GitLint PASS 0.32 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 27.75 seconds
CheckAllWarning PASS 30.27 seconds
CheckSparse PASS 28.78 seconds
BuildKernel32 PASS 26.04 seconds
TestRunnerSetup PASS 593.41 seconds
TestRunner_l2cap-tester PASS 59.89 seconds
TestRunner_smp-tester PASS 23.36 seconds
TestRunner_6lowpan-tester FAIL 45.88 seconds
IncrementalBuild PASS 25.58 seconds
Details
##############################
Test: TestRunner_6lowpan-tester - FAIL
Desc: Run 6lowpan-tester with test-runner
Output:
Total: 8, Passed: 3 (37.5%), Failed: 5, Not Run: 0
Failed Test Cases
Client Connect - Disconnect Timed out 4.974 seconds
Client Recv Dgram - Success Timed out 4.990 seconds
Client Recv Raw - Success Timed out 5.000 seconds
Client Recv IPHC Dgram - Success Timed out 4.991 seconds
Client Recv IPHC Raw - Success Timed out 4.997 seconds
https://github.com/bluez/bluetooth-next/pull/309
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: [v1] Bluetooth: 6lowpan: Fix using chan->conn as indication to no remote netdev
From: bluez.test.bot @ 2026-06-12 16:15 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
In-Reply-To: <20260612142957.524526-1-luiz.dentz@gmail.com>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1110712
---Test result---
Test Summary:
CheckPatch FAIL 0.65 seconds
VerifyFixes PASS 0.11 seconds
VerifySignedoff PASS 0.11 seconds
GitLint PASS 0.29 seconds
SubjectPrefix PASS 0.10 seconds
BuildKernel PASS 27.16 seconds
CheckAllWarning PASS 30.27 seconds
CheckSparse PASS 28.60 seconds
BuildKernel32 PASS 26.79 seconds
TestRunnerSetup PASS 591.54 seconds
TestRunner_6lowpan-tester PASS 23.04 seconds
IncrementalBuild PASS 26.01 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[v1] Bluetooth: 6lowpan: Fix using chan->conn as indication to no remote netdev
ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref")'
#98:
b66774b48dd9 ("Bluetooth: L2CAP: Fix UAF in channel timeout by holding
total: 1 errors, 0 warnings, 0 checks, 16 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14626271.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluetooth-next/pull/308
---
Regards,
Linux Bluetooth
^ permalink raw reply
* RE: Bluetooth: L2CAP: fix tx ident leak for commands without a response
From: bluez.test.bot @ 2026-06-12 16:11 UTC (permalink / raw)
To: linux-bluetooth, stig
In-Reply-To: <20260612143818.167643-1-stig@hornang.me>
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1110718
---Test result---
Test Summary:
CheckPatch PASS 0.46 seconds
VerifyFixes PASS 0.07 seconds
VerifySignedoff PASS 0.07 seconds
GitLint PASS 0.18 seconds
SubjectPrefix PASS 0.06 seconds
BuildKernel PASS 19.74 seconds
CheckAllWarning PASS 23.06 seconds
CheckSparse PASS 21.28 seconds
BuildKernel32 PASS 20.47 seconds
TestRunnerSetup PASS 415.18 seconds
TestRunner_l2cap-tester PASS 47.98 seconds
IncrementalBuild PASS 20.41 seconds
https://github.com/bluez/bluetooth-next/pull/310
---
Regards,
Linux Bluetooth
^ permalink raw reply
* Re: [PATCH v2 2/7] dt-bindings: bluetooth: qcom,wcn6750-bt: Document WCN6755 Bluetooth
From: Luiz Augusto von Dentz @ 2026-06-12 15:46 UTC (permalink / raw)
To: Luca Weiss
Cc: Bjorn Andersson, Konrad Dybcio, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Alexander Koskovich, Liam Girdwood, Mark Brown,
Bartosz Golaszewski, Marcel Holtmann, Balakrishna Godavarthi,
Rocky Liao, Johannes Berg, Jeff Johnson,
~postmarketos/upstreaming, phone-devel, linux-arm-msm,
linux-kernel, devicetree, linux-bluetooth, linux-wireless, ath11k
In-Reply-To: <DJ757RE8OYHO.2XEXNTLVIJ497@fairphone.com>
Hi Luca,
On Fri, Jun 12, 2026 at 11:33 AM Luca Weiss <luca.weiss@fairphone.com> wrote:
>
> Hi Luiz,
>
> On Fri Apr 3, 2026 at 3:52 PM CEST, Luca Weiss wrote:
> > Document the WCN6755 Bluetooth using a fallback to WCN6750 since the two
> > chips seem to be completely pin and software compatible. In fact the
> > original downstream kernel just pretends the WCN6755 is a WCN6750.
>
> Could you please pick up this patch (or provide an Ack if you want Bjorn
> to pick this up with the rest of the series).
>
> Regards
> Luca
>
> >
> > Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
> > ---
> > .../devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml
> > index 8606a45ac9b9..79522409d709 100644
> > --- a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml
> > +++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml
> > @@ -12,8 +12,14 @@ maintainers:
> >
> > properties:
> > compatible:
> > - enum:
> > - - qcom,wcn6750-bt
> > + oneOf:
> > + - items:
> > + - enum:
> > + - qcom,wcn6755-bt
> > + - const: qcom,wcn6750-bt
> > +
> > + - enum:
> > + - qcom,wcn6750-bt
> >
> > enable-gpios:
> > maxItems: 1
>
Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
--
Luiz Augusto von Dentz
^ permalink raw reply
* Re: [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response
From: Luiz Augusto von Dentz @ 2026-06-12 15:00 UTC (permalink / raw)
To: Stig Hornang; +Cc: linux-bluetooth, marcel
In-Reply-To: <20260612145809.181685-2-stig@hornang.me>
Hi Stig,
On Fri, Jun 12, 2026 at 11:58 AM Stig Hornang <stig@hornang.me> wrote:
>
> Found out it was already reported and suggested fix here: https://bugzilla.kernel.org/show_bug.cgi?id=221629
There was not a proper patch though so I'd just add a Reported-by.
--
Luiz Augusto von Dentz
^ permalink raw reply
* Re: [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response
From: Stig Hornang @ 2026-06-12 14:58 UTC (permalink / raw)
To: stig; +Cc: linux-bluetooth, luiz.dentz, marcel
In-Reply-To: <20260612143818.167643-1-stig@hornang.me>
Found out it was already reported and suggested fix here: https://bugzilla.kernel.org/show_bug.cgi?id=221629
^ permalink raw reply
* Re: [PATCH v1 1/2] Bluetooth: hci_core: Add reset_type parameter to hdev->reset() callback
From: Luiz Augusto von Dentz @ 2026-06-12 14:43 UTC (permalink / raw)
To: Bjorn Helgaas
Cc: Chandrashekar Devegowda, linux-bluetooth, linux-pci, bhelgaas,
ravishankar.srivatsa, chethan.tumkur.narayan
In-Reply-To: <20260612142839.GA598449@bhelgaas>
Hi Bjorn,
On Fri, Jun 12, 2026 at 11:28 AM Bjorn Helgaas <helgaas@kernel.org> wrote:
>
> On Fri, Jun 12, 2026 at 11:08:06AM -0300, Luiz Augusto von Dentz wrote:
> > On Thu, Jun 11, 2026 at 10:29 PM Chandrashekar Devegowda
> > <chandrashekar.devegowda@intel.com> wrote:
> > >
> > > Add a u8 reset_type parameter to the hdev->reset() callback to allow
> > > userspace to select the reset method via sysfs. Writing 1 to
> > > /sys/class/bluetooth/hci0/reset triggers a Product Level Device
> > > Reset (PLDR), while any other value triggers a Function Level Reset
> > > (FLR).
> > >
> > > The reset_type values are:
> > > 0 - Function Level Reset (FLR)
> > > 1 - Product Level Device Reset (PLDR)
> >
> > This should probably be treated as a generic level at the sysfs level,
> > then each vendor can interpret according to its own needs, for
> > btintel_pcie that would result in the above levels.
>
> Are you suggesting that this should be implemented in the
> pci_dev_reset_methods[] framework in drivers/pci/quirks.c, so the
> PCI-generic /sys/bus/pci/devices/.../reset interface could do the
> PLDR?
This is the Bluetooth sysfs reset entry, not the PCI one, which was
created for Bluetooth-specific reset methods like the one above. If
you think the generic level could be applied to the PCI sysfs level
that is perhaps a different suggestion.
> That sounds worth exploring, although I really don't know anything
> about the unusual multi-function model of some of these devices.
> And the /sys/class/bluetooth/hci<index>/reset attribute already exists
> and probably couldn't be removed.
Yeah, I suggested just treating the parameter as generic levels, so we
don't define its domain and leave it for each driver to decide how to
interpret it. The sysfs entry is not transport-specific (pci, usb,
uart), so using pci terminology in the documentation may lead to the
assumption that it is PCI-specific when it is not.
--
Luiz Augusto von Dentz
^ permalink raw reply
* [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response
From: Stig Hornang @ 2026-06-12 14:38 UTC (permalink / raw)
To: linux-bluetooth; +Cc: luiz.dentz, marcel, Stig Hornang
Commit 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding
TX ident") changed ident allocation to use an IDA, releasing idents in
l2cap_put_ident() when the matching response command is received.
But identifiers allocated for commands that have no response defined
are never released. In particular L2CAP_LE_CREDITS is sent repeatedly for
the lifetime of an LE CoC channel, so a peer streaming data to the
host exhausts the 1-255 ident range after 254 credit packets. From
then on l2cap_get_ident() fails:
kernel: Bluetooth: Unable to allocate ident: -28
and every subsequent L2CAP_LE_CREDITS packet is sent with ident 0,
which is invalid (Core Spec, Vol 3, Part A, Section 4: "Signaling
identifier 0x00 is an invalid identifier and shall never be used in
any command"). Remote stacks that validate the ident drop these
commands, never receive new credits, and the channel stalls
permanently. With default socket buffers this happens after roughly 0.5 MB
of received data (the exact amount depends on the socket receive buffer):
< ACL Data TX: Handle 2048 flags 0x00 dlen 12
LE L2CAP: LE Flow Control Credit (0x16) ident 0 len 4
Source CID: 64
Credits: 1
Release the ident immediately after sending L2CAP_LE_CREDITS since no
response will ever release it. Use a local variable instead of
chan->ident so that an ident that an EXT_FLOWCTL channel may be waiting on
(e.g. a pending reconfigure) is not overwritten by a credit packet.
Also add the missing L2CAP_LE_CONN_RSP case to l2cap_put_ident() so
idents allocated for outgoing L2CAP_LE_CONN_REQ commands are released
when the response arrives.
Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
Assisted-by: Claude:claude-opus-4.8
Assisted-by: Fable:5
Signed-off-by: Stig Hornang <stig@hornang.me>
---
net/bluetooth/l2cap_core.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4810,6 +4810,7 @@ static void l2cap_put_ident(struct l2cap
case L2CAP_ECHO_RSP:
case L2CAP_INFO_RSP:
case L2CAP_CONN_PARAM_UPDATE_RSP:
+ case L2CAP_LE_CONN_RSP:
case L2CAP_ECRED_CONN_RSP:
case L2CAP_ECRED_RECONF_RSP:
/* First do a lookup since the remote may send bogus ids that
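Review bot: the L2CAP_LE_CONN_RSP case fixes a separate leak (idents of outgoing L2CAP_LE_CONN_REQ never released) from the L2CAP_LE_CREDITS one that the subject and the Fixes tag describe; consider splitting it into its own patch with its own Fixes tag so the two can be backported and bisected independently.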
@@ -6632,6 +6633,7 @@ static void l2cap_chan_le_send_credits(s
struct l2cap_conn *conn = chan->conn;
struct l2cap_le_credits pkt;
u16 return_credits = l2cap_le_rx_credits(chan);
+ int ident;
if (chan->mode != L2CAP_MODE_LE_FLOWCTL &&
chan->mode != L2CAP_MODE_EXT_FLOWCTL)
@@ -6649,9 +6651,18 @@ static void l2cap_chan_le_send_credits(s
pkt.cid = cpu_to_le16(chan->scid);
pkt.credits = cpu_to_le16(return_credits);
- chan->ident = l2cap_get_ident(conn);
+ ident = l2cap_get_ident(conn);
+
+ l2cap_send_cmd(conn, ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
- l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
+ /* L2CAP_LE_CREDITS has no response so the ident is never released by
+ * l2cap_put_ident() - release it right away, otherwise the tx_ida
+ * range is exhausted after 254 packets and from then on credits are
+ * sent with the invalid ident 0, which some remote stacks ignore,
+ * stalling the channel.
+ */
+ if (ident > 0)
+ ida_free(&conn->tx_ida, ident);
}
void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail)
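Review bot: when l2cap_get_ident() fails, ident is 0 and the PDU is still sent with the ident the commit message itself calls invalid; now that credits no longer leak this should be rare, but either return early or state in the comment that sending with ident 0 is the accepted fallback. The direct ida_free(&conn->tx_ida, ident) also bypasses l2cap_put_ident(); a tiny release helper, or a comment on l2cap_put_ident(), should record that L2CAP_LE_CREDITS is intentionally absent from its switch because the ident is freed at send time, otherwise the next person to audit the ident lifecycle will add it there and double-free.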
^ permalink raw reply
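The two problems the commit message above describes, ident exhaustion when a command that gets no response never releases its ident, and a credit PDU clobbering the ident a channel is waiting on, as an added worked example that is not part of the patch or of the kernel. It is a user-space model: the names ident_pool, ident_get/ident_put, send_le_credits, chan_model and reconf_ident_survives are the example's own. The model hands out the smallest free id in 1..255 and yields the invalid ident 0 when none is left, so here the range runs dry on the 256th allocation; the commit message's count of 254 is for a real channel where another ident can already be outstanding.

```c
/* Added example, not kernel code: a user-space model of L2CAP signalling
 * ident bookkeeping. The kernel's tx_ida hands out the smallest free id in
 * 1..255; this bitmap does the same and, like l2cap_get_ident() on failure,
 * yields the invalid ident 0 when the range is exhausted. All names below
 * are the example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IDENT_MIN 1
#define IDENT_MAX 255

struct ident_pool {
    bool used[IDENT_MAX + 1];   /* index 0 is never handed out */
};

struct chan_model {
    uint8_t ident;              /* stands in for chan->ident */
};

static void ident_pool_init(struct ident_pool *p)
{
    memset(p, 0, sizeof(*p));
}

/* Smallest free ident in 1..255, or 0 when the range is exhausted. */
static uint8_t ident_get(struct ident_pool *p)
{
    for (unsigned int id = IDENT_MIN; id <= IDENT_MAX; id++) {
        if (!p->used[id]) {
            p->used[id] = true;
            return (uint8_t)id;
        }
    }
    return 0;
}

static void ident_put(struct ident_pool *p, uint8_t id)
{
    if (id >= IDENT_MIN)
        p->used[id] = false;
}

/* Emit one LE Flow Control Credit PDU and return the ident it carried.
 * fixed == false models the pre-patch code: the ident goes into
 * chan->ident and is never released, since no response will arrive.
 * fixed == true models the patch: a local ident, released right away. */
static uint8_t send_le_credits(struct ident_pool *p, struct chan_model *chan,
                               bool fixed)
{
    uint8_t ident = ident_get(p);

    /* l2cap_send_cmd(conn, ident, L2CAP_LE_CREDITS, ...) would go here. */

    if (!fixed)
        chan->ident = ident;
    else if (ident > 0)
        ident_put(p, ident);
    return ident;
}

/* Stream n credit PDUs; return how many went out with the invalid ident 0. */
static unsigned int count_zero_idents(unsigned int n, bool fixed)
{
    struct ident_pool pool;
    struct chan_model chan = { 0 };
    unsigned int zeros = 0;

    ident_pool_init(&pool);
    for (unsigned int i = 0; i < n; i++)
        if (send_le_credits(&pool, &chan, fixed) == 0)
            zeros++;
    return zeros;
}

/* Second problem: a channel waiting on a reconfigure response keeps that
 * ident in chan->ident; a credit PDU sent in between must not overwrite it.
 * Returns true if the response would still match chan->ident afterwards. */
static bool reconf_ident_survives(bool fixed)
{
    struct ident_pool pool;
    struct chan_model chan = { 0 };
    uint8_t reconf_ident;

    ident_pool_init(&pool);
    reconf_ident = ident_get(&pool);        /* reconfigure request sent */
    chan.ident = reconf_ident;
    send_le_credits(&pool, &chan, fixed);   /* credits sent while waiting */
    return chan.ident == reconf_ident;
}

int main(void)
{
    unsigned int leaky = count_zero_idents(300, false);  /* 45: ids 1..255 used up */
    unsigned int good = count_zero_idents(300, true);    /* 0 */

    return (leaky == 45 && good == 0 &&
            !reconf_ident_survives(false) && reconf_ident_survives(true)) ? 0 : 1;
}
```

The two helpers separate the two failure modes: count_zero_idents() shows the range draining under a remote that keeps streaming data, and reconf_ident_survives() shows why the patch uses a local variable instead of chan->ident even though the leak alone would be fixed by the ida_free() call.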
* [PATCH v11 1/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: Siwei Zhang @ 2026-06-12 14:34 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, Siwei Zhang
In-Reply-To: <20260612143449.3045055-1-oss@fourdim.xyz>
l2cap_sock_new_connection_cb() returned l2cap_pi(sk)->chan after
release_sock(parent). Once the parent lock is dropped the newly
enqueued child socket sk is reachable via the accept queue, so another
task can accept and free it before the callback dereferences sk,
resulting in a use-after-free.
Rework the ->new_connection() op so the core, rather than the callback,
owns the child channel's lifetime. The op now receives a pre-allocated
new_chan and returns an errno instead of allocating and returning a
channel. l2cap_new_connection() allocates the child channel and links
it into the conn list via __l2cap_chan_add() before invoking the
callback, so the conn-list reference keeps the channel alive once
release_sock(parent) exposes the socket to other tasks.
Channel configuration that was duplicated in l2cap_sock_init() and the
various new_connection callbacks is consolidated into
l2cap_chan_set_defaults(), which now inherits from the parent channel
when one is supplied.
Fixes: 8ffb929098a5 ("Bluetooth: Remove parent socket usage from l2cap_core.c")
Cc: stable@kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
---
include/net/bluetooth/l2cap.h | 10 ++--
net/bluetooth/6lowpan.c | 18 +-----
net/bluetooth/l2cap_core.c | 78 ++++++++++++++++++++-----
net/bluetooth/l2cap_sock.c | 103 ++++++++++++++++------------------
net/bluetooth/smp.c | 27 ++-------
5 files changed, 127 insertions(+), 109 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 1640cc9bf83a..ef6ce1c20a4f 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -617,7 +617,8 @@ struct l2cap_chan {
struct l2cap_ops {
char *name;
- struct l2cap_chan *(*new_connection) (struct l2cap_chan *chan);
+ int (*new_connection)(struct l2cap_chan *chan,
+ struct l2cap_chan *new_chan);
int (*recv) (struct l2cap_chan * chan,
struct sk_buff *skb);
void (*teardown) (struct l2cap_chan *chan, int err);
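Review bot: the new ->new_connection() contract (new_chan arrives already initialised from chan and linked into the conn list; return 0 to accept or a negative errno, after which the core unlinks and frees new_chan and the callback must not have kept a pointer to it) is stated only in a comment in l2cap_core.c; put it next to the op in struct l2cap_ops, where implementers will look for it.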
@@ -882,9 +883,10 @@ static inline __u16 __next_seq(struct l2cap_chan *chan, __u16 seq)
return (seq + 1) % (chan->tx_win_max + 1);
}
-static inline struct l2cap_chan *l2cap_chan_no_new_connection(struct l2cap_chan *chan)
+static inline int l2cap_chan_no_new_connection(struct l2cap_chan *chan,
+ struct l2cap_chan *new_chan)
{
- return NULL;
+ return -EOPNOTSUPP;
}
static inline int l2cap_chan_no_recv(struct l2cap_chan *chan, struct sk_buff *skb)
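Review bot: after this change a NULL .new_connection (which 6lowpan now has) means "accept with no extra setup", while l2cap_chan_no_new_connection() returning -EOPNOTSUPP means "refuse the incoming connection"; before, both amounted to "no callback". A comment on the stub saying it now rejects connections would stop someone picking it as the harmless default.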
@@ -961,7 +963,7 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
void l2cap_chan_busy(struct l2cap_chan *chan, int busy);
void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail);
int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator);
-void l2cap_chan_set_defaults(struct l2cap_chan *chan);
+void l2cap_chan_set_defaults(struct l2cap_chan *chan, struct l2cap_chan *pchan);
int l2cap_ertm_init(struct l2cap_chan *chan);
void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan);
void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan);
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index cb1e329d66fd..6e57b4b95c94 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -632,7 +632,7 @@ static struct l2cap_chan *chan_create(void)
if (!chan)
return NULL;
- l2cap_chan_set_defaults(chan);
+ l2cap_chan_set_defaults(chan, NULL);
chan->chan_type = L2CAP_CHAN_CONN_ORIENTED;
chan->mode = L2CAP_MODE_LE_FLOWCTL;
@@ -745,21 +745,6 @@ static inline void chan_ready_cb(struct l2cap_chan *chan)
ifup(dev->netdev);
}
-static inline struct l2cap_chan *chan_new_conn_cb(struct l2cap_chan *pchan)
-{
- struct l2cap_chan *chan;
-
- chan = chan_create();
- if (!chan)
- return NULL;
-
- chan->ops = pchan->ops;
-
- BT_DBG("chan %p pchan %p", chan, pchan);
-
- return chan;
-}
-
static void unregister_dev(struct lowpan_btle_dev *dev)
{
struct hci_dev *hdev = READ_ONCE(dev->hdev);
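Review bot: the removed chan_new_conn_cb() went through chan_create(), which explicitly sets chan_type and mode (see the hunk above) and may set more below it; the child now gets those fields only through the pchan inheritance in l2cap_chan_set_defaults(), so any field chan_create() sets that is not in the inherited list is silently lost for 6LoWPAN children. A sentence in the commit message confirming the two lists were compared would help.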
@@ -901,7 +886,6 @@ static long chan_get_sndtimeo_cb(struct l2cap_chan *chan)
static const struct l2cap_ops bt_6lowpan_chan_ops = {
.name = "L2CAP 6LoWPAN channel",
- .new_connection = chan_new_conn_cb,
.recv = chan_recv_cb,
.close = chan_close_cb,
.state_change = chan_state_change_cb,
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 62133eef9d2f..fab942661fb0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -522,7 +522,10 @@ void l2cap_chan_put(struct l2cap_chan *c)
}
EXPORT_SYMBOL_GPL(l2cap_chan_put);
-void l2cap_chan_set_defaults(struct l2cap_chan *chan)
+/* Initialise @chan with default values, inheriting from the parent channel
+ * @pchan when it is given.
+ */
+void l2cap_chan_set_defaults(struct l2cap_chan *chan, struct l2cap_chan *pchan)
{
chan->fcs = L2CAP_FCS_CRC16;
chan->max_tx = L2CAP_DEFAULT_MAX_TX;
@@ -536,6 +539,31 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
+ if (pchan) {
+ BT_DBG("chan %p pchan %p", chan, pchan);
+
+ chan->chan_type = pchan->chan_type;
+ chan->imtu = pchan->imtu;
+ chan->omtu = pchan->omtu;
+ chan->mode = pchan->mode;
+ chan->fcs = pchan->fcs;
+ chan->max_tx = pchan->max_tx;
+ chan->tx_win = pchan->tx_win;
+ chan->tx_win_max = pchan->tx_win_max;
+ chan->sec_level = pchan->sec_level;
+ chan->conf_state = pchan->conf_state;
+ chan->flags = pchan->flags;
+ chan->tx_credits = pchan->tx_credits;
+ chan->rx_credits = pchan->rx_credits;
+
+ if (chan->chan_type == L2CAP_CHAN_FIXED) {
+ chan->scid = pchan->scid;
+ chan->dcid = pchan->scid;
+ }
+
+ return;
+ }
+
chan->conf_state = 0;
set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
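Review bot: two behaviour changes in the pchan branch deserve a mention in the commit message. Accepted children now receive the defaults assigned above (retrans_timeout, monitor_timeout and the rest) before the inherited fields overwrite some of them, whereas the old l2cap_sock_init() called l2cap_chan_set_defaults() only in its no-parent branch; and the early `return` skips `chan->conf_state = 0; set_bit(CONF_NOT_COMPLETE, ...)` and whatever follows it, so conf_state is purely inherited. Both look intended, but are easy to miss when reading the diff.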
@@ -4010,6 +4038,38 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn,
return 0;
}
+/* Allocate and initialise a channel for an incoming connection.
+ *
+ * The channel inherits its configuration from @pchan and is linked into @conn
+ * before ->new_connection() runs, so the conn list reference keeps it alive if
+ * the callback exposes it (e.g. via the socket accept queue) before this
+ * returns. The l2cap_chan_create() reference is taken over by the subsystem on
+ * success and dropped here on failure.
+ */
+static struct l2cap_chan *l2cap_new_connection(struct l2cap_conn *conn,
+ struct l2cap_chan *pchan)
+{
+ struct l2cap_chan *chan;
+
+ chan = l2cap_chan_create();
+ if (!chan)
+ return NULL;
+
+ l2cap_chan_set_defaults(chan, pchan);
+ chan->ops = pchan->ops;
+
+ __l2cap_chan_add(conn, chan);
+
+ if (pchan->ops->new_connection &&
+ pchan->ops->new_connection(pchan, chan) < 0) {
+ l2cap_chan_del(chan, 0);
+ l2cap_chan_put(chan);
+ return NULL;
+ }
+
+ return chan;
+}
+
static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
u8 *data, u8 rsp_code)
{
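Review bot: the comment says the l2cap_chan_create() reference is "taken over by the subsystem on success"; that is explicit for the socket op (l2cap_sock_alloc() stores chan) but not for smp_new_conn_cb(), which never stores new_chan, nor for ops with no callback at all (6lowpan after this patch). Spell out per op where that reference is eventually put, otherwise it reads as a leak for those two. Also, the callback now runs with new_chan already on the conn list and l2cap_sock_new_connection_cb() takes lock_sock(parent) inside it; state which lock the callers hold around l2cap_new_connection() so the lock ordering is visible here rather than only at the call sites.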
@@ -4056,7 +4116,7 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
goto response;
}
- chan = pchan->ops->new_connection(pchan);
+ chan = l2cap_new_connection(conn, pchan);
if (!chan)
goto response;
@@ -4074,8 +4134,6 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
chan->psm = psm;
chan->dcid = scid;
- __l2cap_chan_add(conn, chan);
-
dcid = chan->scid;
__set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
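Review bot: chan->psm and chan->dcid are now assigned after __l2cap_chan_add() has put the channel on the conn list (and, for sockets, after the accept queue may already expose it), whereas before they were set first; if any lookup by dcid or psm over conn->chan_l can run concurrently, it can now observe a channel with dcid 0. The same ordering change applies to the omtu/remote_mps/credit initialisation in the LE and ECRED connect hunks below, so one comment here stating which lock covers that window would serve all three.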
@@ -4958,7 +5016,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
goto response_unlock;
}
- chan = pchan->ops->new_connection(pchan);
+ chan = l2cap_new_connection(conn, pchan);
if (!chan) {
result = L2CAP_CR_LE_NO_MEM;
goto response_unlock;
@@ -4973,8 +5031,6 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
chan->omtu = mtu;
chan->remote_mps = mps;
- __l2cap_chan_add(conn, chan);
-
l2cap_le_flowctl_init(chan, __le16_to_cpu(req->credits));
dcid = chan->scid;
@@ -5182,7 +5238,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
continue;
}
- chan = pchan->ops->new_connection(pchan);
+ chan = l2cap_new_connection(conn, pchan);
if (!chan) {
result = L2CAP_CR_LE_NO_MEM;
continue;
@@ -5197,8 +5253,6 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
chan->omtu = mtu;
chan->remote_mps = mps;
- __l2cap_chan_add(conn, chan);
-
l2cap_ecred_init(chan, __le16_to_cpu(req->credits));
/* Init response */
@@ -7478,14 +7532,12 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
goto next;
l2cap_chan_lock(pchan);
- chan = pchan->ops->new_connection(pchan);
+ chan = l2cap_new_connection(conn, pchan);
if (chan) {
bacpy(&chan->src, &hcon->src);
bacpy(&chan->dst, &hcon->dst);
chan->src_type = bdaddr_src_type(hcon);
chan->dst_type = dst_type;
-
- __l2cap_chan_add(conn, chan);
}
l2cap_chan_unlock(pchan);
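Review bot: here the child is linked into conn before bacpy() fills in its src/dst and the address types, which the old order set before __l2cap_chan_add(); the window is presumably covered by the pchan lock held around it, but since other code reads chan->src/dst, a comment saying so is worth adding.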
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 4853f1b33449..6d34d8470a80 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -43,7 +43,8 @@ static struct bt_sock_list l2cap_sk_list = {
static const struct proto_ops l2cap_sock_ops;
static void l2cap_sock_init(struct sock *sk, struct sock *parent);
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
- int proto, gfp_t prio, int kern);
+ int proto, gfp_t prio, int kern,
+ struct l2cap_chan *chan);
static void l2cap_sock_cleanup_listen(struct sock *parent);
bool l2cap_is_socket(struct socket *sock)
@@ -1284,6 +1285,23 @@ static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg,
return err;
}
+/* Release the sock's ref on chan and clear the pointer so that the ref is
+ * dropped exactly once even if both l2cap_sock_kill() and
+ * l2cap_sock_destruct() run. Setting chan->data to NULL first stops any other
+ * task from dereferencing the now-dead sock pointer.
+ */
+static void l2cap_sock_put_chan(struct sock *sk)
+{
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+
+ if (!chan)
+ return;
+
+ chan->data = NULL;
+ l2cap_pi(sk)->chan = NULL;
+ l2cap_chan_put(chan);
+}
+
/* Kill socket (only if zapped and orphan)
* Must be called on unlocked socket, with l2cap channel lock.
*/
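Review bot: l2cap_sock_put_chan() reads and clears l2cap_pi(sk)->chan to make the put idempotent between l2cap_sock_kill() and l2cap_sock_destruct(), but nothing in the helper says what serialises those two callers (kill is documented as running with the channel lock, destruct runs when the sock is freed); state the lock or ordering assumption in the comment, since an unserialised pair could both observe a non-NULL chan and put twice.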
@@ -1294,13 +1312,9 @@ static void l2cap_sock_kill(struct sock *sk)
BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
- /* Sock is dead, so set chan data to NULL, avoid other task use invalid
- * sock pointer.
- */
- l2cap_pi(sk)->chan->data = NULL;
- /* Kill poor orphan */
+ l2cap_sock_put_chan(sk);
- l2cap_chan_put(l2cap_pi(sk)->chan);
+ /* Kill poor orphan */
sock_set_flag(sk, SOCK_DEAD);
sock_put(sk);
}
@@ -1543,12 +1557,13 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
}
}
-static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
+static int l2cap_sock_new_connection_cb(struct l2cap_chan *chan,
+ struct l2cap_chan *new_chan)
{
struct sock *sk, *parent = chan->data;
if (!parent)
- return NULL;
+ return -EINVAL;
lock_sock(parent);
@@ -1556,25 +1571,28 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
if (sk_acceptq_is_full(parent)) {
BT_DBG("backlog full %d", parent->sk_ack_backlog);
release_sock(parent);
- return NULL;
+ return -ENOBUFS;
}
sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
- GFP_ATOMIC, 0);
+ GFP_ATOMIC, 0, new_chan);
if (!sk) {
release_sock(parent);
- return NULL;
- }
+ return -ENOMEM;
+ }
bt_sock_reclassify_lock(sk, BTPROTO_L2CAP);
l2cap_sock_init(sk, parent);
+ /* The conn list reference taken by l2cap_new_connection() keeps new_chan
+ * alive once release_sock() lets another task free this socket.
+ */
bt_accept_enqueue(parent, sk, false);
release_sock(parent);
- return l2cap_pi(sk)->chan;
+ return 0;
}
static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
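Review bot: this hunk never points new_chan->data at sk, and l2cap_sock_alloc() only stores chan in l2cap_pi(sk); if that assignment happens in l2cap_sock_init() it is fine, otherwise bt_accept_enqueue() exposes a socket whose channel still has a NULL data pointer. Worth confirming in the commit message, since chan->data being NULL is exactly the condition l2cap_sock_put_chan() uses to mean "sock is dead".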
@@ -1871,10 +1889,7 @@ static void l2cap_sock_destruct(struct sock *sk)
BT_DBG("sk %p", sk);
- if (l2cap_pi(sk)->chan) {
- l2cap_pi(sk)->chan->data = NULL;
- l2cap_chan_put(l2cap_pi(sk)->chan);
- }
+ l2cap_sock_put_chan(sk);
list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) {
kfree_skb(rx_busy->skb);
@@ -1907,30 +1922,12 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
BT_DBG("sk %p", sk);
if (parent) {
- struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
-
sk->sk_type = parent->sk_type;
bt_sk(sk)->flags = bt_sk(parent)->flags;
- chan->chan_type = pchan->chan_type;
- chan->imtu = pchan->imtu;
- chan->omtu = pchan->omtu;
- chan->conf_state = pchan->conf_state;
- chan->mode = pchan->mode;
- chan->fcs = pchan->fcs;
- chan->max_tx = pchan->max_tx;
- chan->tx_win = pchan->tx_win;
- chan->tx_win_max = pchan->tx_win_max;
- chan->sec_level = pchan->sec_level;
- chan->flags = pchan->flags;
- chan->tx_credits = pchan->tx_credits;
- chan->rx_credits = pchan->rx_credits;
-
- if (chan->chan_type == L2CAP_CHAN_FIXED) {
- chan->scid = pchan->scid;
- chan->dcid = pchan->scid;
- }
-
+ /* Channel configuration is inherited from the parent by
+ * l2cap_new_connection().
+ */
security_sk_clone(parent, sk);
} else {
switch (sk->sk_type) {
@@ -1956,7 +1953,7 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent)
chan->mode = L2CAP_MODE_BASIC;
}
- l2cap_chan_set_defaults(chan);
+ l2cap_chan_set_defaults(chan, NULL);
}
/* Default config options */
@@ -1975,10 +1972,10 @@ static struct proto l2cap_proto = {
};
static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
- int proto, gfp_t prio, int kern)
+ int proto, gfp_t prio, int kern,
+ struct l2cap_chan *chan)
{
struct sock *sk;
- struct l2cap_chan *chan;
sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
if (!sk)
@@ -1989,16 +1986,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy);
- chan = l2cap_chan_create();
- if (!chan) {
- sk_free(sk);
- if (sock)
- sock->sk = NULL;
- return NULL;
- }
-
- l2cap_chan_hold(chan);
-
+ /* The sock takes ownership of the caller's reference on chan. */
l2cap_pi(sk)->chan = chan;
return sk;
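Review bot: dropping the l2cap_chan_hold() here changes the accounting for accepted children from three references (create, sock hold, conn list) to two (create, now owned by the sock, plus conn list), matched on the release side by l2cap_sock_put_chan() putting once; that is the "one assignment one reference" rule from the cover letter, but the function comment should say the caller must pass a channel it owns a reference to, and a NULL chan should probably be rejected rather than stored.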
@@ -2008,6 +1996,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
int kern)
{
struct sock *sk;
+ struct l2cap_chan *chan;
BT_DBG("sock %p", sock);
@@ -2022,10 +2011,16 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
sock->ops = &l2cap_sock_ops;
- sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
- if (!sk)
+ chan = l2cap_chan_create();
+ if (!chan)
return -ENOMEM;
+ sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern, chan);
+ if (!sk) {
+ l2cap_chan_put(chan);
+ return -ENOMEM;
+ }
+
l2cap_sock_init(sk, NULL);
bt_sock_link(&l2cap_sk_list, sk);
return 0;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 031d3022cb1e..c4470958b0d5 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -3201,34 +3201,19 @@ static const struct l2cap_ops smp_chan_ops = {
.get_sndtimeo = l2cap_chan_no_get_sndtimeo,
};
-static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
+static inline int smp_new_conn_cb(struct l2cap_chan *chan,
+ struct l2cap_chan *new_chan)
{
- struct l2cap_chan *chan;
-
- BT_DBG("pchan %p", pchan);
-
- chan = l2cap_chan_create();
- if (!chan)
- return NULL;
-
- chan->chan_type = pchan->chan_type;
- chan->ops = &smp_chan_ops;
- chan->scid = pchan->scid;
- chan->dcid = chan->scid;
- chan->imtu = pchan->imtu;
- chan->omtu = pchan->omtu;
- chan->mode = pchan->mode;
+ new_chan->ops = &smp_chan_ops;
/* Other L2CAP channels may request SMP routines in order to
* change the security level. This means that the SMP channel
* lock must be considered in its own category to avoid lockdep
* warnings.
*/
- atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
-
- BT_DBG("created chan %p", chan);
+ atomic_set(&new_chan->nesting, L2CAP_NESTING_SMP);
- return chan;
+ return 0;
}
static const struct l2cap_ops smp_root_chan_ops = {
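Review bot: the removed body copied scid/dcid/imtu/omtu/mode from pchan unconditionally; l2cap_chan_set_defaults(chan, pchan) copies scid/dcid only when chan_type == L2CAP_CHAN_FIXED, so SMP now depends on its root channel being fixed (presumably set up in smp_add_cid()) to get its CIDs; a comment here noting that dependency would help. Also `new_chan->ops = &smp_chan_ops;` deliberately overrides the pchan->ops copy done by l2cap_new_connection(), because the root uses smp_root_chan_ops; say so, since at first glance it looks redundant.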
@@ -3288,7 +3273,7 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
l2cap_add_scid(chan, cid);
- l2cap_chan_set_defaults(chan);
+ l2cap_chan_set_defaults(chan, NULL);
if (cid == L2CAP_CID_SMP) {
u8 bdaddr_type;
--
2.54.0
^ permalink raw reply related
* [PATCH v11 0/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
From: Siwei Zhang @ 2026-06-12 14:34 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, Siwei Zhang
Compared to v2, addresses comments on https://sashiko.dev/#/patchset/20260415204842.2363950-1-oss%40fourdim.xyz .
Compared to v3, rebase against bluetooth-next.
Compared to v4, allocate the channel outside the function and pass it in as an argument to avoid the use-after-free.
Compared to v5, extract the channel init to a separate function.
Compared to v6, balance puts and holds on chans.
Compared to v7, rebase against bluetooth-next and refactor the chan refcounting.
Compared to v8, adopt the philosophy of one assignment one reference. Make refcounting easier to follow.
Compared to v9, rework on l2cap_chan_set_defaults so that new chan's default comes from pchan and
can be used by __l2cap_chan_add.
Compared to v10, rebase against bluetooth-next.
Siwei Zhang (1):
Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb()
include/net/bluetooth/l2cap.h | 10 ++--
net/bluetooth/6lowpan.c | 18 +-----
net/bluetooth/l2cap_core.c | 78 ++++++++++++++++++++-----
net/bluetooth/l2cap_sock.c | 103 ++++++++++++++++------------------
net/bluetooth/smp.c | 27 ++-------
5 files changed, 127 insertions(+), 109 deletions(-)
--
2.54.0
^ permalink raw reply
* Re: [PATCH v2 2/7] dt-bindings: bluetooth: qcom,wcn6750-bt: Document WCN6755 Bluetooth
From: Luca Weiss @ 2026-06-12 14:33 UTC (permalink / raw)
To: Luca Weiss, Bjorn Andersson, Konrad Dybcio, Rob Herring,
Krzysztof Kozlowski, Conor Dooley, Alexander Koskovich,
Liam Girdwood, Mark Brown, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
Johannes Berg, Jeff Johnson
Cc: ~postmarketos/upstreaming, phone-devel, linux-arm-msm,
linux-kernel, devicetree, linux-bluetooth, linux-wireless, ath11k
In-Reply-To: <20260403-milos-fp6-bt-wifi-v2-2-393322b27c5f@fairphone.com>
Hi Luiz,
On Fri Apr 3, 2026 at 3:52 PM CEST, Luca Weiss wrote:
> Document the WCN6755 Bluetooth using a fallback to WCN6750 since the two
> chips seem to be completely pin and software compatible. In fact the
> original downstream kernel just pretends the WCN6755 is a WCN6750.
Could you please pick up this patch (or provide an Ack if you want Bjorn
to pick this up with the rest of the series).
Regards
Luca
>
> Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
> ---
> .../devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml
> index 8606a45ac9b9..79522409d709 100644
> --- a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml
> +++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6750-bt.yaml
> @@ -12,8 +12,14 @@ maintainers:
>
> properties:
> compatible:
> - enum:
> - - qcom,wcn6750-bt
> + oneOf:
> + - items:
> + - enum:
> + - qcom,wcn6755-bt
> + - const: qcom,wcn6750-bt
> +
> + - enum:
> + - qcom,wcn6750-bt
>
> enable-gpios:
> maxItems: 1
^ permalink raw reply
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox