Linux bluetooth development
* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: Luiz Augusto von Dentz @ 2026-06-23 14:30 UTC (permalink / raw)
  To: Bastien Nocera; +Cc: linux-bluetooth
In-Reply-To: <95343429b8f06e1c88e2c642471f6f8495e11280.camel@hadess.net>

Hi Bastien,

On Tue, Jun 23, 2026 at 8:18 AM Bastien Nocera <hadess@hadess.net> wrote:
>
> On Mon, 2026-06-22 at 11:56 -0400, Luiz Augusto von Dentz wrote:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > Codec capability is one byte long (max 255) the storage format is
> > 02hhx which means each byte ends up as 2 characters so the buffer
> > needs to be doubled in order to handle capabilities of that size.
> >
> > Reported-by:  p0her (_@p0her_) in TeamH4C working with TrendAI Zero
> > Day Initiative
> > Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
> > ---
> >  profiles/audio/a2dp.c | 10 +++++-----
> >  1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> > index a5e002784c02..c8adc3122563 100644
> > --- a/profiles/audio/a2dp.c
> > +++ b/profiles/audio/a2dp.c
> > @@ -971,7 +971,7 @@ static void store_remote_sep(void *data, void
> > *user_data)
> >  {
> >       struct a2dp_remote_sep *sep = data;
> >       GKeyFile *key_file = user_data;
> > -     char seid[4], value[256];
> > +     char seid[4], value[9 + 512];
>
> What's the "9" value from? Shouldn't it be 11 for the length of:
> "%02hhx:%02hhx:%02hhx:"

3 * 2 (%02hhx) + 3 (:) = 9

> The "Try loading with delay_reporting first" variant?
>
> >       struct avdtp_service_capability *service =
> > avdtp_get_codec(sep->sep);
> >       struct avdtp_media_codec_capability *codec;
> >       unsigned int i;
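Review bot: The new size in `value[9 + 512]` is two bare literals, and the 9 is already being questioned in this thread. Please build it from named constants, or add a comment spelling out the 3 * 2 hex digits plus 3 colons of the prefix, the two characters per capability byte and the terminating NUL, so this store-side buffer stays in step with `caps[513]` and `%512s` on the load side.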
> > @@ -2373,7 +2373,7 @@ static void load_remote_sep(struct a2dp_channel
> > *chan, GKeyFile *key_file,
> >               uint8_t codec;
> >               uint8_t delay_reporting;
> >               GSList *l = NULL;
> > -             char caps[256];
> > +             char caps[513];
> >               uint8_t data[128];
> >               int i, size;
> >
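Review bot: `caps` grows to 513 bytes here, but the unchanged `uint8_t data[128];` on the next line does not. The decode loop later in load_remote_sep() writes to `data + i / 2` for every pair of characters in `caps`, so a 512-character string needs 256 bytes of `data`. Please size `data` from the same limit as `caps`, or bound the loop by sizeof(data).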
> > @@ -2386,10 +2386,10 @@ static void load_remote_sep(struct
> > a2dp_channel *chan, GKeyFile *key_file,
> >                       continue;
> >
> >               /* Try loading with delay_reporting first */
> > -             if (sscanf(value, "%02hhx:%02hhx:%02hhx:%s", &type,
> > &codec,
> > +             if (sscanf(value, "%02hhx:%02hhx:%02hhx:%512s",
> > &type, &codec,
> >                                       &delay_reporting, caps) !=
> > 4) {
> >                       /* Try old format */
> > -                     if (sscanf(value, "%02hhx:%02hhx:%s", &type,
> > &codec,
> > +                     if (sscanf(value, "%02hhx:%02hhx:%512s",
> > &type, &codec,
> >                                                               caps
> > ) != 3) {
> >                               warn("Unable to load Endpoint: seid
> > %u", rseid);
> >                               g_free(value);
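Review bot: With `%512s` in both sscanf() calls, a stored value whose capability string is longer than 512 characters is cut at 512 and the call still reports a successful match, so the truncated string is decoded as if it were complete. Consider rejecting over-long input instead, for example by checking the length of the field in `value` before scanning. The width also has to be kept in sync by hand with `char caps[513]`; a shared constant would avoid that.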
> > @@ -2398,7 +2398,7 @@ static void load_remote_sep(struct a2dp_channel
> > *chan, GKeyFile *key_file,
> >                       delay_reporting = false;
> >               }
> >
> > -             for (i = 0, size = strlen(caps); i < size; i += 2) {
> > +             for (i = 0, size = strlen(caps); i < size && i >= 2;
> > i += 2) {
> >                       uint8_t *tmp = data + i / 2;
> >
> >                       if (sscanf(caps + i, "%02hhx", tmp) != 1) {
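Review bot: The new loop condition `i < size && i >= 2` is false on the first iteration because `i` starts at 0, so the body never runs and no capability bytes are decoded into `data`. If the intent is to skip strings shorter than one hex pair, test `size` rather than `i` (for example `size >= 2`), or use `i + 1 < size` to also stop before a trailing odd character.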



-- 
Luiz Augusto von Dentz

^ permalink raw reply
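
The sizing arithmetic discussed in this thread (3 * 2 hex digits + 3 colons = 9 prefix characters, two characters per capability byte), as an added example that is not BlueZ code. `struct sep_record`, `format_sep_value()` and `parse_sep_value()` are hypothetical names; the 255-byte limit is the one stated in the commit message, and the example goes beyond the patch by rejecting odd-length and over-long input instead of truncating it.

```c
/* Added example (not BlueZ code): bounded store/load of "tt:cc:dd:<hex caps>". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAPS_MAX_BYTES 255            /* limit stated in the commit message */
#define PREFIX_LEN     (3 * 2 + 3)    /* three "%02hhx" fields + three ':' = 9 */
#define VALUE_MAX      (PREFIX_LEN + 2 * CAPS_MAX_BYTES + 1)  /* 520 with NUL */

struct sep_record {                   /* hypothetical container */
	uint8_t type, codec, delay_reporting;
	uint8_t caps[CAPS_MAX_BYTES];
	size_t caps_len;
};

static int hex_val(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Decode exactly two hex digits; never reads past a NUL. */
static int hex_byte(const char *s, uint8_t *out)
{
	int hi = hex_val(s[0]);
	int lo = hi < 0 ? -1 : hex_val(s[1]);

	if (lo < 0)
		return -1;
	*out = (uint8_t)((hi << 4) | lo);
	return 0;
}

/* Store side: returns the string length, or -1 if buf cannot hold it. */
int format_sep_value(const struct sep_record *r, char *buf, size_t buflen)
{
	size_t i, off;

	if (r->caps_len > CAPS_MAX_BYTES ||
	    PREFIX_LEN + 2 * r->caps_len + 1 > buflen)
		return -1;
	off = (size_t)snprintf(buf, buflen, "%02hhx:%02hhx:%02hhx:",
			       r->type, r->codec, r->delay_reporting);
	for (i = 0; i < r->caps_len; i++)
		off += (size_t)snprintf(buf + off, buflen - off, "%02hhx",
					r->caps[i]);
	return (int)off;
}

/* Load side: accepts the three-field and the old two-field header.
 * Returns 0 on success, -1 on malformed or over-long input. */
int parse_sep_value(const char *value, struct sep_record *out)
{
	uint8_t f[3] = { 0 };
	size_t nfields = 0, len, i;
	const char *p = value;

	while (nfields < 3 && hex_byte(p, &f[nfields]) == 0 && p[2] == ':') {
		p += 3;
		nfields++;
	}
	if (nfields < 2)
		return -1;

	len = strlen(p);
	/* Reject rather than truncate: empty, odd, or more than caps[] holds. */
	if (len == 0 || len % 2 || len / 2 > sizeof(out->caps))
		return -1;
	for (i = 0; i < len; i += 2)
		if (hex_byte(p + i, &out->caps[i / 2]) != 0)
			return -1;

	out->type = f[0];
	out->codec = f[1];
	out->delay_reporting = nfields == 3 ? f[2] : 0;
	out->caps_len = len / 2;
	return 0;
}

int main(void)
{
	struct sep_record r = { .type = 1, .codec = 0xff,
				.caps_len = CAPS_MAX_BYTES }, back;
	char old_size[256], fixed[VALUE_MAX];
	int rc;

	memset(r.caps, 0xab, sizeof(r.caps));   /* constructed sample data */
	printf("256-byte buffer: %d\n",
	       format_sep_value(&r, old_size, sizeof(old_size)));
	printf("%d-byte buffer: %d\n", VALUE_MAX,
	       format_sep_value(&r, fixed, sizeof(fixed)));
	rc = parse_sep_value(fixed, &back);
	printf("round trip: rc=%d caps_len=%zu\n", rc,
	       rc == 0 ? back.caps_len : (size_t)0);
	return 0;
}
```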

* Re: [PATCH V2 3/8] Bluetooth: btnxpuart: Add M.2 Bluetooth device support using pwrseq
From: Frank Li @ 2026-06-23 14:24 UTC (permalink / raw)
  To: Sherry Sun (OSS)
  Cc: robh, krzk+dt, conor+dt, Frank.Li, s.hauer, kernel, festevam,
	amitkumar.karwar, neeraj.sanjaykale, marcel, luiz.dentz,
	hongxing.zhu, l.stach, lpieralisi, kwilczynski, mani, bhelgaas,
	brgl, imx, linux-pci, linux-arm-kernel, devicetree, linux-kernel,
	linux-bluetooth, linux-pm, sherry.sun
In-Reply-To: <20260623030736.1421537-4-sherry.sun@oss.nxp.com>

On Tue, Jun 23, 2026 at 11:07:30AM +0800, Sherry Sun (OSS) wrote:
> From: Sherry Sun <sherry.sun@nxp.com>
>
> Power supply to the M.2 Bluetooth device attached to the host using M.2
> connector is controlled using the 'uart' pwrseq device. So add support for
> getting the pwrseq device if the OF graph link is present. Once obtained,
> pwrseq_power_on() is called to power up the M.2 Bluetooth card. The power
> sequencer descriptor is obtained via devm_pwrseq_get(), so the power-off
> and cleanup are handled automatically when the device is unbound.
>
> Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
> ---

Reviewed-by: Frank Li <Frank.Li@nxp.com>

>  drivers/bluetooth/btnxpuart.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
> index e7036a48ce48..438ccaa2b56d 100644
> --- a/drivers/bluetooth/btnxpuart.c
> +++ b/drivers/bluetooth/btnxpuart.c
> @@ -9,6 +9,8 @@
>
>  #include <linux/serdev.h>
>  #include <linux/of.h>
> +#include <linux/of_graph.h>
> +#include <linux/pwrseq/consumer.h>
>  #include <linux/skbuff.h>
>  #include <linux/unaligned.h>
>  #include <linux/firmware.h>
> @@ -1866,6 +1868,18 @@ static int nxp_serdev_probe(struct serdev_device *serdev)
>  		return err;
>  	}
>
> +	if (of_graph_is_present(dev_of_node(&serdev->ctrl->dev))) {
> +		struct pwrseq_desc *pwrseq;
> +
> +		pwrseq = devm_pwrseq_get(&serdev->ctrl->dev, "uart");
> +		if (IS_ERR(pwrseq))
> +			return PTR_ERR(pwrseq);
> +
> +		err = pwrseq_power_on(pwrseq);
> +		if (err)
> +			return err;
> +	}
> +
>  	/* Initialize and register HCI device */
>  	hdev = hci_alloc_dev();
>  	if (!hdev) {
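Review bot: `devm_pwrseq_get(&serdev->ctrl->dev, "uart")` attaches the managed resource to the serdev controller's device, not to the `serdev` device that nxp_serdev_probe() is binding. The commit message says power-off and cleanup happen automatically when the device is unbound, but with this call the release follows the controller's lifetime, so unbinding this driver, or a failure later in probe such as `hci_alloc_dev()` returning NULL, would not release the sequencer. Please either tie the release to `&serdev->dev` or add a comment explaining why the controller device is the right owner.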
> --
> 2.50.1
>
>

^ permalink raw reply

* RE: Bluetooth: btusb: Add IMC Networks MT7922 device 0x13d3:0x3625
From: bluez.test.bot @ 2026-06-23 12:46 UTC (permalink / raw)
  To: linux-bluetooth, monesss315
In-Reply-To: <20260623114937.6385-1-monesss315@gmail.com>

This is an automated email. Please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1115344

---Test result---

Test Summary:
CheckPatch                    PASS      0.91 seconds
VerifyFixes                   PASS      0.15 seconds
VerifySignedoff               PASS      0.17 seconds
GitLint                       PASS      0.46 seconds
SubjectPrefix                 PASS      0.23 seconds
BuildKernel                   PASS      19.93 seconds
CheckAllWarning               PASS      21.83 seconds
CheckSparse                   PASS      27.75 seconds
BuildKernel32                 PASS      19.44 seconds
CheckKernelLLVM               SKIP      0.00 seconds
TestRunnerSetup               PASS      417.08 seconds
IncrementalBuild              PASS      19.35 seconds

Details
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found


https://github.com/bluez/bluetooth-next/pull/339

---
Regards,
Linux Bluetooth


^ permalink raw reply

* Re: [PATCH] crypto: af_alg - Document the deprecation of AF_ALG
From: Bastien Nocera @ 2026-06-23 12:44 UTC (permalink / raw)
  To: Eric Biggers, linux-crypto, Herbert Xu, Marcel Holtmann,
	Luiz Augusto von Dentz
  Cc: linux-doc, linux-api, linux-kernel, netdev, Linus Torvalds,
	linux-bluetooth, ell
In-Reply-To: <20260430011544.31823-1-ebiggers@kernel.org>

Hey,

Replying to this older patch.

On Wed, 2026-04-29 at 18:15 -0700, Eric Biggers wrote:
<snip>
> This isn't intended to change anything overnight.  After all, most Linux
> distros won't be able to disable the kconfig options quite yet, mainly
> because of iwd.  But this should create a bit more impetus for these
> userspace programs to be fixed, and the documentation update should also
> help prevent more users from appearing.

There are 2 other users that I know of: bluez, and the ell library
(used by iwd and bluez).

From what I could tell, bluetoothd uses AF_ALG for cryptography:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/src/shared/crypto.c
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/tools/mesh-gatt/crypto.c

It uses "ecb(aes)" and "cmac(aes)" as algorithms.

Finally, it also uses them both again:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/mesh/crypto.c
through ell:
https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/cipher.c

Because that's a question that also came up, bluetoothd also uses the
CAP_NET_ADMIN capability.

I'll let Luiz and Marcel take it over from here.

Cheers

^ permalink raw reply

* Re: [PATCH BlueZ v2] a2dp: Fix handling of codec capability storage
From: Bastien Nocera @ 2026-06-23 12:18 UTC (permalink / raw)
  To: Luiz Augusto von Dentz, linux-bluetooth
In-Reply-To: <20260622155621.675255-1-luiz.dentz@gmail.com>

On Mon, 2026-06-22 at 11:56 -0400, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> Codec capability is one byte long (max 255) the storage format is
> 02hhx which means each byte ends up as 2 characters so the buffer
> needs to be doubled in order to handle capabilities of that size.
> 
> Reported-by:  p0her (_@p0her_) in TeamH4C working with TrendAI Zero
> Day Initiative
> Reported-by: Michael Bommarito <michael.bommarito@gmail.com>
> ---
>  profiles/audio/a2dp.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> index a5e002784c02..c8adc3122563 100644
> --- a/profiles/audio/a2dp.c
> +++ b/profiles/audio/a2dp.c
> @@ -971,7 +971,7 @@ static void store_remote_sep(void *data, void
> *user_data)
>  {
>  	struct a2dp_remote_sep *sep = data;
>  	GKeyFile *key_file = user_data;
> -	char seid[4], value[256];
> +	char seid[4], value[9 + 512];

What's the "9" value from? Shouldn't it be 11 for the length of:
"%02hhx:%02hhx:%02hhx:"
The "Try loading with delay_reporting first" variant?

>  	struct avdtp_service_capability *service =
> avdtp_get_codec(sep->sep);
>  	struct avdtp_media_codec_capability *codec;
>  	unsigned int i;
> @@ -2373,7 +2373,7 @@ static void load_remote_sep(struct a2dp_channel
> *chan, GKeyFile *key_file,
>  		uint8_t codec;
>  		uint8_t delay_reporting;
>  		GSList *l = NULL;
> -		char caps[256];
> +		char caps[513];
>  		uint8_t data[128];
>  		int i, size;
>  
> @@ -2386,10 +2386,10 @@ static void load_remote_sep(struct
> a2dp_channel *chan, GKeyFile *key_file,
>  			continue;
>  
>  		/* Try loading with delay_reporting first */
> -		if (sscanf(value, "%02hhx:%02hhx:%02hhx:%s", &type,
> &codec,
> +		if (sscanf(value, "%02hhx:%02hhx:%02hhx:%512s",
> &type, &codec,
>  					&delay_reporting, caps) !=
> 4) {
>  			/* Try old format */
> -			if (sscanf(value, "%02hhx:%02hhx:%s", &type,
> &codec,
> +			if (sscanf(value, "%02hhx:%02hhx:%512s",
> &type, &codec,
>  								caps
> ) != 3) {
>  				warn("Unable to load Endpoint: seid
> %u", rseid);
>  				g_free(value);
> @@ -2398,7 +2398,7 @@ static void load_remote_sep(struct a2dp_channel
> *chan, GKeyFile *key_file,
>  			delay_reporting = false;
>  		}
>  
> -		for (i = 0, size = strlen(caps); i < size; i += 2) {
> +		for (i = 0, size = strlen(caps); i < size && i >= 2;
> i += 2) {
>  			uint8_t *tmp = data + i / 2;
>  
>  			if (sscanf(caps + i, "%02hhx", tmp) != 1) {

^ permalink raw reply

* [PATCH] Bluetooth: btusb: Add IMC Networks MT7922 device 0x13d3:0x3625
From: monesss315 @ 2026-06-23 11:49 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: marcel, Gustavo Evgucci

From: Gustavo Evgucci <monesss315@gmail.com>

The IMC Networks MT7922 Bluetooth adapter with USB ID 13d3:3625 is not
recognized as a MediaTek device because it is missing from the btusb
device ID table. As a result, btmtk firmware loading is never triggered
and the HCI reset command times out with -ETIMEDOUT.

Add the device with BTUSB_MEDIATEK | BTUSB_WIDEBAND_SPEECH flags,
consistent with the neighboring 13d3:3627, 13d3:3628 and 13d3:3630
entries which use the same chip.

Tested on: MediaTek MT7922 (Wi-Fi 6E combo card, IMC Networks BT USB
interface), kernel 7.0.11-arch1-1.

Signed-off-by: Gustavo Evgucci <monesss315@gmail.com>
---
 drivers/bluetooth/btusb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -755,6 +755,8 @@ static const struct usb_device_id btusb_table[] = {
 						     BTUSB_WIDEBAND_SPEECH },
 	{ USB_DEVICE(0x13d3, 0x3613), .driver_info = BTUSB_MEDIATEK |
 						     BTUSB_WIDEBAND_SPEECH },
+	{ USB_DEVICE(0x13d3, 0x3625), .driver_info = BTUSB_MEDIATEK |
+						     BTUSB_WIDEBAND_SPEECH },
 	{ USB_DEVICE(0x13d3, 0x3627), .driver_info = BTUSB_MEDIATEK |
 						     BTUSB_WIDEBAND_SPEECH },
 	{ USB_DEVICE(0x13d3, 0x3628), .driver_info = BTUSB_MEDIATEK |
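Review bot: The diff header above this hunk has no `index` line and the patch trailer reads `2.x.x`, which suggests the patch was edited by hand rather than sent as produced by git format-patch; please resend the unmodified output so the blob hashes and tool version are preserved. The `0x3625` entry itself sits in ID order and carries the same flags as its neighbours.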
-- 
2.x.x

^ permalink raw reply

* [bluez/bluez] c62fba: shared/rap: Fix step payload pointer in parse_step
From: prathibhamadugonde @ 2026-06-23 11:47 UTC (permalink / raw)
  To: linux-bluetooth

  Branch: refs/heads/1115319
  Home:   https://github.com/bluez/bluez
  Commit: c62fba1e317d2fd3e80682726ddf4a275db2ae85
      https://github.com/bluez/bluez/commit/c62fba1e317d2fd3e80682726ddf4a275db2ae85
  Author: Prathibha Madugonde <prathibha.madugonde@oss.qualcomm.com>
  Date:   2026-06-23 (Tue, 23 Jun 2026)

  Changed paths:
    M src/shared/rap.c

  Log Message:
  -----------
  shared/rap: Fix step payload pointer in parse_step

util_iov_pull advances iov_base before returning the new pointer, so
mode_iov.iov_base was set to the start of the *next* step's data.
Every step was therefore parsed using its successor's bytes.

Switch to util_iov_pull_mem which saves the original base, advances
iov, and returns the pre-advance pointer — correctly pointing to the
current step's payload.




^ permalink raw reply

* [PATCH BlueZ v1] shared/rap: Fix step payload pointer in parse_step
From: Prathibha Madugonde @ 2026-06-23 11:11 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, quic_mohamull, quic_hbandi, quic_anubhavg

From: Prathibha Madugonde <prathibha.madugonde@oss.qualcomm.com>

util_iov_pull advances iov_base before returning the new pointer, so
mode_iov.iov_base was set to the start of the *next* step's data.
Every step was therefore parsed using its successor's bytes.

Switch to util_iov_pull_mem which saves the original base, advances
iov, and returns the pre-advance pointer — correctly pointing to the
current step's payload.
---
 src/shared/rap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/rap.c b/src/shared/rap.c
index ecf7df5a7..dfb272d3a 100644
--- a/src/shared/rap.c
+++ b/src/shared/rap.c
@@ -2326,7 +2326,7 @@ static bool parse_step(struct bt_rap *rap, struct iovec *iov,
 	DBG(rap, "  Step %u: mode=%u payload_len=%zu",
 	    step_idx, step_mode, step_payload_len);
 
-	payload = util_iov_pull(iov, step_payload_len);
+	payload = util_iov_pull_mem(iov, step_payload_len);
 	if (!payload) {
 		DBG(rap, "Insufficient data for step %u payload "
 			"(need %zu, have %zu)",
-- 
2.34.1
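
Review bot: The commit message has no `Fixes:` tag and does not say what the old `util_iov_pull()` call meant for the last step in a buffer, where a pointer to the next step's data would sit at the end of the received bytes. Please name the commit that introduced the call, state whether the old code could read past the end of the data, and consider a unit test with at least two steps so the payload offset is checked.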


^ permalink raw reply related
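
The pointer semantics described in the commit message, as an added example that is not BlueZ code. `pull_new_base()` and `pull_old_base()` are stand-ins that model the behaviour the message attributes to `util_iov_pull` and `util_iov_pull_mem`; the `[mode][len][payload]` step layout and the sample bytes are constructed for illustration. The walker records where each step's payload pointer lands and whether `payload_len` bytes from there stay inside the buffer, without dereferencing the pointer.

```c
/* Added example (not BlueZ code): why the returned pointer matters. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

typedef void *(*pull_fn)(struct iovec *iov, size_t len);

/* Stand-in for the behaviour the commit message attributes to
 * util_iov_pull: advance the cursor, then return the NEW base. */
static void *pull_new_base(struct iovec *iov, size_t len)
{
	if (iov->iov_len < len)
		return NULL;
	iov->iov_base = (uint8_t *)iov->iov_base + len;
	iov->iov_len -= len;
	return iov->iov_base;
}

/* Stand-in for util_iov_pull_mem as described: remember the old base,
 * advance, return the OLD base (the bytes just consumed). */
static void *pull_old_base(struct iovec *iov, size_t len)
{
	void *start = iov->iov_base;

	return pull_new_base(iov, len) ? start : NULL;
}

/* Constructed sample: two steps laid out as [mode][len][payload...]. */
static const uint8_t sample[] = {
	0x01, 0x02, 0xaa, 0xbb,          /* step 0: mode 1, 2 payload bytes */
	0x02, 0x03, 0xcc, 0xdd, 0xee,    /* step 1: mode 2, 3 payload bytes */
};

/* Walk the steps using `pull` for the payload. For each step, record the
 * offset of the payload pointer and whether plen bytes from that offset
 * are still inside buf. Returns the number of steps walked. */
size_t walk_steps(const uint8_t *buf, size_t len, pull_fn pull,
		  size_t *payload_off, int *in_bounds, size_t max_steps)
{
	struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
	size_t n = 0;

	while (iov.iov_len >= 2 && n < max_steps) {
		const uint8_t *hdr = pull_old_base(&iov, 2);
		size_t plen = hdr[1];
		const uint8_t *payload = pull(&iov, plen);

		if (!payload)
			break;                   /* truncated step */
		payload_off[n] = (size_t)(payload - buf);
		in_bounds[n] = payload_off[n] + plen <= len;
		n++;
	}
	return n;
}

int main(void)
{
	size_t off[4], i, n;
	int ok[4];

	n = walk_steps(sample, sizeof(sample), pull_new_base, off, ok, 4);
	for (i = 0; i < n; i++)
		printf("new base: step %zu payload at %zu, in bounds %d\n",
		       i, off[i], ok[i]);

	n = walk_steps(sample, sizeof(sample), pull_old_base, off, ok, 4);
	for (i = 0; i < n; i++)
		printf("old base: step %zu payload at %zu, in bounds %d\n",
		       i, off[i], ok[i]);
	return 0;
}
```

With the new-base helper, step 0's pointer lands on step 1's header and step 1's pointer lands at the end of the buffer; with the old-base helper both point at their own payload.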

* Re: [PATCH 08/13] Bluetooth: hci_sync: Fix return value of hci_reset_sync()
From: Zijun Hu @ 2026-06-23 10:48 UTC (permalink / raw)
  To: Luiz Augusto von Dentz
  Cc: Marcel Holtmann, Rocky Liao, Bartosz Golaszewski,
	Ben Young Tae Kim, Balakrishna Godavarthi, Matthias Kaehlcke,
	Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm
In-Reply-To: <CABBYNZ+z6XcZXejs18fbX-MSFBmaGC0Reoqn549N-8sn==z2Ug@mail.gmail.com>

On 6/22/2026 11:35 PM, Luiz Augusto von Dentz wrote:
>> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
>> index fce9f9526cb5..601d44ef975f 100644
>> --- a/net/bluetooth/hci_sync.c
>> +++ b/net/bluetooth/hci_sync.c
>> @@ -3678,8 +3678,10 @@ int hci_reset_sync(struct hci_dev *hdev)
>>
>>         err = __hci_cmd_sync_status(hdev, HCI_OP_RESET, 0, NULL,
>>                                     HCI_CMD_TIMEOUT);
>> +       if (err < 0)
>> +               return err;
>>
>> -       return err;
>> +       return -bt_to_errno(err);
>>  }
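Review bot: After the added `if (err < 0) return err;`, the success case `err == 0` also flows into `return -bt_to_errno(err);`, so a successful reset depends on bt_to_errno() mapping status 0 to 0. Returning early with `if (err <= 0)` would keep the success path explicit and leave the conversion for positive HCI status codes only.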
> There seem to be 2 consecutive changes to hci_reset_sync that conflict
> with each other, also the expectation should be that positive errors
> are HCI errors and negative errors are stack generated ones, so the
> callers should really check `err` and not `err < 0`.

  Hi Luiz,

  Checking the full call chains:

  - hci_reset_sync() → hci_init0_sync() [if (err)] → hci_unconf_init_sync() [if (err < 0)]
  - hci_reset_sync() → hci_init1_sync() [if (err)] → hci_init_sync() [if (err < 0)]

  A positive HCI status from hci_reset_sync() propagates through
  hci_init0_sync()/hci_init1_sync() but is then silently ignored by
  hci_unconf_init_sync()/hci_init_sync() due to their if (err < 0)
  checks.

  Will not change hci_reset_sync(). Any suggestion on how to fix it?


^ permalink raw reply

* Re: [PATCH 13/13] Bluetooth: btqca: Fix qca_set_bdaddr() using wrong HCI event type
From: Zijun Hu @ 2026-06-23 10:16 UTC (permalink / raw)
  To: Bartosz Golaszewski
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Ben Young Tae Kim, Balakrishna Godavarthi,
	Matthias Kaehlcke
In-Reply-To: <CAMRc=Mc_hjCPe+aLQhK-ProNuh=4-43mPqqmQNQ81Lu4Do=fGA@mail.gmail.com>

On 6/23/2026 5:04 PM, Bartosz Golaszewski wrote:
> Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
> 
> Looks good but should go in the front of the series and land upstream earlier.

Thanks for the R-b. Will do it in v2.

^ permalink raw reply

* Re: [PATCH 12/13] Bluetooth: btqca: Fix undetected error HCI status in qca_send_reset()
From: Zijun Hu @ 2026-06-23 10:13 UTC (permalink / raw)
  To: Bartosz Golaszewski
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Ben Young Tae Kim, Balakrishna Godavarthi,
	Matthias Kaehlcke
In-Reply-To: <CAMRc=MemaY=ON2q-Cuzis0sZ9WfqjvBsFzxxCYRZrXeFPNJ0_w@mail.gmail.com>

On 6/23/2026 5:03 PM, Bartosz Golaszewski wrote:
>> Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
>> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
>> ---
> I think the fix should go in the front of the series. Even if it requires the
> new function.

Agreed on the reordering. However, handling HCI status errors for the
reset command needs more discussion before we can finalize the approach,
so the fix may be further optimized accordingly.


^ permalink raw reply

* Re: [PATCH 11/13] Bluetooth: btusb: Move struct btusb_data and macros into btusb.h
From: Zijun Hu @ 2026-06-23 10:09 UTC (permalink / raw)
  To: Bartosz Golaszewski
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Ben Young Tae Kim, Balakrishna Godavarthi,
	Matthias Kaehlcke
In-Reply-To: <CAMRc=McmkN=Oho2A+XWgvrRG3QfF61HaPkeCperSaiCzqOc1Dw@mail.gmail.com>

On 6/23/2026 5:02 PM, Bartosz Golaszewski wrote:
> On Mon, 22 Jun 2026 16:52:24 +0200, Zijun Hu <zijun.hu@oss.qualcomm.com> said:
>> btusb.c is growing large as vendor-specific code accumulates. Ideally,
>> btusb.c contains only the default implementation while vendor-specific
>> code lives in separate files for easier maintenance.
>>
>> The newly added btusb.h also reduces unnecessary data copies in hooks
>> like btusb_mtk_setup().
>>
>> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
>> ---
> I would be ok with this if you added a user of this new header in the subsequent
> patches but I don't see these so I'll hold off my R-b until you can show the
> need for one.

Right. Will drop this patch in v2 and bring it back together with its user
when necessary.


^ permalink raw reply

* Re: [PATCH 04/13] Bluetooth: btusb: QCA: Do not populate devcoredump fields on ATH3012 or QCA_ROME
From: Zijun Hu @ 2026-06-23  9:50 UTC (permalink / raw)
  To: Dmitry Baryshkov
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, Rocky Liao,
	Bartosz Golaszewski, Ben Young Tae Kim, Balakrishna Godavarthi,
	Matthias Kaehlcke, Zijun Hu, linux-bluetooth, linux-kernel,
	Luiz Augusto von Dentz, linux-arm-msm
In-Reply-To: <l2ri4yxwtxv3r2upconhgsblespvushzeaqcvwvqulracmvfr4@qsmzp36emi7x>

On 6/22/2026 11:31 PM, Dmitry Baryshkov wrote:
>> Devcoredump is disabled on ATH3012 or QCA_ROME, but btusb_setup_qca()
>> used by both unconditionally populates those two devcoredump fields.
>>
>> Fix by populating devcoredump fields only for BTUSB_QCA_WCN6855 devices,
>> which are the only ones that enable devcoredump.
> Why? Wouldn't it be better to enable devcoredump for all platforms?

BTUSB_QCA_WCN6855 marks the first generation of QCA BT SoCs for which
devcoredump is enabled; all later generations are enabled too. ATH3012
and QCA_ROME are much older chips that predate devcoredump in the
Bluetooth core driver — there is no requirement to enable it for them
and it is not clear whether they even support it.

  Will optimize the commit message in v2.


^ permalink raw reply

* Re: [PATCH 01/13] Bluetooth: btusb: Initialize @priv_size at declaration in btusb_probe()
From: Zijun Hu @ 2026-06-23  9:33 UTC (permalink / raw)
  To: Dmitry Baryshkov
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, Rocky Liao,
	Bartosz Golaszewski, Ben Young Tae Kim, Balakrishna Godavarthi,
	Matthias Kaehlcke, Zijun Hu, linux-bluetooth, linux-kernel,
	Luiz Augusto von Dentz, linux-arm-msm
In-Reply-To: <xzps6lqo2k2w2onzleg4baycsnzsejiwhhefilk5rt5e547u6y@orl7l3yklhuh>

On 6/22/2026 11:30 PM, Dmitry Baryshkov wrote:
> On Mon, Jun 22, 2026 at 07:52:14AM -0700, Zijun Hu wrote:
>> Initialize @priv_size at declaration to reduce a redundant assignment.
> This is obvious from the commit. Please tell us, why?

It is simpler: one statement completes both declaration and assignment.
More flexible: initializing at declaration makes the variable immediately
usable from that point, so any new priv_size += can be freely inserted
without caring about where the separate priv_size = 0 sits.

Will improve the commit message in v2.


^ permalink raw reply

* [bluetooth-next:master] BUILD SUCCESS 8047d832767fdefd118b56be37ab550db56a443c
From: kernel test robot @ 2026-06-23  9:27 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
branch HEAD: 8047d832767fdefd118b56be37ab550db56a443c  Bluetooth: hci_sync: Remove unused hci_cmd_sync_dequeue_once()

elapsed time: 823m

configs tested: 201
configs skipped: 2

The following configs have been built successfully.
More configs may be tested in the coming days.

x86_64                randconfig-074-20260623    gcc-14
x86_64                randconfig-075-20260623    gcc-14
x86_64                randconfig-076-20260623    gcc-14
x86_64                               rhel-9.4    clang-22
x86_64                           rhel-9.4-bpf    gcc-14
x86_64                          rhel-9.4-func    clang-22
x86_64                    rhel-9.4-kselftests    clang-22
x86_64                         rhel-9.4-kunit    gcc-14
x86_64                           rhel-9.4-ltp    gcc-14
x86_64                          rhel-9.4-rust    clang-22
xtensa                            allnoconfig    clang-23
xtensa                           allyesconfig    clang-20
xtensa                randconfig-001-20260623    gcc-8.5.0
xtensa                randconfig-002-20260623    gcc-8.5.0

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply

* Re: [PATCH 13/13] Bluetooth: btqca: Fix qca_set_bdaddr() using wrong HCI event type
From: Bartosz Golaszewski @ 2026-06-23  9:04 UTC (permalink / raw)
  To: Zijun Hu
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Bartosz Golaszewski, Ben Young Tae Kim,
	Balakrishna Godavarthi, Matthias Kaehlcke
In-Reply-To: <20260622-bt_bugfix-v1-13-11f936d84e72@oss.qualcomm.com>

On Mon, 22 Jun 2026 16:52:26 +0200, Zijun Hu <zijun.hu@oss.qualcomm.com> said:
> EDL_WRITE_BD_ADDR_OPCODE (0xFC14) returns a command complete event,
> not a VSE, but qca_set_bdaddr() waits for HCI_EV_VENDOR.
>
> Fix by passing 0 as the event parameter to __hci_cmd_sync_ev() to
> wait for the command complete event instead.
>
> Fixes: 5c0a1001c8be ("Bluetooth: hci_qca: Add helper to set device address")
> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
> ---
>  drivers/bluetooth/btqca.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
> index 875216e15603..f3487de813c2 100644
> --- a/drivers/bluetooth/btqca.c
> +++ b/drivers/bluetooth/btqca.c
> @@ -1011,8 +1011,7 @@ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
>  	baswap(&bdaddr_swapped, bdaddr);
>
>  	skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6,
> -				&bdaddr_swapped, HCI_EV_VENDOR,
> -				HCI_INIT_TIMEOUT);
> +				&bdaddr_swapped, 0, HCI_INIT_TIMEOUT);
>  	if (IS_ERR(skb)) {
>  		err = PTR_ERR(skb);
>  		bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err);
>
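
Review bot: The error path right after the changed __hci_cmd_sync_ev() call still only tests IS_ERR(skb). Now that the call waits for a command complete event, a non-zero status returned by the controller would pass this test unless code below the hunk reads it. Patch 12/13 of this series describes exactly that gap for qca_send_reset() (the status byte in skb->data[0] is never read), so please confirm the status is checked here too, or use a helper that converts it to an errno. Separately, the literal 6 for the parameter length could be sizeof(bdaddr_swapped).
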
> --
> 2.34.1
>
>

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

Looks good but should go in the front of the series and land upstream earlier.

Bart

^ permalink raw reply

* Re: [PATCH 12/13] Bluetooth: btqca: Fix undetected error HCI status in qca_send_reset()
From: Bartosz Golaszewski @ 2026-06-23  9:03 UTC (permalink / raw)
  To: Zijun Hu
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Bartosz Golaszewski, Ben Young Tae Kim,
	Balakrishna Godavarthi, Matthias Kaehlcke
In-Reply-To: <20260622-bt_bugfix-v1-12-11f936d84e72@oss.qualcomm.com>

On Mon, 22 Jun 2026 16:52:25 +0200, Zijun Hu <zijun.hu@oss.qualcomm.com> said:
> qca_send_reset() uses __hci_cmd_sync() which returns an skb but never
> reads the HCI status byte from skb->data[0], so a non-zero error status
> returned by the controller is silently ignored.
>
> Fix by replacing qca_send_reset() with __hci_reset_sync() which
> properly extracts and converts the HCI status byte to a negative errno.
>
> Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
> ---

I think the fix should go in the front of the series. Even if it requires the
new function.

Bart

^ permalink raw reply

* Re: [PATCH 11/13] Bluetooth: btusb: Move struct btusb_data and macros into btusb.h
From: Bartosz Golaszewski @ 2026-06-23  9:02 UTC (permalink / raw)
  To: Zijun Hu
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Bartosz Golaszewski, Ben Young Tae Kim,
	Balakrishna Godavarthi, Matthias Kaehlcke
In-Reply-To: <20260622-bt_bugfix-v1-11-11f936d84e72@oss.qualcomm.com>

On Mon, 22 Jun 2026 16:52:24 +0200, Zijun Hu <zijun.hu@oss.qualcomm.com> said:
> btusb.c is growing large as vendor-specific code accumulates. Ideally,
> btusb.c contains only the default implementation while vendor-specific
> code lives in separate files for easier maintenance.
>
> The newly added btusb.h also reduces unnecessary data copies in hooks
> like btusb_mtk_setup().
>
> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
> ---

I would be ok with this if you added a user of this new header in the subsequent
patches but I don't see these so I'll hold off my R-b until you can show the
need for one.

Bart

^ permalink raw reply

* Re: [PATCH 07/13] Bluetooth: hci_sync: Simplify hci_reset_sync()
From: Bartosz Golaszewski @ 2026-06-23  8:56 UTC (permalink / raw)
  To: Zijun Hu
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Bartosz Golaszewski, Ben Young Tae Kim,
	Balakrishna Godavarthi, Matthias Kaehlcke
In-Reply-To: <20260622-bt_bugfix-v1-7-11f936d84e72@oss.qualcomm.com>

On Mon, 22 Jun 2026 16:52:20 +0200, Zijun Hu <zijun.hu@oss.qualcomm.com> said:
> Return err directly instead of using an if/return pattern.
>
> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
> ---
>  net/bluetooth/hci_sync.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index 3be8c3581c6c..fce9f9526cb5 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -3678,10 +3678,8 @@ int hci_reset_sync(struct hci_dev *hdev)
>
>  	err = __hci_cmd_sync_status(hdev, HCI_OP_RESET, 0, NULL,
>  				    HCI_CMD_TIMEOUT);
> -	if (err)
> -		return err;
>
> -	return 0;
> +	return err;
>  }
>
>  static int hci_init0_sync(struct hci_dev *hdev)
>
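
Review bot: In hci_reset_sync(), err is now assigned and returned by the very next statement, so the local no longer does anything in the visible lines. If nothing above the hunk needs it, return the __hci_cmd_sync_status() call directly and drop the declaration; that also removes the blank line left between the assignment and the return.
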
> --
> 2.34.1
>
>

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

^ permalink raw reply

* Re: [PATCH 02/13] Bluetooth: btusb: Use & instead of == to test bitflag BTUSB_IGNORE
From: Bartosz Golaszewski @ 2026-06-23  8:51 UTC (permalink / raw)
  To: Zijun Hu
  Cc: Zijun Hu, linux-bluetooth, linux-kernel, Luiz Augusto von Dentz,
	linux-arm-msm, Marcel Holtmann, Luiz Augusto von Dentz,
	Rocky Liao, Bartosz Golaszewski, Ben Young Tae Kim,
	Balakrishna Godavarthi, Matthias Kaehlcke
In-Reply-To: <20260622-bt_bugfix-v1-2-11f936d84e72@oss.qualcomm.com>

On Mon, 22 Jun 2026 16:52:15 +0200, Zijun Hu <zijun.hu@oss.qualcomm.com> said:
> The driver_info field is a bitmask, so use & instead of == to test the
> BTUSB_IGNORE bitflag against it, which is consistent with how the other
> flags are tested.
>
> Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
> ---

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

^ permalink raw reply

* Re: [PATCH 01/13] Bluetooth: btusb: Initialize @priv_size at declaration in btusb_probe()
From: Bartosz Golaszewski @ 2026-06-23  8:50 UTC (permalink / raw)
  To: Dmitry Baryshkov
  Cc: Marcel Holtmann, Luiz Augusto von Dentz, Rocky Liao,
	Bartosz Golaszewski, Ben Young Tae Kim, Balakrishna Godavarthi,
	Matthias Kaehlcke, Zijun Hu, linux-bluetooth, linux-kernel,
	Luiz Augusto von Dentz, linux-arm-msm, Zijun Hu
In-Reply-To: <xzps6lqo2k2w2onzleg4baycsnzsejiwhhefilk5rt5e547u6y@orl7l3yklhuh>

On Mon, 22 Jun 2026 17:30:25 +0200, Dmitry Baryshkov
<dmitry.baryshkov@oss.qualcomm.com> said:
> On Mon, Jun 22, 2026 at 07:52:14AM -0700, Zijun Hu wrote:
>> Initialize @priv_size at declaration to reduce a redundant assignment.
>
> This is obvious from the commit. Please tell us, why?
>

I think this is what "to reduce a redundant assignment" says.

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

^ permalink raw reply

* Re: [PATCH] crypto: af_alg - Add af_alg_restrict sysctl, defaulting to 1
From: Bastien Nocera @ 2026-06-23  8:42 UTC (permalink / raw)
  To: Eric Biggers, linux-crypto, Herbert Xu
  Cc: linux-kernel, linux-doc, linux-bluetooth, iwd, linux-hardening,
	Milan Broz, Demi Marie Obenour, Andy Lutomirski, ell
In-Reply-To: <20260622234803.6982-1-ebiggers@kernel.org>

Hello Eric,

On Mon, 2026-06-22 at 16:48 -0700, Eric Biggers wrote:
> AF_ALG is a frequent source of vulnerabilities and a maintenance
> nightmare.  It exposes far more functionality to userspace than ever
> should have been exposed, especially to unprivileged processes.  Recent
> exploits have targeted kernel internal implementation details like
> "authencesn" that have zero use case for userspace access.

You should also CC: ell@lists.linux.dev for AF_ALG related changes, as
ell uses AF_ALG extensively for crypto and checksumming.

Cheers

> 
> Fortunately, AF_ALG is rarely used in practice, as userspace crypto
> libraries exist.  And when it is used, only some functionality is known
> to be used, and many users are known to hold capabilities already.
> iwd for example requires CAP_NET_ADMIN and has a known algorithm list
> (https://lore.kernel.org/linux-crypto/bcbbef00-5881-421b-8892-7be6c04b832d@gmail.com/).
>
> Thus, let's restrict the set of allowed algorithms by default, depending
> on the capabilities held.
> 
> Add a sysctl /proc/sys/crypto/af_alg_restrict with meaning:
> 
>     0: unrestricted
>     1: limited functionality
>     2: completely disabled
> 
> Set the default value to 1, which enables an algorithm allowlist for
> unprivileged processes and a slightly longer allowlist for privileged
> processes.
> 
> Note that the list may be tweaked in the future.  However, the common
> use cases such as iwd and bluez are taken into account already.  I've
> tested that iwd still works with the default value of 1.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  Documentation/admin-guide/sysctl/crypto.rst | 36 +++++++++++
>  Documentation/crypto/userspace-if.rst       | 13 +++-
>  crypto/af_alg.c                             | 72
> +++++++++++++++++++--
>  crypto/algif_aead.c                         | 11 ++++
>  crypto/algif_hash.c                         | 24 +++++++
>  crypto/algif_rng.c                          |  9 +++
>  crypto/algif_skcipher.c                     | 20 ++++++
>  include/crypto/if_alg.h                     |  8 +++
>  8 files changed, 184 insertions(+), 9 deletions(-)
> 
> diff --git a/Documentation/admin-guide/sysctl/crypto.rst
> b/Documentation/admin-guide/sysctl/crypto.rst
> index b707bd314a64..9a1bd53287f4 100644
> --- a/Documentation/admin-guide/sysctl/crypto.rst
> +++ b/Documentation/admin-guide/sysctl/crypto.rst
> @@ -5,10 +5,46 @@
>  These files show up in ``/proc/sys/crypto/``, depending on the
>  kernel configuration:
>  
>  .. contents:: :local:
>  
> +.. _af_alg_restrict:
> +
> +af_alg_restrict
> +===============
> +
> +Controls the level of restriction of AF_ALG.
> +
> +AF_ALG is a deprecated and rarely-used userspace interface that is a
> +frequent source of vulnerabilities. It also unnecessarily exposes a
> +large number of kernel implementation details. For more information
> +about AF_ALG, see :ref:`Documentation/crypto/userspace-if.rst
> +<crypto_userspace_interface>`.
> +
> +Starting in Linux v7.3, AF_ALG supports only a limited set of
> +algorithms by default. This sysctl allows the system administrator
> to
> +remove this restriction when needed for compatibility reasons, or to
> +go further and disable AF_ALG entirely. The default value is 1.
> +
> +=== 
> ==================================================================
> +0    AF_ALG is unrestricted.
> +
> +1    AF_ALG is supported with a limited list of algorithms. The list
> +     is designed for compatibility with known users such as iwd and
> +     bluez that haven't yet been fixed to use userspace crypto code.
> +
> +     Specifically, there is an allowlist for unprivileged processes
> +     and a somewhat longer allowlist for processes that hold
> +     CAP_SYS_ADMIN or CAP_NET_ADMIN in the initial user namespace.
> +
> +     Attempts to bind() an AF_ALG socket with a disallowed algorithm
> +     fail with ENOENT.
> +
> +2    AF_ALG is completely disabled. Attempts to create an AF_ALG
> +     socket fail with EAFNOSUPPORT.
> +=== 
> ==================================================================
> +
>  fips_enabled
>  ============
>  
>  Read-only flag that indicates whether FIPS mode is enabled.
>  
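
Review bot: The table entry for value 1 says there are two allowlists but does not name the algorithms on them or say where to find them, so an administrator choosing between 0 and 1 cannot tell from this text which programs will stop working. Either list the algorithms here or point at the per-type tables in crypto/algif_*.c, and repeat the commit message's caveat that the lists may be tweaked in later releases.
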
> diff --git a/Documentation/crypto/userspace-if.rst
> b/Documentation/crypto/userspace-if.rst
> index ab93300c8e04..d6194346e366 100644
> --- a/Documentation/crypto/userspace-if.rst
> +++ b/Documentation/crypto/userspace-if.rst
> @@ -1,5 +1,7 @@
> +.. _crypto_userspace_interface:
> +
>  User Space Interface
>  ====================
>  
>  Introduction
>  ------------
> @@ -10,13 +12,18 @@ code.
>  
>  AF_ALG is insecure and is deprecated. Originally added to the kernel
> in 2010,
>  most kernel developers now consider it to be a mistake. Support for
> hardware
>  accelerators, which was the original purpose of AF_ALG, has been
> removed.
>  
> -AF_ALG continues to be supported only for backwards compatibility.
> On systems
> -where no programs using AF_ALG remain, the support for it should be
> disabled by
> -disabling ``CONFIG_CRYPTO_USER_API_*``.
> +AF_ALG continues to be supported only for backwards compatibility.
> +
> +Starting in Linux v7.3, the set of algorithms supported by AF_ALG is
> limited by
> +default. See :ref:`/proc/sys/crypto/af_alg_restrict
> <af_alg_restrict>`.
> +
> +On systems where no programs using AF_ALG remain, the support for it
> should be
> +disabled entirely by setting ``/proc/sys/crypto/af_alg_restrict`` to
> 2 or by
> +disabling ``CONFIG_CRYPTO_USER_API_*`` in the kernel configuration.
>  
>  Deprecation
>  -----------
>  
>  AF_ALG was originally intended to provide userspace programs access
> to crypto
> diff --git a/crypto/af_alg.c b/crypto/af_alg.c
> index cce000e8590e..34b801568fba 100644
> --- a/crypto/af_alg.c
> +++ b/crypto/af_alg.c
> @@ -6,10 +6,11 @@
>   *
>   * Copyright (c) 2010 Herbert Xu <herbert@gondor.apana.org.au>
>   */
>  
>  #include <linux/atomic.h>
> +#include <linux/capability.h>
>  #include <crypto/if_alg.h>
>  #include <linux/crypto.h>
>  #include <linux/init.h>
>  #include <linux/kernel.h>
>  #include <linux/key.h>
> @@ -20,14 +21,32 @@
>  #include <linux/rwsem.h>
>  #include <linux/sched.h>
>  #include <linux/sched/signal.h>
>  #include <linux/security.h>
>  #include <linux/string.h>
> +#include <linux/sysctl.h>
> +#include <linux/user_namespace.h>
>  #include <keys/user-type.h>
>  #include <keys/trusted-type.h>
>  #include <keys/encrypted-type.h>
>  
> +static int af_alg_restrict = 1;
> +
> +static const struct ctl_table af_alg_table[] = {
> +	{
> +		.procname       = "af_alg_restrict",
> +		.data           = &af_alg_restrict,
> +		.maxlen         = sizeof(int),
> +		.mode           = 0644,
> +		.proc_handler   = proc_dointvec_minmax,
> +		.extra1		= SYSCTL_ZERO,
> +		.extra2		= SYSCTL_TWO,
> +	},
> +};
> +
> +static struct ctl_table_header *af_alg_header;
> +
>  struct alg_type_list {
>  	const struct af_alg_type *type;
>  	struct list_head list;
>  };
>  
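
Review bot: With .mode 0644 and proc_dointvec_minmax bounded by SYSCTL_ZERO and SYSCTL_TWO, af_alg_restrict can be lowered again at runtime, so a value of 2 set at boot is only as strong as write access to /proc/sys/crypto. If the knob is meant as a hardening control, consider a handler that only allows raising the value, or state in the documentation that root can freely reverse it.
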
> @@ -108,10 +127,43 @@ int af_alg_unregister_type(const struct
> af_alg_type *type)
>  
>  	return err;
>  }
>  EXPORT_SYMBOL_GPL(af_alg_unregister_type);
>  
> +static bool af_alg_capable(void)
> +{
> +	return ns_capable_noaudit(&init_user_ns, CAP_NET_ADMIN) ||
> +	       capable(CAP_SYS_ADMIN);
> +}
> +
> +int af_alg_check_restriction(const char *name,
> +			     const struct af_alg_allowlist_entry
> allowlist[])
> +{
> +	int level = READ_ONCE(af_alg_restrict);
> +
> +	if (level == 0)
> +		return 0;
> +	if (level == 1) {
> +		for (const struct af_alg_allowlist_entry *ent =
> allowlist;
> +		     ent->name; ent++) {
> +			if (strcmp(name, ent->name) == 0 &&
> +			    (!ent->privileged || af_alg_capable()))
> +				return 0;
> +		}
> +	}
> +	/*
> +	 * Use -ENOENT (the error code for "algorithm not found")
> instead of
> +	 * -EACCES or -EPERM, for the highest chance of correctly
> triggering
> +	 * fallback code paths in userspace programs.
> +	 *
> +	 * Don't log a warning, since it would be noisy.  iwd tries
> to bind a
> +	 * bunch of algorithms that it never uses.
> +	 */
> +	return -ENOENT;
> +}
> +EXPORT_SYMBOL_GPL(af_alg_check_restriction);
> +
>  static void alg_do_release(const struct af_alg_type *type, void
> *private)
>  {
>  	if (!type)
>  		return;
>  
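
Review bot: af_alg_capable() mixes ns_capable_noaudit() for CAP_NET_ADMIN with plain capable() for CAP_SYS_ADMIN, and capable() is the audited variant. An unprivileged process that binds a privileged allowlist entry will therefore fail the first test quietly and then produce an audit denial on the second, which contradicts the comment further down about not logging because iwd probes many algorithms. Suggest ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN) for the second test so both checks behave the same way.
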
> @@ -504,10 +556,13 @@ static int alg_create(struct net *net, struct
> socket *sock, int protocol,
>  		      int kern)
>  {
>  	struct sock *sk;
>  	int err;
>  
> +	if (READ_ONCE(af_alg_restrict) == 2)
> +		return -EAFNOSUPPORT;
> +
>  	if (sock->type != SOCK_SEQPACKET)
>  		return -ESOCKTNOSUPPORT;
>  	if (protocol != 0)
>  		return -EPROTONOSUPPORT;
>  
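
Review bot: The level-2 test sits only in alg_create(), and the allowlist test only in the bind handlers, so sockets that were created or bound before the sysctl was raised keep working. That is probably acceptable, but the documentation should say that the setting applies to new socket() and bind() calls only, so administrators know that existing AF_ALG users have to be restarted for a stricter value to take effect.
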
> @@ -1220,31 +1275,36 @@ int af_alg_get_rsgl(struct sock *sk, struct
> msghdr *msg, int flags,
>  }
>  EXPORT_SYMBOL_GPL(af_alg_get_rsgl);
>  
>  static int __init af_alg_init(void)
>  {
> -	int err = proto_register(&alg_proto, 0);
> +	int err;
> +
> +	af_alg_header = register_sysctl("crypto", af_alg_table);
>  
> +	err = proto_register(&alg_proto, 0);
>  	if (err)
> -		goto out;
> +		goto out_unregister_sysctl;
>  
>  	err = sock_register(&alg_family);
> -	if (err != 0)
> +	if (err)
>  		goto out_unregister_proto;
>  
> -out:
> -	return err;
> +	return 0;
>  
>  out_unregister_proto:
>  	proto_unregister(&alg_proto);
> -	goto out;
> +out_unregister_sysctl:
> +	unregister_sysctl_table(af_alg_header);
> +	return err;
>  }
>  
>  static void __exit af_alg_exit(void)
>  {
>  	sock_unregister(PF_ALG);
>  	proto_unregister(&alg_proto);
> +	unregister_sysctl_table(af_alg_header);
>  }
>  
>  module_init(af_alg_init);
>  module_exit(af_alg_exit);
>  MODULE_DESCRIPTION("Crypto userspace interface");
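
Review bot: The return value of register_sysctl() in af_alg_init() is never checked, unlike the proto_register() and sock_register() calls below it. If a failed registration is meant to be tolerated (the default of 1 still applies, only without a way to change it), a short comment saying so would help; otherwise fail init at that point.
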
> diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
> index 787aac8aeb24..b9217f9086aa 100644
> --- a/crypto/algif_aead.c
> +++ b/crypto/algif_aead.c
> @@ -32,10 +32,15 @@
>  #include <linux/mm.h>
>  #include <linux/module.h>
>  #include <linux/net.h>
>  #include <net/sock.h>
>  
> +static const struct af_alg_allowlist_entry aead_allowlist[] = {
> +	{ "ccm(aes)", true }, /* bluez */
> +	{},
> +};
> +
>  static inline bool aead_sufficient_data(struct sock *sk)
>  {
>  	struct alg_sock *ask = alg_sk(sk);
>  	struct sock *psk = ask->parent;
>  	struct alg_sock *pask = alg_sk(psk);
> @@ -342,10 +347,16 @@ static struct proto_ops algif_aead_ops_nokey =
> {
>  	.poll		=	af_alg_poll,
>  };
>  
>  static void *aead_bind(const char *name)
>  {
> +	int err;
> +
> +	err = af_alg_check_restriction(name, aead_allowlist);
> +	if (err)
> +		return ERR_PTR(err);
> +
>  	return crypto_alloc_aead(name, 0, AF_ALG_CRYPTOAPI_MASK);
>  }
>  
>  static void aead_release(void *private)
>  {
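
Review bot: aead_bind() hands the caller-supplied name to af_alg_check_restriction(), which compares it with strcmp(), and then to crypto_alloc_aead(), which also accepts driver names. A program that binds by driver name rather than "ccm(aes)" will therefore get ENOENT at level 1 even though the algorithm is on the list. That looks intentional, but it deserves a sentence in the sysctl documentation; the same holds for the hash, rng and skcipher bind handlers.
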
> diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
> index 5452ad6c1506..a8d958d51ece 100644
> --- a/crypto/algif_hash.c
> +++ b/crypto/algif_hash.c
> @@ -14,10 +14,28 @@
>  #include <linux/mm.h>
>  #include <linux/module.h>
>  #include <linux/net.h>
>  #include <net/sock.h>
>  
> +static const struct af_alg_allowlist_entry hash_allowlist[] = {
> +	{ "cmac(aes)", true }, /* iwd, bluez */
> +	{ "hmac(md5)", true }, /* iwd */
> +	{ "hmac(sha1)", true }, /* iwd */
> +	{ "hmac(sha224)", true }, /* iwd */
> +	{ "hmac(sha256)", true }, /* iwd */
> +	{ "hmac(sha384)", true }, /* iwd */
> +	{ "hmac(sha512)", true }, /* iwd, sha512hmac */
> +	{ "md4", true }, /* iwd */
> +	{ "md5", true }, /* iwd */
> +	{ "sha1", false }, /* iwd, iproute2 < 7.0 */
> +	{ "sha224", true }, /* iwd */
> +	{ "sha256", true }, /* iwd */
> +	{ "sha384", true }, /* iwd */
> +	{ "sha512", true }, /* iwd */
> +	{},
> +};
> +
>  struct hash_ctx {
>  	struct af_alg_sgl sgl;
>  
>  	u8 *result;
>  
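
Review bot: Style point on hash_allowlist[]: the bare true/false second field makes the one unprivileged entry, { "sha1", false }, easy to overlook among thirteen privileged ones. Designated initializers (.name = ..., .privileged = ...) or a pair of small macros for privileged and unprivileged entries would make the privilege level of each algorithm obvious when the list is reviewed or extended.
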
> @@ -380,10 +398,16 @@ static struct proto_ops algif_hash_ops_nokey =
> {
>  	.accept		=	hash_accept_nokey,
>  };
>  
>  static void *hash_bind(const char *name)
>  {
> +	int err;
> +
> +	err = af_alg_check_restriction(name, hash_allowlist);
> +	if (err)
> +		return ERR_PTR(err);
> +
>  	return crypto_alloc_ahash(name, 0, AF_ALG_CRYPTOAPI_MASK);
>  }
>  
>  static void hash_release(void *private)
>  {
> diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c
> index 4dfe7899f8fa..bd522915d56d 100644
> --- a/crypto/algif_rng.c
> +++ b/crypto/algif_rng.c
> @@ -48,10 +48,14 @@
>  
>  MODULE_LICENSE("GPL");
>  MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
>  MODULE_DESCRIPTION("User-space interface for random number
> generators");
>  
> +static const struct af_alg_allowlist_entry rng_allowlist[] = {
> +	{},
> +};
> +
>  struct rng_ctx {
>  #define MAXSIZE 128
>  	unsigned int len;
>  	struct crypto_rng *drng;
>  	u8 *addtl;
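
Review bot: rng_allowlist[] contains only the terminator, which means the rng type is refused entirely at level 1 for every caller. An empty table reads like an omission, so add a comment saying that no rng algorithm is allowed on purpose, and mention in the sysctl documentation that level 1 disables the rng interface.
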
> @@ -199,10 +203,15 @@ static struct proto_ops __maybe_unused
> algif_rng_test_ops = {
>  
>  static void *rng_bind(const char *name)
>  {
>  	struct rng_parent_ctx *pctx;
>  	struct crypto_rng *rng;
> +	int err;
> +
> +	err = af_alg_check_restriction(name, rng_allowlist);
> +	if (err)
> +		return ERR_PTR(err);
>  
>  	pctx = kzalloc_obj(*pctx);
>  	if (!pctx)
>  		return ERR_PTR(-ENOMEM);
>  
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index df20bdfe1f1f..2b8069667974 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -32,10 +32,24 @@
>  #include <linux/mm.h>
>  #include <linux/module.h>
>  #include <linux/net.h>
>  #include <net/sock.h>
>  
> +static const struct af_alg_allowlist_entry skcipher_allowlist[] = {
> +	{ "adiantum(xchacha12,aes)", false }, /* cryptsetup */
> +	{ "adiantum(xchacha20,aes)", false }, /* cryptsetup */
> +	{ "cbc(aes)", true }, /* iwd */
> +	{ "cbc(des)", true }, /* iwd */
> +	{ "cbc(des3_ede)", true }, /* iwd */
> +	{ "ctr(aes)", true }, /* iwd */
> +	{ "ecb(aes)", true }, /* iwd, bluez */
> +	{ "ecb(des)", true }, /* iwd */
> +	{ "hctr2(aes)", false }, /* cryptsetup */
> +	{ "xts(aes)", false }, /* cryptsetup benchmark */
> +	{},
> +};
> +
>  static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg,
>  			    size_t size)
>  {
>  	struct sock *sk = sock->sk;
>  	struct alg_sock *ask = alg_sk(sk);
> @@ -307,10 +321,16 @@ static struct proto_ops
> algif_skcipher_ops_nokey = {
>  	.poll		=	af_alg_poll,
>  };
>  
>  static void *skcipher_bind(const char *name)
>  {
> +	int err;
> +
> +	err = af_alg_check_restriction(name, skcipher_allowlist);
> +	if (err)
> +		return ERR_PTR(err);
> +
>  	return crypto_alloc_skcipher(name, 0,
> AF_ALG_CRYPTOAPI_MASK);
>  }
>  
>  static void skcipher_release(void *private)
>  {
> diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
> index 7643ba954125..4e9ed8e73403 100644
> --- a/include/crypto/if_alg.h
> +++ b/include/crypto/if_alg.h
> @@ -159,13 +159,21 @@ struct af_alg_ctx {
>  	unsigned int len;
>  
>  	unsigned int inflight;
>  };
>  
> +struct af_alg_allowlist_entry {
> +	const char *name;
> +	bool privileged;
> +};
> +
>  int af_alg_register_type(const struct af_alg_type *type);
>  int af_alg_unregister_type(const struct af_alg_type *type);
>  
> +int af_alg_check_restriction(const char *name,
> +			     const struct af_alg_allowlist_entry
> allowlist[]);
> +
>  int af_alg_release(struct socket *sock);
>  void af_alg_release_parent(struct sock *sk);
>  int af_alg_accept(struct sock *sk, struct socket *newsock,
>  		  struct proto_accept_arg *arg);
>  
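
Review bot: struct af_alg_allowlist_entry and af_alg_check_restriction() are exported to the algif_* modules without any kernel-doc. Please document that the array passed in must end with an entry whose name is NULL (the loop in af_alg.c relies on it), what privileged means, and that the function returns 0 or -ENOENT.
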
> 
> base-commit: 1dc18801be29bc54709aa355b8acd80e183b03cd

^ permalink raw reply
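
A probe an administrator could run before relying on the default of 1 or switching to 2, built on the two error codes the quoted documentation specifies (EAFNOSUPPORT from socket(), ENOENT from bind()). It is an added example, not part of the patch or of any project in this thread; the function names and the sample algorithm list are assumptions.

```python
#!/usr/bin/env python3
"""Probe which AF_ALG algorithms the current process can still bind()."""
import errno
import socket

# 38 is AF_ALG on Linux; the fallback only keeps the module importable elsewhere.
AF_ALG = getattr(socket, "AF_ALG", 38)
# Sysctl path as given in the quoted patch.
SYSCTL_PATH = "/proc/sys/crypto/af_alg_restrict"
# Constructed sample: (type, name) pairs a host's services are assumed to need.
SAMPLE_NEEDED = [("hash", "sha1"), ("hash", "sha256"),
                 ("skcipher", "xts(aes)"), ("aead", "ccm(aes)")]


def read_restrict_level(path=SYSCTL_PATH):
    """Return the sysctl value, or None if the file does not exist
    (for instance a kernel that does not carry the quoted patch)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return None


def _errname(exc):
    return errno.errorcode.get(exc.errno, str(exc.errno))


def probe(alg_type, name, sock_factory=socket.socket):
    """Try socket() then bind() for one algorithm and classify the outcome.

    sock_factory is injectable so the logic can be exercised without AF_ALG.
    """
    try:
        sock = sock_factory(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return "af_alg-unavailable"
        return "socket-error:" + _errname(exc)
    try:
        sock.bind((alg_type, name))
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            return "not-bindable"
        return "bind-error:" + _errname(exc)
    finally:
        sock.close()
    return "bindable"


def explain(status, level):
    """Turn a probe status into a hint, using the sysctl level when known."""
    if status == "bindable":
        return "ok"
    if status == "af_alg-unavailable":
        if level == 2:
            return "blocked: af_alg_restrict=2"
        return "AF_ALG not supported by this kernel"
    if status == "not-bindable":
        # The patch returns ENOENT on purpose, so a denied algorithm and a
        # missing one look the same from userspace.
        if level == 1:
            return ("not on the allowlist for this process's privileges, "
                    "or not present in this kernel")
        return "algorithm not present in this kernel"
    return status


def audit(needed, level=None, sock_factory=socket.socket):
    """Probe every (type, name) pair; return (type, name, status, hint) rows."""
    rows = []
    for alg_type, name in needed:
        status = probe(alg_type, name, sock_factory)
        rows.append((alg_type, name, status, explain(status, level)))
    return rows


if __name__ == "__main__":
    current = read_restrict_level()
    print("af_alg_restrict =", current)
    for row in audit(SAMPLE_NEEDED, current):
        print("%-9s %-12s %-18s %s" % row)
```

Run it as the same user and with the same capabilities as the service being checked, since the quoted check depends on CAP_NET_ADMIN or CAP_SYS_ADMIN.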

* Re: [PATCH V2 3/8] Bluetooth: btnxpuart: Add M.2 Bluetooth device support using pwrseq
From: Bartosz Golaszewski @ 2026-06-23  8:34 UTC (permalink / raw)
  To: Sherry Sun (OSS)
  Cc: imx, linux-pci, linux-arm-kernel, devicetree, linux-kernel,
	linux-bluetooth, linux-pm, sherry.sun, robh, krzk+dt, conor+dt,
	Frank.Li, s.hauer, kernel, festevam, amitkumar.karwar,
	neeraj.sanjaykale, marcel, luiz.dentz, hongxing.zhu, l.stach,
	lpieralisi, kwilczynski, mani, bhelgaas, brgl
In-Reply-To: <20260623030736.1421537-4-sherry.sun@oss.nxp.com>

On Tue, 23 Jun 2026 05:07:30 +0200, "Sherry Sun (OSS)"
<sherry.sun@oss.nxp.com> said:
> From: Sherry Sun <sherry.sun@nxp.com>
>
> Power supply to the M.2 Bluetooth device attached to the host using M.2
> connector is controlled using the 'uart' pwrseq device. So add support for
> getting the pwrseq device if the OF graph link is present. Once obtained,
> pwrseq_power_on() is called to power up the M.2 Bluetooth card. The power
> sequencer descriptor is obtained via devm_pwrseq_get(), so the power-off
> and cleanup are handled automatically when the device is unbound.
>
> Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
> ---

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

^ permalink raw reply

* Re: [PATCH v4 2/2] Bluetooth: btmtk: Add MT7928 support
From: Paul Menzel @ 2026-06-23  8:05 UTC (permalink / raw)
  To: Chris Lu
  Cc: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz, Sean Wang,
	Will Lee, SS Wu, Steve Lee, linux-bluetooth, linux-kernel,
	linux-mediatek
In-Reply-To: <20260623034121.691031-3-chris.lu@mediatek.com>

Dear Chris,


Thank you for your patch.

Am 23.06.26 um 05:41 schrieb Chris Lu:
> Add support for MT7928 (internal device ID is MT7935) which requires
> additional firmware (CBMCU firmware) loading before Bluetooth firmware.
> 
> CBMCU is a new component on MT7928 to handle common part shared across
> the combo chip (Wi-Fi/Bluetooth's subsystem), providing a better user
> experience through improved coordination between subsystems.
> 
> Implement two-phase CBMCU firmware download: Phase 1 loads section with
> type 0x5 containing global descriptor, section maps and signature data;
> Phase 2 loads remaining firmware sections. Add retry mechanism for
> concurrent download protection.
> 
> After CBMCU firmware loads successfully, the driver continues to load
> corresponding BT firmware based on device ID through fallthrough to
> case 0x7922/0x7925.
> 
> The firmware(CBMCU_CODE_MT7935_1_1.bin/BT_RAM_CODE_MT7935_1_1_hdr.bin)
> required for MT7928 will be scheduled for upload to linux-firmware at
> a later stage.
> 
> MT7928 bringup kernel log:

bring-up

> [  475.742336] usb 1-3: New USB device found, idVendor=0e8d, idProduct=7935, bcdDevice= 1.00
> [  475.742399] usb 1-3: New USB device strings: Mfr=5, Product=6, SerialNumber=7
> [  475.742436] usb 1-3: Product: Wireless_Device
> [  475.742466] usb 1-3: Manufacturer: MediaTek Inc.
> [  475.742495] usb 1-3: SerialNumber: 000000000
> [  475.766697] Bluetooth: hci1: CBMCU Version: 0x00000000, Build Time: 20260601T161751+0800
> [  476.144693] Bluetooth: hci1: CBMCU firmware download completed
> [  476.190083] Bluetooth: hci1: HW/SW Version: 0x00000000, Build Time: 20260527000816

Can we improve these logs to include the device name and to have one 
line (or two lines) less?

     Bluetooth: MT7928: CBMCU firmware <name> (version: 0x<short>, build time: 20260601T161751+0800) update complete
     Bluetooth: MT7928: device firmware updated to <name>

The second line is unrelated to this change.

> [  479.073470] Bluetooth: hci1: Device setup in 3238661 usecs
> [  479.073489] Bluetooth: hci1: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
> [  479.177477] Bluetooth: hci1: AOSP extensions version v2.00
> [  479.177506] Bluetooth: hci1: AOSP quality report is supported
> [  479.178814] Bluetooth: MGMT ver 1.23
> 
> Signed-off-by: Chris Lu <chris.lu@mediatek.com>
> ---
>   drivers/bluetooth/btmtk.c | 352 +++++++++++++++++++++++++++++++++++++-
>   drivers/bluetooth/btmtk.h |   3 +
>   2 files changed, 354 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index 21c08ee1cdbf..dcbd431cc364 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -21,6 +21,12 @@
>   #define MTK_FW_ROM_PATCH_SEC_MAP_SIZE	64
>   #define MTK_SEC_MAP_COMMON_SIZE	12
>   #define MTK_SEC_MAP_NEED_SEND_SIZE	52
> +#define MTK_SEC_MAP_LENGTH_SIZE	4
> +#define MTK_SEC_CBMCU_DESC	0x5
> +
> +/* CBMCU WMT command flags */
> +#define BTMTK_CBMCU_FLAG_QUERY_STATUS	0xF0
> +#define BTMTK_CBMCU_FLAG_ENABLE_PATCH	0xF1
>   
>   /* It is for mt79xx iso data transmission setting */
>   #define MTK_ISO_THRESHOLD	264
> @@ -120,6 +126,11 @@ void btmtk_fw_get_filename(char *buf, size_t size, u32 dev_id, u32 fw_ver,
>   		snprintf(buf, size,
>   			 "mediatek/mt%04x/BT_RAM_CODE_MT%04x_1_%x_hdr.bin",
>   			 dev_id & 0xffff, dev_id & 0xffff, (fw_ver & 0xff) + 1);
> +	/* MT7928 */
> +	else if (dev_id == 0x7935)
> +		snprintf(buf, size,
> +			 "mediatek/mt7928/BT_RAM_CODE_MT%04x_1_1_hdr.bin",
> +			 dev_id & 0xffff);
>   	else if (dev_id == 0x7961 && fw_flavor)
>   		snprintf(buf, size,
>   			 "mediatek/BT_RAM_CODE_MT%04x_1a_%x_hdr.bin",
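
Review bot: The new dev_id == 0x7935 branch hard-codes the _1_1 suffix in the firmware name, whereas the branch directly above derives it from (fw_ver & 0xff) + 1. If MT7928 firmware revisions are expected, fw_ver should be used here as well; if not, the comment should say why the suffix is fixed. The /* MT7928 */ comment also sits between the preceding snprintf() and the else if, where it reads as belonging to the previous branch; move it inside the new branch.
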
> @@ -734,6 +745,7 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
>   			status = BTMTK_WMT_ON_UNDONE;
>   		break;
>   	case BTMTK_WMT_PATCH_DWNLD:
> +	case BTMTK_WMT_CBMCU_DWNLD:
>   		if (wmt_evt->whdr.flag == 2)
>   			status = BTMTK_WMT_PATCH_DONE;
>   		else if (wmt_evt->whdr.flag == 1)
> @@ -870,6 +882,333 @@ static u32 btmtk_usb_reset_done(struct hci_dev *hdev)
>   	return val & MTK_BT_RST_DONE;
>   }
>   
> +static int btmtk_cbmcu_patch_status(struct hci_dev *hdev,
> +				    wmt_cmd_sync_func_t wmt_cmd_sync,
> +				    u8 *patch_status)
> +{
> +	struct btmtk_hci_wmt_params wmt_params;
> +	int status, err, retry = 20;
> +
> +	do {
> +		wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> +		wmt_params.flag = BTMTK_CBMCU_FLAG_QUERY_STATUS;
> +		wmt_params.dlen = 0;
> +		wmt_params.data = NULL;
> +		wmt_params.status = &status;
> +
> +		err = wmt_cmd_sync(hdev, &wmt_params);
> +		if (err < 0) {
> +			bt_dev_err(hdev, "Failed to query CBMCU patch status (%d)", err);
> +			return err;
> +		}
> +
> +		*patch_status = (u8)status;
> +
> +		if (*patch_status == BTMTK_WMT_PATCH_PROGRESS) {
> +			msleep(100);
> +			retry--;
> +		} else {
> +			break;
> +		}
> +	} while (retry > 0);
> +
> +	return 0;
> +}
> +
> +static int btmtk_query_cbmcu_section(struct hci_dev *hdev,
> +				     wmt_cmd_sync_func_t wmt_cmd_sync,
> +				     u8 cbmcu_type,
> +				     const u8 *section_map,
> +				     u32 cert_len)
> +{
> +	struct btmtk_hci_wmt_params wmt_params;
> +	u8 cmd[64];
> +	int status, err;
> +
> +	cmd[0] = 0;
> +	cmd[1] = cbmcu_type;
> +
> +	if (cbmcu_type == 0)
> +		put_unaligned_le32(cert_len, &cmd[2]);
> +	else
> +		memcpy(&cmd[2], section_map, MTK_SEC_MAP_NEED_SEND_SIZE);
> +
> +	wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> +	wmt_params.flag = 0;
> +	wmt_params.dlen = cbmcu_type ?
> +		MTK_SEC_MAP_NEED_SEND_SIZE + 2 :
> +		MTK_SEC_MAP_LENGTH_SIZE + 2;
> +	wmt_params.data = cmd;
> +	wmt_params.status = &status;
> +
> +	err = wmt_cmd_sync(hdev, &wmt_params);
> +	if (err < 0) {
> +		bt_dev_err(hdev, "Failed to query CBMCU section (%d)", err);
> +		return err;
> +	}
> +
> +	/* Query should return UNDONE status for successful section query */
> +	if (status != BTMTK_WMT_PATCH_UNDONE) {
> +		bt_dev_err(hdev, "CBMCU section query status error (%d)", status);
> +		return -EIO;
> +	}
> +
> +	return 0;
> +}
> +
> +static int btmtk_download_cbmcu_section(struct hci_dev *hdev,
> +					wmt_cmd_sync_func_t wmt_cmd_sync,
> +					const u8 *fw_data,
> +					u32 dl_size)
> +{
> +	struct btmtk_hci_wmt_params wmt_params;
> +	u32 sent_len, total_size = dl_size;
> +	int err;
> +
> +	wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> +	wmt_params.status = NULL;
> +
> +	while (dl_size > 0) {
> +		sent_len = min_t(u32, 250, dl_size);
> +
> +		if (dl_size == total_size)
> +			wmt_params.flag = BTMTK_WMT_PKT_START;
> +		else if (dl_size == sent_len)
> +			wmt_params.flag = BTMTK_WMT_PKT_END;
> +		else
> +			wmt_params.flag = BTMTK_WMT_PKT_CONTINUE;
> +
> +		wmt_params.dlen = sent_len;
> +		wmt_params.data = fw_data;
> +
> +		err = wmt_cmd_sync(hdev, &wmt_params);
> +		if (err < 0) {
> +			bt_dev_err(hdev, "Failed to send CBMCU section data (%d)", err);
> +			return err;
> +		}
> +
> +		dl_size -= sent_len;
> +		fw_data += sent_len;
> +	}
> +
> +	return 0;
> +}
> +
> +static int btmtk_enable_cbmcu_patch(struct hci_dev *hdev,
> +				    wmt_cmd_sync_func_t wmt_cmd_sync)
> +{
> +	struct btmtk_hci_wmt_params wmt_params;
> +	int err;
> +
> +	wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
> +	wmt_params.flag = BTMTK_CBMCU_FLAG_ENABLE_PATCH;
> +	wmt_params.dlen = 0;
> +	wmt_params.data = NULL;
> +	wmt_params.status = NULL;
> +
> +	err = wmt_cmd_sync(hdev, &wmt_params);
> +	if (err < 0) {
> +		bt_dev_err(hdev, "Failed to enable CBMCU patch (%d)", err);
> +		return err;
> +	}
> +
> +	return 0;
> +}
> +
> +static int btmtk_load_cbmcu_firmware(struct hci_dev *hdev,
> +				     const char *fwname,
> +				     wmt_cmd_sync_func_t wmt_cmd_sync)
> +{
> +	struct btmtk_patch_header *hdr;
> +	struct btmtk_global_desc *globaldesc;
> +	struct btmtk_section_map *sectionmap;
> +	const struct firmware *fw;
> +	const u8 *fw_ptr;
> +	u8 *cert_buf = NULL;
> +	u32 section_num, section_offset, dl_size, cert_len;
> +	int i, err;
> +
> +	err = request_firmware(&fw, fwname, &hdev->dev);
> +	if (err < 0) {
> +		bt_dev_err(hdev, "Failed to load CBMCU firmware file %s (%d)",
> +			   fwname, err);
> +		return err;
> +	}
> +
> +	if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE) {
> +		bt_dev_err(hdev, "CBMCU firmware too small: size=%zu, min=%u",
> +			   fw->size,
> +			   MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE);
> +		err = -EINVAL;
> +		goto err_release_fw;
> +	}
> +
> +	fw_ptr = fw->data;
> +	hdr = (struct btmtk_patch_header *)fw_ptr;
> +	globaldesc = (struct btmtk_global_desc *)(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE);
> +	section_num = le32_to_cpu(globaldesc->section_num);
> +
> +	if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE +
> +		       (size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num) {
> +		bt_dev_err(hdev, "CBMCU firmware truncated: size=%zu, expected=%zu (section_num=%u)",
> +			   fw->size,
> +			   MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE +
> +			   (size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num,
> +			   section_num);
> +		err = -EINVAL;
> +		goto err_release_fw;
> +	}
> +
> +	bt_dev_info(hdev, "CBMCU Version: 0x%04x%04x, Build Time: %s",
> +		    le16_to_cpu(hdr->hwver), le16_to_cpu(hdr->swver), hdr->datetime);
> +
> +	/* Phase 1: Download section type MTK_SEC_CBMCU_DESC */
> +	for (i = 0; i < section_num; i++) {
> +		sectionmap = (struct btmtk_section_map *)
> +			(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
> +			 MTK_FW_ROM_PATCH_GD_SIZE +
> +			 MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
> +
> +		/* Only process MTK_SEC_CBMCU_DESC section in Phase 1 */
> +		if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) != MTK_SEC_CBMCU_DESC)
> +			continue;
> +
> +		section_offset = le32_to_cpu(sectionmap->secoffset);
> +		dl_size = le32_to_cpu(sectionmap->secsize);
> +
> +		if (dl_size == 0)
> +			continue;
> +
> +		if (section_offset > fw->size ||
> +		    dl_size > fw->size - section_offset) {
> +			bt_dev_err(hdev, "CBMCU Phase 1 section out of bounds");
> +			err = -EINVAL;
> +			goto err_release_fw;
> +		}
> +
> +		cert_len = MTK_FW_ROM_PATCH_GD_SIZE +
> +			   MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num +
> +			   dl_size;
> +
> +		/* Query cbmcu section */
> +		err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync, 0, NULL,
> +						cert_len);
> +		if (err < 0)
> +			goto err_release_fw;
> +
> +		cert_buf = kmalloc(cert_len, GFP_KERNEL);
> +		if (!cert_buf) {
> +			err = -ENOMEM;
> +			goto err_release_fw;
> +		}
> +
> +		/* Copy Global Descriptor + All Section Maps */
> +		memcpy(cert_buf,
> +		       fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE,
> +		       MTK_FW_ROM_PATCH_GD_SIZE + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num);
> +
> +		/* Copy Phase 1 section data */
> +		memcpy(cert_buf + MTK_FW_ROM_PATCH_GD_SIZE +
> +		       MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num,
> +		       fw_ptr + section_offset,
> +		       dl_size);
> +
> +		/* Download Phase 1 section */
> +		err = btmtk_download_cbmcu_section(hdev, wmt_cmd_sync,
> +						   cert_buf, cert_len);
> +		kfree(cert_buf);
> +		cert_buf = NULL;
> +
> +		if (err < 0) {
> +			bt_dev_err(hdev, "Failed to download CBMCU Phase 1 section (%d)", err);
> +			goto err_release_fw;
> +		}
> +
> +		break;
> +	}
> +
> +	/* Phase 2: Download other sections (type != MTK_SEC_CBMCU_DESC) */
> +	for (i = 0; i < section_num; i++) {
> +		sectionmap = (struct btmtk_section_map *)
> +			(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
> +			 MTK_FW_ROM_PATCH_GD_SIZE +
> +			 MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
> +
> +		/* Skip MTK_SEC_CBMCU_DESC section in Phase 2 */
> +		if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) == MTK_SEC_CBMCU_DESC)
> +			continue;
> +
> +		section_offset = le32_to_cpu(sectionmap->secoffset);
> +		dl_size = le32_to_cpu(sectionmap->bin_info_spec.dlsize);
> +
> +		if (dl_size == 0)
> +			continue;
> +
> +		if (section_offset > fw->size ||
> +		    dl_size > fw->size - section_offset) {
> +			bt_dev_err(hdev, "CBMCU Phase 2 section %d out of bounds", i);
> +			err = -EINVAL;
> +			goto err_release_fw;
> +		}
> +
> +		/* Query cbmcu section */
> +		err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync, 1,
> +						(u8 *)&sectionmap->bin_info_spec,
> +						0);
> +		if (err < 0)
> +			goto err_release_fw;
> +
> +		/* Download section data */
> +		err = btmtk_download_cbmcu_section(hdev, wmt_cmd_sync,
> +						   fw_ptr + section_offset,
> +						   dl_size);
> +		if (err < 0) {
> +			bt_dev_err(hdev, "Failed to download CBMCU section %d (%d)", i, err);
> +			goto err_release_fw;
> +		}
> +	}
> +
> +	bt_dev_info(hdev, "CBMCU firmware download completed");
> +
> +err_release_fw:
> +	release_firmware(fw);
> +	return err;
> +}
> +
> +static int btmtk_setup_cbmcu_firmware(struct hci_dev *hdev,
> +				      wmt_cmd_sync_func_t wmt_cmd_sync,
> +				      u32 dev_id)
> +{
> +	char cbmcu_fwname[64];
> +	u8 patch_status;
> +	int err;
> +
> +	err = btmtk_cbmcu_patch_status(hdev, wmt_cmd_sync, &patch_status);
> +	if (err < 0)
> +		return err;
> +
> +	bt_dev_dbg(hdev, "CBMCU patch status: 0x%02x", patch_status);
> +
> +	if (patch_status != BTMTK_WMT_PATCH_UNDONE)
> +		return 0;
> +
> +	snprintf(cbmcu_fwname, sizeof(cbmcu_fwname),
> +		 "mediatek/mt7928/CBMCU_CODE_MT%04x_1_1.bin",
> +		 dev_id & 0xffff);
> +
> +	err = btmtk_load_cbmcu_firmware(hdev, cbmcu_fwname, wmt_cmd_sync);
> +	if (err < 0) {
> +		bt_dev_err(hdev, "Failed to download CBMCU firmware (%d)", err);
> +		return err;
> +	}
> +
> +	err = btmtk_enable_cbmcu_patch(hdev, wmt_cmd_sync);
> +	if (err < 0)
> +		return err;
> +
> +	return 0;
> +}
> +
>   int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
>   {
>   	u32 val;
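Review bot: btmtk_cbmcu_patch_status() returns 0 when its 20 retries run out with the status still BTMTK_WMT_PATCH_PROGRESS, and btmtk_setup_cbmcu_firmware() then takes its `patch_status != BTMTK_WMT_PATCH_UNDONE` early return, so a timed-out query is handled like an already-applied patch and setup carries on to the BT firmware. Return -ETIMEDOUT after the loop when the status is still PROGRESS. Separately, the truncation check in btmtk_load_cbmcu_firmware() computes `(size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num`, which can wrap where size_t is 32 bits; a large section_num read from the file would then pass the check and both loops would form section map pointers past the end of fw->data. Comparing section_num against `(fw->size - MTK_FW_ROM_PATCH_HEADER_SIZE - MTK_FW_ROM_PATCH_GD_SIZE) / MTK_FW_ROM_PATCH_SEC_MAP_SIZE` avoids the multiplication. The loop counters are also `int i` compared against the u32 section_num; an unsigned counter would match.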
> @@ -894,7 +1233,7 @@ int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
>   		if (err < 0)
>   			return err;
>   		msleep(100);
> -	} else if (dev_id == 0x7925 || dev_id == 0x6639) {
> +	} else if (dev_id == 0x7925 || dev_id == 0x6639 || dev_id == 0x7935) {
>   		err = btmtk_usb_uhw_reg_read(hdev, MTK_BT_RESET_REG_CONNV3, &val);
>   		if (err < 0)
>   			return err;
> @@ -1379,6 +1718,15 @@ int btmtk_usb_setup(struct hci_dev *hdev)
>   	case 0x7668:
>   		fwname = FIRMWARE_MT7668;
>   		break;
> +	case 0x7935:
> +		/* Requires CBMCU firmware before BT firmware */
> +		err = btmtk_setup_cbmcu_firmware(hdev, btmtk_usb_hci_wmt_sync,
> +						 dev_id);
> +		if (err < 0) {
> +			bt_dev_err(hdev, "Failed to set up CBMCU firmware (%d)", err);
> +			return err;
> +		}
> +		fallthrough;
>   	case 0x7922:
>   	case 0x7925:
>   		/*
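Review bot: the bt_dev_err() in the new `case 0x7935` error path repeats what the helpers already report. btmtk_load_cbmcu_firmware() and btmtk_setup_cbmcu_firmware() each log before returning, so a single download failure can produce three error lines. Drop the message here, or drop the one in btmtk_setup_cbmcu_firmware(), and keep the one closest to the cause.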
> @@ -1596,3 +1944,5 @@ MODULE_FIRMWARE(FIRMWARE_MT7922);
>   MODULE_FIRMWARE(FIRMWARE_MT7961);
>   MODULE_FIRMWARE(FIRMWARE_MT7925);
>   MODULE_FIRMWARE(FIRMWARE_MT7927);
> +MODULE_FIRMWARE(FIRMWARE_MT7928);
> +MODULE_FIRMWARE(FIRMWARE_MT7928_CBMCU);
> diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
> index 51c18dde0a80..5fe4964b031b 100644
> --- a/drivers/bluetooth/btmtk.h
> +++ b/drivers/bluetooth/btmtk.h
> @@ -9,6 +9,8 @@
>   #define FIRMWARE_MT7961		"mediatek/BT_RAM_CODE_MT7961_1_2_hdr.bin"
>   #define FIRMWARE_MT7925		"mediatek/mt7925/BT_RAM_CODE_MT7925_1_1_hdr.bin"
>   #define FIRMWARE_MT7927		"mediatek/mt7927/BT_RAM_CODE_MT6639_2_1_hdr.bin"
> +#define FIRMWARE_MT7928		"mediatek/mt7928/BT_RAM_CODE_MT7935_1_1_hdr.bin"
> +#define FIRMWARE_MT7928_CBMCU	"mediatek/mt7928/CBMCU_CODE_MT7935_1_1.bin"
>   
>   #define HCI_EV_WMT 0xe4
>   #define HCI_WMT_MAX_EVENT_SIZE		64
> @@ -54,6 +56,7 @@ enum {
>   	BTMTK_WMT_RST = 0x7,
>   	BTMTK_WMT_REGISTER = 0x8,
>   	BTMTK_WMT_SEMAPHORE = 0x17,
> +	BTMTK_WMT_CBMCU_DWNLD = 0x58,
>   };
>   
>   enum {

gemini/gemini-3.1-pro-preview commented on three things [1].


Kind regards,

Paul


[1]: 
https://sashiko.dev/#/message/20260623034121.691031-3-chris.lu%40mediatek.com


* Re: [PATCH v4 1/2] Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum
From: Paul Menzel @ 2026-06-23  7:13 UTC (permalink / raw)
  To: Chris Lu
  Cc: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz, Sean Wang,
	Will Lee, SS Wu, Steve Lee, linux-bluetooth, linux-kernel,
	linux-mediatek
In-Reply-To: <20260623034121.691031-2-chris.lu@mediatek.com>

Dear Chris,


Thank you for the patch.

On 23.06.26 at 05:41, Chris Lu wrote:
> Add BTMTK_WMT_PKT_* enum to represent WMT download packet sequence flags,
> improving code readability. Replace magic numbers (1, 2, 3) in
> btmtk_setup_firmware_79xx() with descriptive enum values:
> 
> - BTMTK_WMT_PKT_START (1): First packet of a sequence
> - BTMTK_WMT_PKT_CONTINUE (2): Continuation packet
> - BTMTK_WMT_PKT_END (3): Final packet of a sequence
> 
> Signed-off-by: Chris Lu <chris.lu@mediatek.com>
> ---
>   drivers/bluetooth/btmtk.c | 6 +++---
>   drivers/bluetooth/btmtk.h | 6 ++++++
>   2 files changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index 02a96342e964..21c08ee1cdbf 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -230,12 +230,12 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
>   			while (dl_size > 0) {
>   				dlen = min_t(int, 250, dl_size);
>   				if (first_block == 1) {
> -					flag = 1;
> +					flag = BTMTK_WMT_PKT_START;
>   					first_block = 0;
>   				} else if (dl_size - dlen <= 0) {
> -					flag = 3;
> +					flag = BTMTK_WMT_PKT_END;
>   				} else {
> -					flag = 2;
> +					flag = BTMTK_WMT_PKT_CONTINUE;
>   				}
>   
>   				wmt_params.flag = flag;
> diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
> index c83c24897c95..51c18dde0a80 100644
> --- a/drivers/bluetooth/btmtk.h
> +++ b/drivers/bluetooth/btmtk.h
> @@ -66,6 +66,12 @@ enum {
>   	BTMTK_WMT_ON_PROGRESS,
>   };
>   
> +enum {
> +	BTMTK_WMT_PKT_START = 1,
> +	BTMTK_WMT_PKT_CONTINUE = 2,
> +	BTMTK_WMT_PKT_END = 3,
> +};
> +
>   struct btmtk_wmt_hdr {
>   	u8	dir;
>   	u8	op;
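Review bot: the new anonymous enum in btmtk.h has no comment, so the per-value meanings given in the commit message (first, continuation and final packet of a sequence) are not recorded in the code. A short comment above the enum saying that these are the values written to `wmt_params.flag` during firmware download would keep that information next to the definitions.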

Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>


Kind regards,

Paul
