{
  "log": [
    {
      "commit": "559cab24b04e1daf8c3ca274005ba6d05908ce3a",
      "tree": "f923dc6af35bb6f29a13125796dd3b32e06c41a8",
      "parents": [
        "850685a031e1429131e7111b82a86e86b46164dd"
      ],
      "author": {
        "name": "Xiuzhuo Shang",
        "email": "xiuzhuo.shang@oss.qualcomm.com",
        "time": "Wed Jun 10 14:42:32 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 10 11:26:18 2026 -0400"
      },
      "message": "Bluetooth: qca: Add BT FW build version to kernel log\n\nFirmware version is critical for bug triage. Users reporting issues\ntypically share dmesg output rather than debugfs contents, requiring\nextra communication rounds to collect this information. Log the FW\nbuild version directly to the kernel log so it is immediately\navailable in bug reports.\n\nAcked-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nSigned-off-by: Xiuzhuo Shang \u003cxiuzhuo.shang@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "850685a031e1429131e7111b82a86e86b46164dd",
      "tree": "7d4256b88b120495b87f65883ac207fc67002bde",
      "parents": [
        "801f756504d1bbddb25fbc810fcf326b1184c381"
      ],
      "author": {
        "name": "Samuel Moelius",
        "email": "sam.moelius@trailofbits.com",
        "time": "Mon Jun 08 23:58:23 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 10 11:25:59 2026 -0400"
      },
      "message": "Bluetooth: vhci: validate devcoredump state before side effects\n\nThe VHCI force_devcoredump debugfs hook accepts a small test record from\nuserspace. It validates the requested terminal state only after\nregistering, initializing and appending a Bluetooth devcoredump.\n\nAs a result, an invalid state returns -EINVAL but still leaves queued\ndevcoredump work behind. With a non-zero timeout field, the rejected\nwrite can still emit a devcoredump after the timeout expires.\n\nReject unsupported states before allocating the skb or changing the HCI\ndevcoredump state machine.\n\nFixes: ab4e4380d4e1 (\"Bluetooth: Add vhci devcoredump support\")\nAssisted-by: Codex:gpt-5.5-cyber-preview\nSigned-off-by: Samuel Moelius \u003csam.moelius@trailofbits.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "801f756504d1bbddb25fbc810fcf326b1184c381",
      "tree": "051d3b417a23aab2c3b8632c270b7afe480f8f24",
      "parents": [
        "246dc2ed724b43f82854fb0131ad94a253870a35"
      ],
      "author": {
        "name": "Samuel Moelius",
        "email": "sam.moelius@trailofbits.com",
        "time": "Mon Jun 08 23:57:05 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 10 11:25:38 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: validate connectionless PSM length\n\nConnectionless L2CAP frames carry a two-byte PSM at the start of the\npayload.  l2cap_recv_frame() currently reads that PSM unconditionally\nafter validating only the outer L2CAP length.\n\nA malformed connectionless frame with a zero- or one-byte payload can\ntherefore make the parser read beyond the advertised skb payload and use\ntailroom bytes as part of the PSM.  A VHCI-backed QEMU reproducer\ninjected a one-byte connectionless payload and reached the unchecked\nread.\n\nReject connectionless frames that cannot contain the PSM before reading\nor pulling it.  This preserves all valid connectionless frames while\ndropping only structurally incomplete packets.\n\nAssisted-by: Codex:gpt-5.5-cyber-preview\nSigned-off-by: Samuel Moelius \u003csam.moelius@trailofbits.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "246dc2ed724b43f82854fb0131ad94a253870a35",
      "tree": "5c39aec87d181ab6a5c4b05ddaa2e2f736ea78bb",
      "parents": [
        "06528e2f5fc9339c01261866f237af7075f6fb60"
      ],
      "author": {
        "name": "Samuel Moelius",
        "email": "sam.moelius@trailofbits.com",
        "time": "Mon Jun 08 23:56:28 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 10 10:48:57 2026 -0400"
      },
      "message": "Bluetooth: hci: validate codec capability element length\n\nRead Local Codec Capabilities returns a sequence of capability elements.\nEach element starts with a one-byte length followed by that many payload\nbytes.\n\nhci_read_codec_capabilities() checks that the skb contains the length\nbyte, but then validates only caps-\u003elen against the remaining skb\nlength.  A malformed controller response with one remaining byte and\ncaps-\u003elen set to one passes that check even though the element needs two\nbytes.  The parser then records a two-byte capability and copies one\nbyte beyond the advertised response payload into the codec list.\n\nValidate the full element size, including the length byte, before adding\nit to the accumulated capability length.  This preserves all well-formed\ncapability elements and drops only truncated controller responses.\n\nFixes: 8961987f3f5f (\"Bluetooth: Enumerate local supported codec and cache details\")\nAssisted-by: Codex:gpt-5.5-cyber-preview\nSigned-off-by: Samuel Moelius \u003csam.moelius@trailofbits.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "06528e2f5fc9339c01261866f237af7075f6fb60",
      "tree": "bcb16ff663409aaf920104a84cd796f8c41dd176",
      "parents": [
        "e5ea095d9bd1f3cf78d56f780d0f278f77663373"
      ],
      "author": {
        "name": "Marco Elver",
        "email": "elver@google.com",
        "time": "Fri Jun 05 16:23:35 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue Jun 09 15:26:55 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: Fix UAF in channel timeout by holding conn ref\n\nl2cap_chan_timeout() runs asynchronously and accesses chan-\u003econn. If\nthe connection is torn down while the timer is running or pending,\nchan-\u003econn can be freed, leading to a use-after-free when the timer\nworker attempts to lock conn-\u003elock:\n\n| BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]\n| BUG: KASAN: slab-use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]\n| BUG: KASAN: slab-use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]\n| BUG: KASAN: slab-use-after-free in mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318\n| Write of size 8 at addr ffff8881298d9550 by task kworker/2:1/83\n|\n| CPU: 2 UID: 0 PID: 83 Comm: kworker/2:1 Not tainted 7.1.0-rc6-next-20260601-dirty #6 PREEMPT(full)\n| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n| Workqueue: events l2cap_chan_timeout\n| Call Trace:\n|  \u003cTASK\u003e\n|  instrument_atomic_read_write include/linux/instrumented.h:112 [inline]\n|  atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:4456 [inline]\n|  __mutex_trylock_fast kernel/locking/mutex.c:161 [inline]\n|  mutex_lock+0x4f/0xa0 kernel/locking/mutex.c:318\n|  l2cap_chan_timeout+0x5d/0x1b0 net/bluetooth/l2cap_core.c:422\n|  process_one_work kernel/workqueue.c:3326 [inline]\n|  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409\n|  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490\n|  kthread+0x346/0x430 kernel/kthread.c:436\n|  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158\n|  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n|  \u003c/TASK\u003e\n|\n| Allocated by task 320:\n|  l2cap_conn_add+0xa7/0x820 net/bluetooth/l2cap_core.c:7075\n|  l2cap_connect_cfm+0xdb/0xd70 net/bluetooth/l2cap_core.c:7452\n|  hci_connect_cfm 
include/net/bluetooth/hci_core.h:2139 [inline]\n|  hci_remote_features_evt+0x52f/0x9f0 net/bluetooth/hci_event.c:3760\n|  hci_event_func net/bluetooth/hci_event.c:7796 [inline]\n|  hci_event_packet+0x561/0xa70 net/bluetooth/hci_event.c:7847\n|  hci_rx_work+0x370/0x890 net/bluetooth/hci_core.c:4040\n|  process_one_work kernel/workqueue.c:3326 [inline]\n|  process_scheduled_works+0x7c8/0xfb0 kernel/workqueue.c:3409\n|  worker_thread+0x8a9/0xcf0 kernel/workqueue.c:3490\n|  kthread+0x346/0x430 kernel/kthread.c:436\n|  ret_from_fork+0x1a3/0x470 arch/x86/kernel/process.c:158\n|  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n|\n| Freed by task 322:\n|  hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]\n|  hci_conn_hash_flush+0x101/0x1f0 net/bluetooth/hci_conn.c:2736\n|  hci_dev_close_sync+0x889/0xde0 net/bluetooth/hci_sync.c:5405\n|  hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]\n|  hci_unregister_dev+0x1f7/0x370 net/bluetooth/hci_core.c:2679\n|  vhci_release+0x12a/0x180 drivers/bluetooth/hci_vhci.c:690\n|  __fput+0x369/0x890 fs/file_table.c:510\n|  task_work_run+0x160/0x1d0 kernel/task_work.c:233\n|  get_signal+0xf5b/0x1120 kernel/signal.c:2810\n|  arch_do_signal_or_restart+0x4d/0x600 arch/x86/kernel/signal.c:337\n|  __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]\n|  exit_to_user_mode_loop+0x85/0x510 kernel/entry/common.c:98\n|  do_syscall_64+0x263/0x3d0 arch/x86/entry/syscall_64.c:100\n|  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n|\n| The buggy address belongs to the object at ffff8881298d9400\n|  which belongs to the cache kmalloc-512 of size 512\n| The buggy address is located 336 bytes inside of\n|  freed 512-byte region [ffff8881298d9400, ffff8881298d9600)\n\nFix it by having chan-\u003econn hold a reference to l2cap_conn (via\nl2cap_conn_get) when the channel is added to the connection, and\nreleasing it in the channel destructor. 
This ensures the l2cap_conn\nremains alive as long as the channel exists.\n\nA new FLAG_DEL channel flag is introduced to indicate that the channel\nhas been deleted from its connection. l2cap_chan_del() atomically sets\nthis flag using test_and_set_bit() instead of setting chan-\u003econn to\nNULL. All asynchronous workers (l2cap_chan_timeout, l2cap_ack_timeout,\nl2cap_monitor_timeout, l2cap_retrans_timeout) and l2cap_chan_send()\ncheck FLAG_DEL to determine whether the channel has been torn down,\nrather than testing chan-\u003econn for NULL.\n\nFixes: 75780ca4c6a8 (\"Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\")\nCc: \u003cstable@vger.kernel.org\u003e\nCc: Siwei Zhang \u003coss@fourdim.xyz\u003e\nCc: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nAssisted-by: Gemini:gemini-3.1-pro-preview\nReported-by: https://sashiko.dev/#/patchset/20260521021249.3258069-1-oss%40fourdim.xyz\nSigned-off-by: Marco Elver \u003celver@google.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "e5ea095d9bd1f3cf78d56f780d0f278f77663373",
      "tree": "f906bb0d5ab4355ac192b5341a8a55d58f84279c",
      "parents": [
        "202af099928b26959a5e93d61dff9aacea21af40"
      ],
      "author": {
        "name": "Sai Teja Aluvala",
        "email": "aluvala.sai.teja@intel.com",
        "time": "Sun Jun 07 11:51:17 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue Jun 09 12:27:45 2026 -0400"
      },
      "message": "Bluetooth: btintel_pcie: Load IOSF debug regs by controller variant\n\nLoad the IOSF DBGC base address based on the controller hardware\nvariant when reading DRAM buffers during a trace dump. Scorpius\nPeak family controllers (SCP/SCP2/SCP2F) use a different DBGC base\naddress (0xf0d5d500) than Blazar family controllers (BZRI/BZRIW,\n0xf3800300).\n\nFixes: 07e6bddb54b4 (\"Bluetooth: btintel_pcie: Add support for device coredump\")\nSigned-off-by: Sai Teja Aluvala \u003caluvala.sai.teja@intel.com\u003e\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "202af099928b26959a5e93d61dff9aacea21af40",
      "tree": "e40291179eeea87c49cb2dbb5be119d85697d0d1",
      "parents": [
        "ae283ad45b1d1a906b3b1701ce2c28716379f056"
      ],
      "author": {
        "name": "Kiran K",
        "email": "kiran.k@intel.com",
        "time": "Sat Jun 06 06:06:37 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue Jun 09 12:27:40 2026 -0400"
      },
      "message": "Bluetooth: btintel_pcie: Add 50 ms delay before MAC init on BlazarIW\n\nOn BlazarIW, fast restart cycles fail because the D0 entry to MAC\ninit does not complete in time. As a result, MAC initialization\ndoes not proceed and the controller fails to transition past the\nROM boot stage.\n\nAdd a 50 ms delay (worst case as per HW analysis) before doing MAC\ninit in btintel_pcie_enable_bt() so the shared hardware reset flow\nhas time to complete. The delay is gated on the BlazarIW PCI device\nid 0x4D76 so other Intel BT PCIe controllers are unaffected.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "ae283ad45b1d1a906b3b1701ce2c28716379f056",
      "tree": "d3d4a4f829ddb336e0cad86b08a09fcf9dee82d4",
      "parents": [
        "b08dac7cce620369c2c3b53231408fcc890751f2"
      ],
      "author": {
        "name": "Tim Bird",
        "email": "tim.bird@sony.com",
        "time": "Thu Jun 04 11:06:33 2026 -0600"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 15:21:24 2026 -0400"
      },
      "message": "Bluetooth: Add SPDX id lines to some source files\n\nMany bluetooth source files are missing SPDX-License-Identifier\nlines. Add appropriate IDs to these files, and remove other\nlicense lines from the headers.\n\nLeave the warranty disclaimer in files where the license ID is\nGPL-2.0 but the wording of the disclaimer is slightly different\nfrom that of the GPL v2 disclaimer.\n\nIt is not different enough to cause licensing conflicts, but is\nkept to honor the original contributors\u0027 legal intent.\n\nSigned-off-by: Tim Bird \u003ctim.bird@sony.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "b08dac7cce620369c2c3b53231408fcc890751f2",
      "tree": "f5c9e1a4b9b0c968f290ec4b3bcdc6134a2dfc33",
      "parents": [
        "745b685608ebeeec42391777862c3163ab9d557b"
      ],
      "author": {
        "name": "Kiran K",
        "email": "kiran.k@intel.com",
        "time": "Wed Jun 03 21:24:15 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:06 2026 -0400"
      },
      "message": "Bluetooth: btintel_pcie: Add support for smart trigger dump\n\nBased on the debug configuration, firmware can raise MSI-X interrupt with\nfirmware trigger cause bit set on specific events like Disconnection,\nConnection Timeout, Page Timeout etc.\n\nUpon receiving an MSI-X interrupt with the firmware trigger cause bit\nset, the driver performs the following actions:\n\n1. Reads Device Memory: Retrieves data from the device memory,\n   constructs an HCI diagnostic event, and sends it to the monitor. This\n   event includes details about the trigger, such as connection timeout or\n   page timeout.\n\n2. Dumps Device Coredump: Generates a coredump containing firmware\n   traces for further analysis.\n\nThe coredump can be retrieved using:\n\n  $ cat /sys/class/devcoredump/devcd*/data \u003e /tmp/btintel_coredump.bin\n\nHCI traces:\n\u003d Vendor Diagnostic (len 12)\n        a5 a5 a5 a5 01 03 00 23 00 01 00 00\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "745b685608ebeeec42391777862c3163ab9d557b",
      "tree": "4484904989bf034ead02f4bc0493edfcfe6b4e4b",
      "parents": [
        "e8b3e4c62d8deefe549e6914676f55491c1b7f59"
      ],
      "author": {
        "name": "Sergey Shtylyov",
        "email": "s.shtylyov@auroraos.dev",
        "time": "Mon Jun 01 23:21:30 2026 +0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: hci_h5: reset hci_uart::priv in the close() method\n\nUnlike the other HCI UART drivers, the 3-wire UART driver doesn\u0027t reset\nhci_uart::priv in its close() method -- this shouldn\u0027t pose a problem as\nall the methods in *struct* hci_uart_proto should only be called after the\nopen() method that sets up hci_uart::priv properly. However, it seems wise\nto be more consistent and provide for the *struct* hci_uart_proto methods\nthe same state that exists before the first open() method call (so that\nthey rather crash than dereference a stale hci_uart::priv pointer)...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.\n\nSigned-off-by: Sergey Shtylyov \u003cs.shtylyov@auroraos.dev\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "e8b3e4c62d8deefe549e6914676f55491c1b7f59",
      "tree": "27806af38e8257a3df2acfd106d433cac7acbdbb",
      "parents": [
        "4415cdce0ba46fd3dd60142c7eea59ea9ee7d510"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Thu Jun 04 08:37:40 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: btusb: clean up probe error handling\n\nClean up probe error handling by using dedicated error labels with an\n\"err\" prefix.\n\nNote that the endpoint lookup helper returns -ENXIO when endpoints are\nmissing which is functionally equivalent to returning -ENODEV.\n\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "4415cdce0ba46fd3dd60142c7eea59ea9ee7d510",
      "tree": "426d698168dd2d3d2890cc024c851e99952e4bb6",
      "parents": [
        "8c23d7dd662df7b0e2c20aaabb2f6b40ccf838e5"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Thu Jun 04 08:37:39 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: btusb: fix wakeup irq devres lifetime\n\nThe OOB wakeup interrupt is device managed but its lifetime is\nincorrectly tied to the child HCI device rather than the USB interface\nto which the driver is bound.\n\nThis should not cause any trouble currently as the interrupt will be\ndisabled when the HCI device is deregistered on disconnect (but this was\nnot always the case, see [1]), and there should be no further references\nif probe fails before registering it. But it is still technically wrong\nas the reference counted HCI device could in theory remain after a probe\nfailure.\n\nExplicitly free the interrupt on disconnect so that it is guaranteed to\nbe disabled before freeing the (non-managed) driver data (including if\ndisconnected while suspended).\n\n[1] 699fb50d9903 (\"drivers: base: Free devm resources when unregistering\n                   a device\")\n\nFixes: fd913ef7ce61 (\"Bluetooth: btusb: Add out-of-band wakeup support\")\nCc: Rajat Jain \u003crajatja@google.com\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "8c23d7dd662df7b0e2c20aaabb2f6b40ccf838e5",
      "tree": "233669ce7c78786d2efbbbb9c667c9589bbbcbac",
      "parents": [
        "71b6d1520ffe5b691598c14a98957125959991f1"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Thu Jun 04 08:37:38 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: btusb: fix wakeup source leak on probe failure\n\nMake sure to disable wakeup on probe failure to avoid leaking the wakeup\nsource.\n\nFixes: fd913ef7ce61 (\"Bluetooth: btusb: Add out-of-band wakeup support\")\nCc: stable@vger.kernel.org\t# 4.11\nCc: Rajat Jain \u003crajatja@google.com\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "71b6d1520ffe5b691598c14a98957125959991f1",
      "tree": "56e146d9f91c6e3e9da075246f839f499c6274c9",
      "parents": [
        "5cb8a65f22eda3d53a9141133c6bb88f71764df8"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Thu Jun 04 08:37:37 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: btusb: fix use-after-free on marvell probe failure\n\nMake sure to stop any TX URBs submitted during Marvell OOB wakeup\nconfiguration on later probe failures to avoid use-after-free in the\ncompletion callback.\n\nThis issue was reported by Sashiko while reviewing a fix for a wakeup\nsource leak in the btusb probe error paths.\n\nLink: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org\nFixes: a4ccc9e33d2f (\"Bluetooth: btusb: Configure Marvell to use one of the pins for oob wakeup\")\nCc: stable@vger.kernel.org\t# 4.11\nCc: Rajat Jain \u003crajatja@google.com\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "5cb8a65f22eda3d53a9141133c6bb88f71764df8",
      "tree": "9089bfdb978801e0e5a7c2da60134fe86b3936e8",
      "parents": [
        "c583e1de7ede5437de3cf238d9a4edd0eef38436"
      ],
      "author": {
        "name": "Johan Hovold",
        "email": "johan@kernel.org",
        "time": "Thu Jun 04 08:37:36 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: btusb: fix use-after-free on registration failure\n\nMake sure to release the sibling interfaces in case controller\nregistration fails to avoid use-after-free and double-free when they are\neventually disconnected.\n\nThis issue was reported by Sashiko while reviewing a fix for a wakeup\nsource leak in the btusb probe error paths.\n\nLink: https://sashiko.dev/#/patchset/20260402092704.2346710-1-johan%40kernel.org\nFixes: 9bfa35fe422c (\"[Bluetooth] Add SCO support to btusb driver\")\nFixes: 9d08f50401ac (\"Bluetooth: btusb: Add support for Broadcom LM_DIAG interface\")\nCc: stable@vger.kernel.org\t# 2.6.27\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "c583e1de7ede5437de3cf238d9a4edd0eef38436",
      "tree": "d98d6d6a3be00cdfba02730148c07d13bef4fd91",
      "parents": [
        "8d729cdaa27ea136103e18459b73d5b409ebd2ac"
      ],
      "author": {
        "name": "Zhao Dongdong",
        "email": "zhaodongdong@kylinos.cn",
        "time": "Thu Jun 04 19:46:40 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu Jun 04 11:30:05 2026 -0400"
      },
      "message": "Bluetooth: btmtk: fix URB leak in alloc_mtk_intr_urb error path\n\nWhen btmtk_isopkt_pad() fails, the previously allocated URB is not freed,\nleaking the urb structure. Add usb_free_urb() before returning the error.\n\nFixes: ceac1cb0259d (\"Bluetooth: btusb: mediatek: add ISO data transmission functions\")\nSigned-off-by: Zhao Dongdong \u003czhaodongdong@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "8d729cdaa27ea136103e18459b73d5b409ebd2ac",
      "tree": "40aa8e9ea6775da9dee6fcb2ff0f9cf545a56f8b",
      "parents": [
        "ad85ec7a145b7e2837c85f0508263d35903f8383"
      ],
      "author": {
        "name": "Jordan Walters",
        "email": "jaggyaur@gmail.com",
        "time": "Wed Jun 03 04:50:47 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 03 13:49:23 2026 -0400"
      },
      "message": "Bluetooth: hci_core: Fix UAF in hci_unregister_dev()\n\nhci_unregister_dev() does not disable cmd_timer and ncmd_timer\nbefore the hci_dev structure is freed. If a timeout fires\nduring device teardown, the callback dereferences freed memory\n(including the hdev-\u003ereset function pointer), leading to a\nuse-after-free.\n\nAdd disable_delayed_work_sync() calls alongside the existing\ndisable_work_sync() calls to ensure both timers are fully\nquiesced before teardown proceeds.\n\nFixes: 0d151a103775 (\"Bluetooth: hci_core: cancel all works upon hci_unregister_dev()\")\nSigned-off-by: Jordan Walters \u003cjaggyaur@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "ad85ec7a145b7e2837c85f0508263d35903f8383",
      "tree": "792eb6952d588a037a391144575a2add658aa295",
      "parents": [
        "83dc982fad52a76ce61f61560f09beaa2725dc0a"
      ],
      "author": {
        "name": "Jiajia Liu",
        "email": "liujiajia@kylinos.cn",
        "time": "Tue Jun 02 15:00:32 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 03 13:40:28 2026 -0400"
      },
      "message": "Bluetooth: hci_event: fix simultaneous discovery stuck in FINDING\n\nWhen hci_inquiry_complete_evt is called between le_scan_disable and\nle_set_scan_enable_complete and no remote name needs to be resolved,\nthe interleaved discovery with SIMULTANEOUS quirk gets stuck in\nDISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry\nstate. No one sets DISCOVERY_STOPPED in this process.\n\nAdd state check in le_set_scan_enable_complete and change state if\nthe state is DISCOVERY_FINDING. Tested with AX201 (8087:0026) in Dell\nVostro 13. Discovering disabled MGMT Event below is reported when\nrunning into the above condition.\n\n @ MGMT Command: Start Discovery (0x0023)    {0x0001} [hci0] 10885.970873\n         Address type: 0x07\n           BR/EDR\n           LE Public\n           LE Random\n ...\n \u003c HCI Command: LE Set Extended Scan Enable    #38205 [hci0] 10886.131438\n         Extended scan: Enabled (0x01)\n         Filter duplicates: Enabled (0x01)\n         Duration: 0 msec (0x0000)\n         Period: 0.00 sec (0x0000)\n \u003e HCI Event: Command Complete (0x0e) plen 4   #38206 [hci0] 10886.133295\n       LE Set Extended Scan Enable (0x08|0x0042) ncmd 2\n         Status: Success (0x00)\n @ MGMT Event: Discovering (0x0013) plen 2   {0x0001} [hci0] 10886.133414\n         Address type: 0x07\n           BR/EDR\n           LE Public\n           LE Random\n         Discovery: Enabled (0x01)\n \u003c HCI Command: Inquiry (0x01|0x0001) plen 5   #38207 [hci0] 10886.133528\n         Access code: 0x9e8b33 (General Inquiry)\n         Length: 10.24s (0x08)\n         Num responses: 0\n \u003e HCI Event: Command Status (0x0f) plen 4     #38208 [hci0] 10886.141333\n       Inquiry (0x01|0x0001) ncmd 2\n         Status: Success (0x00)\n ...\n \u003c HCI Command: LE Set Extended Scan Enable    #38242 [hci0] 10896.381802\n         Extended scan: Disabled (0x00)\n         Filter duplicates: Disabled (0x00)\n         Duration: 0 msec (0x0000)\n         
Period: 0.00 sec (0x0000)\n \u003e HCI Event: Inquiry Complete (0x01) plen 1   #38243 [hci0] 10896.383419\n         Status: Success (0x00)\n \u003e HCI Event: Command Complete (0x0e) plen 4   #38244 [hci0] 10896.394378\n       LE Set Extended Scan Enable (0x08|0x0042) ncmd 2\n         Status: Success (0x00)\n @ MGMT Event: Device Found (0x0012) plen 22 {0x0001} [hci0] 10896.394497\n         LE Address: 88:12:AC:92:43:69\n         RSSI: -101 dBm (0x9b)\n         Flags: 0x00000004\n           Not Connectable\n         Data length: 8\n         Company: Xiaomi Inc. (911)\n           Data[0]:\n         16-bit Service UUIDs (complete): 1 entry\n           Xiaomi Inc. (0xfdaa)\n @ MGMT Event: Discovering (0x0013) plen 2   {0x0001} [hci0] 10896.394506\n         Address type: 0x07\n           BR/EDR\n           LE Public\n           LE Random\n         Discovery: Disabled (0x00)\n\nFixes: 8ffde2a73f2c (\"Bluetooth: Convert le_scan_disable timeout to hci_sync\")\nSigned-off-by: Jiajia Liu \u003cliujiajia@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "83dc982fad52a76ce61f61560f09beaa2725dc0a",
      "tree": "7f8019782df6d99615e7bee7d5c33ea73f672d72",
      "parents": [
        "7e7dff125429546d721783b5836ab6cdf88a5713"
      ],
      "author": {
        "name": "Weiming Shi",
        "email": "bestswngs@gmail.com",
        "time": "Wed Jun 03 01:06:21 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 03 13:40:24 2026 -0400"
      },
      "message": "Bluetooth: eir: Fix stack OOB write when prepending the Flags AD\n\neir_create_adv_data() builds the advertising data into a fixed-size\nbuffer (\"size\", 31 for the legacy path). It may prepend a 3-byte \"Flags\"\nAD structure (LE_AD_NO_BREDR on an LE-only controller) and then copies\nthe per-instance data without checking that it still fits:\n\n\tmemcpy(ptr, adv-\u003eadv_data, adv-\u003eadv_data_len);\n\ntlv_data_max_len() only reserves those 3 bytes when the user-supplied\nflags carry a managed-flags bit, so an instance added with flags \u003d\u003d 0 is\naccepted with adv_data_len up to the full buffer. At advertise time the\nflags are still prepended, and the memcpy() writes 3 + adv_data_len\nbytes into the size-byte buffer:\n\n  BUG: KASAN: stack-out-of-bounds in eir_create_adv_data (net/bluetooth/eir.c:301)\n  Write of size 31 at addr ffff88800a547bdc by task kworker/u9:0/65\n  Workqueue: hci0 hci_cmd_sync_work\n   __asan_memcpy (mm/kasan/shadow.c:106)\n   eir_create_adv_data (net/bluetooth/eir.c:301)\n   hci_update_adv_data_sync (net/bluetooth/hci_sync.c:1310)\n   hci_schedule_adv_instance_sync (net/bluetooth/hci_sync.c:1817)\n   hci_cmd_sync_work (net/bluetooth/hci_sync.c:332)\n  This frame has 1 object:\n   [32, 64) \u0027cp\u0027\n\nThe \"Flags\" structure is added by the kernel, not requested by\nuserspace, so only prepend it when it fits together with the instance\nadvertising data; when there is no room for both, drop the flags rather\nthan the user-provided data.\n\nReachable by a local user with CAP_NET_ADMIN owning an LE-only\ncontroller on the legacy advertising path.\n\nFixes: b44133ff03be (\"Bluetooth: Support the \"discoverable\" adv flag\")\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nAssisted-by: Claude:claude-opus-4-8\nSigned-off-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nReported-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "7e7dff125429546d721783b5836ab6cdf88a5713",
      "tree": "382892da286d2ce408eea994c1de375519a7e85a",
      "parents": [
        "2475701517893b291f2c73356fa453e405685b32"
      ],
      "author": {
        "name": "Cris",
        "email": "cxs1494089474@gmail.com",
        "time": "Wed Jun 03 11:58:18 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 03 13:40:20 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add support for TP-Link TL-UB250\n\nAdd USB ID 2357:0607 for TP-Link TL-UB250.\n\nThis is a Realtek RTL8761BUV based Bluetooth adapter.\n\nWithout this entry the device is picked up by the generic Bluetooth USB\nclass match and exposes hci0, but the Realtek setup path is not used and\nrtl8761bu firmware/config are not loaded.\n\nThe controller reports Realtek Semiconductor Corporation as the\nmanufacturer and LMP subversion 0x8761. With this entry added, btusb\nloads rtl_bt/rtl8761bu_fw.bin and rtl_bt/rtl8761bu_config.bin\nsuccessfully.\n\nRelevant part of /sys/kernel/debug/usb/devices:\n\nT:  Bus\u003d01 Lev\u003d02 Prnt\u003d06 Port\u003d00 Cnt\u003d01 Dev#\u003d  9 Spd\u003d12   MxCh\u003d 0\nD:  Ver\u003d 1.10 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d2357 ProdID\u003d0607 Rev\u003d 2.00\nS:  Product\u003dTP-Link TL-UB250 Adapter\nC:* #Ifs\u003d 2 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d500mA\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n\nUse the same flags as the existing TP-Link 2357:0604 entry.\n\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Cris \u003ccxs1494089474@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "2475701517893b291f2c73356fa453e405685b32",
      "tree": "fa0da43c362ac3b817d7aacdd8d9c3c64689e4ee",
      "parents": [
        "4a17208f1b99cae817e68f5adf52689e3b39c8d6"
      ],
      "author": {
        "name": "Rong Zhang",
        "email": "i@rong.moe",
        "time": "Wed Jun 03 02:38:10 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed Jun 03 13:40:16 2026 -0400"
      },
      "message": "Bluetooth: btmtk: Disable remote wakeup for MT7922/MT7925\n\nThese NICs are often reported to lose their Bluetooth interfaces, i.e,\ntheir USB interfaces suddenly become completely unresponsive, causing\nthe USB core to reset them, only to find that they are no longer\naccessible. A power cycle is required to make the Bluetooth interfaces\nrecover.\n\nAfter some investigations, I found that their USB autosuspend remote\nwakeup capabilities are so broken that they are precisely the culprit\nbehind the issue:\n\n  [27452.608056] hub 3-0:1.0: state 7 ports 5 chg 0000 evt 0020\n  [27452.702018] usb 3-5: usb wakeup-resume\n  [27452.716038] usb 3-5: Waited 0ms for CONNECT\n  [27452.716642] usb 3-5: finish resume\n  /* usbmon showed that the device was completely unresponsive to any\n     URBs after the remote wakeup */\n  [27457.836030] usb 3-5: retry with reset-resume\n  [27457.956046] usb 3-5: reset high-speed USB device number 4 using xhci_hcd\n  [27463.332047] usb 3-5: device descriptor read/64, error -110\n  [27478.948117] usb 3-5: device descriptor read/64, error -110\n  [27479.172430] usb 3-5: reset high-speed USB device number 4 using xhci_hcd\n  [27484.332035] usb 3-5: device descriptor read/64, error -110\n  [27499.940039] usb 3-5: device descriptor read/64, error -110\n  [27500.164060] usb 3-5: reset high-speed USB device number 4 using xhci_hcd\n  [27505.196142] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27510.576045] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27510.784038] usb 3-5: device not accepting address 4, error -62\n  [27510.912215] usb 3-5: reset high-speed USB device number 4 using xhci_hcd\n  [27515.948307] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27521.324380] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27521.525107] usb 3-5: device not accepting address 4, error -62\n  [27521.525928] usb usb3-port5: 
logical disconnect\n  [27521.525996] usb 3-5: gone after usb resume? status -19\n  [27521.526230] usb 3-5: can\u0027t resume, status -19\n  [27521.526434] usb usb3-port5: logical disconnect\n  [27521.526469] usb usb3-port5: resume, status -19\n  [27521.526493] usb usb3-port5: status 0503, change 0004, 480 Mb/s\n  [27521.526528] usb 3-5: USB disconnect, device number 4\n  [27521.526736] usb 3-5: unregistering device\n  [27521.804029] usb 3-5: new high-speed USB device number 5 using xhci_hcd\n  [27527.076067] usb 3-5: device descriptor read/64, error -110\n  [27542.692027] usb 3-5: device descriptor read/64, error -110\n  [27542.916047] usb 3-5: new high-speed USB device number 6 using xhci_hcd\n  [27548.068043] usb 3-5: device descriptor read/64, error -110\n  [27563.684073] usb 3-5: device descriptor read/64, error -110\n  [27563.792133] usb usb3-port5: attempt power cycle\n  [27563.924381] hub 3-0:1.0: port_wait_reset: err \u003d -11\n  [27563.925213] usb usb3-port5: not enabled, trying reset again...\n  [27564.184398] usb 3-5: new high-speed USB device number 7 using xhci_hcd\n  [27569.196322] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27574.572040] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27574.776053] usb 3-5: device not accepting address 7, error -62\n  [27574.900165] usb 3-5: new high-speed USB device number 8 using xhci_hcd\n  [27579.948039] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27585.324331] xhci_hcd 0000:67:00.0: Timeout while waiting for setup device command\n  [27585.528040] usb 3-5: device not accepting address 8, error -62\n  [27585.528389] usb usb3-port5: unable to enumerate USB device\n  [27585.528424] hub 3-0:1.0: state 7 ports 5 chg 0000 evt 0020\n\nTo reproduce the issue, these conditions must be met:\n- a noisy radio environment (cafe or office) to cause frequent remote\n  wakeup events\n- no Bluetooth device is connected, so autosuspend is not 
prohibited\n- the Bluetooth interface is opened, so remote wakeup is enabled when\n  the device runs into autosuspend\n\nThen I can reproduce the issue within several hours each time.\n\nIncreasing TRSMRCY or setting USB_QUIRK_RESET doesn\u0027t help at all.\n\nSince the remote wakeup capability is super broken, just disable it to\nget rid of the troubles. The device can still be autosuspended when\nthe bluetooth interface is closed, which won\u0027t break the device as\nremote wakeup is unneeded in this case.\n\nLink: https://bbs.archlinux.org/viewtopic.php?id\u003d308169\nLink: https://bbs.bee-link.com/d/7694-gtr9-pro-ai-max-395-usb-issues\nSigned-off-by: Rong Zhang \u003ci@rong.moe\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "4a17208f1b99cae817e68f5adf52689e3b39c8d6",
      "tree": "4237f6eb209bf89961e1e26255e579bd7ba95895",
      "parents": [
        "961ea93b3ceb2f9b1ba9a503d9384286a9462706"
      ],
      "author": {
        "name": "SeungJu Cheon",
        "email": "suunj1331@gmail.com",
        "time": "Mon Jun 01 20:19:08 2026 +0900"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue Jun 02 12:50:12 2026 -0400"
      },
      "message": "Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect\n\nsco_sock_connect() copies the destination address into sco_pi(sk)-\u003edst\nunder lock_sock(), then releases the lock and calls sco_connect(),\nwhich reads dst, src, setting, and codec without holding lock_sock() in\nhci_get_route() and hci_connect_sco().\n\nThese fields may be modified concurrently by connect(), bind(), or\nsetsockopt() on the same socket, resulting in data-races reported by\nKCSAN.\n\nFix this by snapshotting dst, src, setting, and codec under lock_sock()\nat the start of sco_connect() before passing them to hci_get_route()\nand hci_connect_sco().\n\nBUG: KCSAN: data-race in memcmp+0x45/0xb0\n\nrace at unknown origin, with read to 0xffff88800e6b0dd0 of 1 bytes\nby task 315 on cpu 0:\n memcmp+0x45/0xb0\n hci_connect_acl+0x1b7/0x6b0\n hci_connect_sco+0x4d/0xb30\n sco_sock_connect+0x27b/0xd60\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFixes: 9a8ec9e8ebb5 (\"Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "961ea93b3ceb2f9b1ba9a503d9384286a9462706",
      "tree": "6e197ebf63a00438b981f148daebfd54a8dd4aa2",
      "parents": [
        "e13696f42ec923d5e26800b5bead6459dc619c81"
      ],
      "author": {
        "name": "SeungJu Cheon",
        "email": "suunj1331@gmail.com",
        "time": "Mon Jun 01 20:19:07 2026 +0900"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue Jun 02 12:50:08 2026 -0400"
      },
      "message": "Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls\n\niso_connect_bis(), iso_connect_cis(), iso_listen_bis(), and\niso_conn_big_sync() call hci_get_route() using iso_pi(sk)-\u003edst,\niso_pi(sk)-\u003esrc, and iso_pi(sk)-\u003esrc_type without holding lock_sock().\n\nThese fields may be modified concurrently by connect() or setsockopt()\non the same socket, resulting in data-races reported by KCSAN.\n\nFix this by snapshotting the required fields under lock_sock() before\ncalling hci_get_route().\n\nBUG: KCSAN: data-race in memcmp+0x45/0xb0\n\nrace at unknown origin, with read to 0xffff8880122135cf of 1 bytes\nby task 333 on cpu 1:\n memcmp+0x45/0xb0\n hci_get_route+0x27e/0x490\n iso_connect_cis+0x4c/0xa10\n iso_sock_connect+0x60e/0xb30\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFixes: 241f51931c35 (\"Bluetooth: ISO: Avoid circular locking dependency\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "e13696f42ec923d5e26800b5bead6459dc619c81",
      "tree": "ee7ab6dca3907795c1d146da19cc36dfb4d8f420",
      "parents": [
        "59e3efb116d40fedc9d4c673df39cbabd11707f3"
      ],
      "author": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:52:09 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 16:41:36 2026 -0400"
      },
      "message": "Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer\n\nIn iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is\ndropped:\n\tbis \u003d iso_pi(sk)-\u003econn-\u003ehcon;\n\t/* Release the socket before lookups since that requires hci_dev_lock\n\t * which shall not be acquired while holding sock_lock for proper\n\t * ordering.\n\t */\n\trelease_sock(sk);\n\thci_dev_lock(bis-\u003ehdev);\n\nDuring the unlocked window, a concurrent close() could destroy the connection\nand free the bis structure, causing hci_dev_lock(bis-\u003ehdev) to access memory\nafter it is freed. Fix this by using the hdev reference which was safely\nacquired via iso_conn_get_hdev().\n\nFixes: d3413703d5f8 (\"Bluetooth: ISO: Add support to bind to trigger PAST\")\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "59e3efb116d40fedc9d4c673df39cbabd11707f3",
      "tree": "f16e0dc2aa197250274e7cbd5a3bff9ed77a0424",
      "parents": [
        "cf767a2d88f78bb69184b6bb76489f0caf0d272a"
      ],
      "author": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:45:42 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 16:41:28 2026 -0400"
      },
      "message": "Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync\n\nhci_get_route() returns a reference-counted hci_dev pointer via\nhci_dev_hold(). The function exits normally or with an error without ever\nreleasing it.\n\nFixes: 07a9342b94a9 (\"Bluetooth: ISO: Send BIG Create Sync via hci_sync\")\nReported-by: Sashiko \u003csashiko-bot@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "cf767a2d88f78bb69184b6bb76489f0caf0d272a",
      "tree": "632aa12ad2b37c168da2704f6cafc538ed201aab",
      "parents": [
        "b2aa1661149c2bd0846ef2dbb86ffe4fc69e4026"
      ],
      "author": {
        "name": "Bharath Reddy",
        "email": "kbreddy.rpbc@gmail.com",
        "time": "Mon Jun 01 08:54:26 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:58:30 2026 -0400"
      },
      "message": "Bluetooth: fix memory leak in error path of hci_alloc_dev()\n\nEarly failures in Bluetooth HCI UART configuration leak SRCU percpu\nmemory.\n\nWhen device initialization fails before hci_register_dev() completes,\nthe HCI_UNREGISTER flag is never set. As a result, when the device\nreference count reaches zero, bt_host_release() evaluates this flag as\nfalse and falls back to a direct kfree(hdev).\n\nBecause hci_release_dev() is bypassed, the SRCU struct initialized\nearly in hci_alloc_dev() is never cleaned up, resulting in a leak of\npercpu memory.\n\nFix the leak by explicitly calling cleanup_srcu_struct() in the\nfallback (unregistered) branch of bt_host_release() before freeing\nthe device.\n\nReported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d535ecc844591e50588a5\nTested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com\nFixes: 1d6123102e9f (\"Bluetooth: hci_core: Fix use-after-free in vhci_flush()\")\nSigned-off-by: Bharath Reddy \u003ckbreddy.rpbc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "b2aa1661149c2bd0846ef2dbb86ffe4fc69e4026",
      "tree": "5d0e6fbf084ff3eabe52c183cbf953e0cd000e92",
      "parents": [
        "2bf22888ea6defeb4962480e3bcc665226f7a79e"
      ],
      "author": {
        "name": "Nils Helmig",
        "email": "nils.helmig@web.de",
        "time": "Sat May 30 14:39:34 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:58:11 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add TP-Link UB600 for Realtek 8761BUV\n\nAdd the vendor/product ID (0x37ad, 0x0600) to usb_device_id table\nfor Realtek 8761BUV.\n\nThe device info from /sys/kernel/debug/usb/devices as below.\n\nT:  Bus\u003d03 Lev\u003d01 Prnt\u003d01 Port\u003d01 Cnt\u003d01 Dev#\u003d  4 Spd\u003d12   MxCh\u003d 0\nD:  Ver\u003d 1.10 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d37ad ProdID\u003d0600 Rev\u003d 2.00\nS:  Manufacturer\u003d\nS:  Product\u003dTP-Link Bluetooth USB Adapter\nS:  SerialNumber\u003dACA7F14FD2A5\nC:* #Ifs\u003d 2 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d500mA\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d  16 Ivl\u003d1ms\nE:  Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d  64 Ivl\u003d0ms\nE:  Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d  64 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  
Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\n\nSigned-off-by: Nils Helmig \u003cnils.helmig@web.de\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "2bf22888ea6defeb4962480e3bcc665226f7a79e",
      "tree": "ba88afc6501e72c8ad2cdbeb2759832ffeb0b703",
      "parents": [
        "4fcae45539b9d4795aabebe8cc4bdb256b82e498"
      ],
      "author": {
        "name": "Chandrashekar Devegowda",
        "email": "chandrashekar.devegowda@intel.com",
        "time": "Mon Jun 01 15:56:11 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:57:53 2026 -0400"
      },
      "message": "Bluetooth: btintel_pcie: Fix null pointer dereference in remove\n\nAdd a NULL check for pci_get_drvdata() in btintel_pcie_remove() to\nprevent a null pointer dereference. This can occur when\nbtintel_pcie_remove() is called concurrently from the PLDR\ndevice_reprobe path on another CPU, after pci_set_drvdata(pdev, NULL)\nhas already been executed.\n\nFixes: 8c0693e29dba (\"Bluetooth: btintel_pcie: Support Product level reset\")\nSigned-off-by: Chandrashekar Devegowda \u003cchandrashekar.devegowda@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "4fcae45539b9d4795aabebe8cc4bdb256b82e498",
      "tree": "b8f7fd8474f9edc56147e473f026548207d531ba",
      "parents": [
        "7bfdd3d9129c167addf78eda2a080a18c6538f6e"
      ],
      "author": {
        "name": "Zijun Hu",
        "email": "zijun.hu@oss.qualcomm.com",
        "time": "Mon Jun 01 04:30:56 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:57:34 2026 -0400"
      },
      "message": "Bluetooth: hci_qca: fix NULL pointer dereference in qca_dmp_hdr() for non-serdev device\n\nhu-\u003eserdev is NULL for hci_uart attached via non-serdev paths, but\nqca_dmp_hdr() unconditionally dereferences hu-\u003eserdev-\u003edev.driver-\u003ename,\ncausing a NULL pointer dereference.\n\nFix by guarding the dereference with a NULL check and falling back to\n\"hci_ldisc_qca\" for the non-serdev case.\n\nFixes: 06d3fdfcdf5c (\"Bluetooth: hci_qca: Add qcom devcoredump support\")\nSigned-off-by: Zijun Hu \u003czijun.hu@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "7bfdd3d9129c167addf78eda2a080a18c6538f6e",
      "tree": "44253f75288af22ef9408b5d4ed5fb6adc0b2929",
      "parents": [
        "379b101059b44f64f6c5c022724f880a68fed15b"
      ],
      "author": {
        "name": "Zijun Hu",
        "email": "zijun.hu@oss.qualcomm.com",
        "time": "Mon Jun 01 04:30:55 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon Jun 01 14:56:54 2026 -0400"
      },
      "message": "Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device\n\nhu-\u003eserdev is NULL for hci_uart attached via non-serdev paths, but\nqca_setup() unconditionally calls serdev_device_get_drvdata(hu-\u003eserdev)\nand dereferences the result, causing a NULL pointer dereference.\n\nFix by guarding the dereference with a NULL check, consistent with the\nrest of qca_setup().\n\nFixes: 22d893eec0d5 (\"Bluetooth: hci_qca: Refactor HFP hardware offload capability handling\")\nSigned-off-by: Zijun Hu \u003czijun.hu@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "379b101059b44f64f6c5c022724f880a68fed15b",
      "tree": "07322c30076110a9133191af9fa707075288c017",
      "parents": [
        "0bc614e5e938ea90ad8b7507f55cc478553cdd10"
      ],
      "author": {
        "name": "Zhang Cen",
        "email": "rollkingzzc@gmail.com",
        "time": "Fri May 29 11:22:09 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Fri May 29 11:30:49 2026 -0400"
      },
      "message": "Bluetooth: bnep: reject short frames before parsing\n\nA BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the\npacket type byte immediately and, for control packets, reads the control\nopcode and setup UUID-size byte before proving that those bytes are\npresent. bnep_rx_control() also dereferences the control opcode without\nrejecting an empty control payload.\n\nUse skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL\nreturn gates each dereference. Split the control handler so the frame\npath can pass an opcode that has already been pulled, and keep the\nbyte-buffer wrapper for extension control payloads.\n\nFor BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the\nsetup payload. struct bnep_setup_conn_req carries destination and source\nservice UUIDs after that byte, each uuid_size bytes, so the parser now\ndocuments that tuple explicitly instead of leaving the pull length as an\nopaque multiplication.\n\nValidation reproduced this kernel report:\nKASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790\nThe buggy address belongs to the object at ffff88800c0f7908 which belongs\nto the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes to the right of allocated 1-byte\nregion [ffff88800c0f7908, ffff88800c0f7909)\nRead of size 1\nCall trace:\n  dump_stack_lvl+0xb3/0x140 (?:?)\n  print_address_description+0x57/0x3a0 (?:?)\n  bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)\n  print_report+0xb9/0x2b0 (?:?)\n  __virt_addr_valid+0x1ba/0x3a0 (?:?)\n  srso_alias_return_thunk+0x5/0xfbef5 (?:?)\n  kasan_addr_to_slab+0x21/0x60 (?:?)\n  kasan_report+0xe0/0x110 (?:?)\n  process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)\n  worker_thread+0x65c/0xe40 (?:?)\n  __kthread_parkme+0x184/0x230 (?:?)\n  kthread+0x35e/0x470 (?:?)\n  _raw_spin_unlock_irq+0x28/0x50 (?:?)\n  ret_from_fork+0x586/0x870 (?:?)\n  __switch_to+0x74f/0xdc0 (?:?)\n  ret_from_fork_asm+0x1a/0x30 (?:?)\n\nFixes: 1da177e4c3f4 
(\"Linux-2.6.12-rc2\")\nAssisted-by: Codex:gpt-5.5\nSigned-off-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "0bc614e5e938ea90ad8b7507f55cc478553cdd10",
      "tree": "dc3f4dec9af1cf9f67183d329c190ac29b1159cf",
      "parents": [
        "a6273f046450862cd5c68e6d46260f924d5aed58"
      ],
      "author": {
        "name": "Yuqi Xu",
        "email": "xuyq21@lenovo.com",
        "time": "Fri May 29 16:54:23 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Fri May 29 11:30:26 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend\n\nExisting advertising instances can already hold the maximum extended\nadvertising payload. When hci_adv_bcast_annoucement() prepends the\nBroadcast Announcement service data to that payload, the combined data\nmay no longer fit in the temporary buffer used to rebuild the\nadvertising data.\n\nReject that case before copying the existing payload and report the\nfailure through the device log. This keeps the existing advertising\ndata intact and avoids overrunning the temporary buffer.\n\nFixes: 5725bc608252 (\"Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance\")\nCc: stable@kernel.org\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Zhengchuan Liang \u003czcliangcn@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nAssisted-by: Codex:GPT-5.4\nSigned-off-by: Yuqi Xu \u003cxuyq21@lenovo.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "a6273f046450862cd5c68e6d46260f924d5aed58",
      "tree": "31333801b75e5d1f16faf0fdeb04f7986cd343e5",
      "parents": [
        "a82ccb946ae5d399437ece698590421c332252ed"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Thu May 21 10:45:17 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 16:26:26 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig\n\nnet/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR\nsignaling packets up to the channel MTU and dispatches each command\nwithout enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer\nwithin radio range can send a fixed-channel CID 0x0001 packet that is\nlarger than MTUsig and contains many L2CAP_ECHO_REQ commands before\npairing. In a real-radio stock-kernel run, one 681-byte signaling\npacket containing 168 zero-length ECHO_REQ commands made the target\ntransmit 168 ECHO_RSP frames over about 220 ms.\n\nImpact: a Bluetooth BR/EDR peer within radio range, before pairing, can\nforce 168 ECHO_RSP frames from one 681-byte fixed-channel signaling\npacket containing packed ECHO_REQ commands.\n\nDefine Linux\u0027s BR/EDR signaling MTU as the spec minimum of 48 bytes and\nreject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP\ncarrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.\n\nThe Bluetooth Core spec wording for MTUExceeded says the reject\nidentifier shall match the first request command in the packet, and\nthat packets containing only responses shall be silently discarded.\nLinux intentionally deviates from that prescription: silently\ndiscarding desynchronizes the peer because the remote stack never\nlearns its responses were dropped, and locating the first request\ncommand requires walking command headers past MTUsig, i.e. 
processing\nbytes from a packet we have already decided is too large to process.\nWe therefore always emit one reject and use the identifier from the\nfirst command header, a single fixed-offset byte read.\n\nThe unrestricted BR/EDR signaling parser and ECHO_REQ response path both\ntrace to the initial git import; no later introducing commit is\navailable for a Fixes tag.\n\nCc: stable@vger.kernel.org\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.dentz@gmail.com\u003e\nLink: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com\nLink: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com\nLink: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com\nAssisted-by: Claude:claude-opus-4-7\nAssisted-by: Codex:gpt-5-5-xhigh\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "a82ccb946ae5d399437ece698590421c332252ed",
      "tree": "111932c6e8c327997d57e834b61753db8423062e",
      "parents": [
        "899a200a76486bf4ddc57048c2f3b94818ba8e1c"
      ],
      "author": {
        "name": "SeungJu Cheon",
        "email": "suunj1331@gmail.com",
        "time": "Mon May 25 20:04:43 2026 +0900"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 10:01:28 2026 -0400"
      },
      "message": "Bluetooth: RFCOMM: validate skb length in MCC handlers\n\nThe RFCOMM MCC handlers cast skb-\u003edata to protocol-specific structs\nwithout validating skb-\u003elen first. A malicious remote device can send\ntruncated MCC frames and trigger out-of-bounds reads in these handlers.\n\nFix this by using skb_pull_data() to validate and access the required\ndata before dereferencing it.\n\nrfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows\n1-byte RPN requests. Handle this by validating only the DLCI byte first,\nand validating the full struct only when len \u003e 1.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSuggested-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "899a200a76486bf4ddc57048c2f3b94818ba8e1c",
      "tree": "90d19edddd47eb98c007cb4f554f84f85fdce5ae",
      "parents": [
        "339cf04eb21aba08d0a2ff36d490dc1e61e49181"
      ],
      "author": {
        "name": "Zhang Cen",
        "email": "rollkingzzc@gmail.com",
        "time": "Thu May 28 17:45:06 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 10:01:25 2026 -0400"
      },
      "message": "Bluetooth: MGMT: validate advertising TLV before type checks\n\ntlv_data_is_valid() reads each advertising data field length from\ndata[i], then inspects data[i + 1] for managed EIR types before\nchecking that the current field still fits inside the supplied buffer.\n\nA malformed field whose length byte is the last byte of the buffer can\ntherefore make the parser read one byte past the advertising data.\n\nKASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING\nrequest reached that path:\n\n  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()\n  Read of size 1\n  Call trace:\n    tlv_data_is_valid()\n    add_advertising()\n    hci_mgmt_cmd()\n    hci_sock_sendmsg()\n\nMove the existing element-length check before any type-octet inspection\nso each non-empty element is proven to contain its type byte before the\nparser looks at data[i + 1].\n\nFixes: 2bb36870e8cb (\"Bluetooth: Unify advertising instance flags check\")\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "339cf04eb21aba08d0a2ff36d490dc1e61e49181",
      "tree": "40ef88bf7eb632248b5c91ad52a5af1772be5095",
      "parents": [
        "a92f90568cc9eec665f47040445290d4b18a7bb5"
      ],
      "author": {
        "name": "Zhang Cen",
        "email": "rollkingzzc@gmail.com",
        "time": "Thu May 28 15:56:41 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 28 10:01:22 2026 -0400"
      },
      "message": "Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()\n\nrfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock,\nbut returns the selected listener after dropping that lock without\ntaking a reference. rfcomm_connect_ind() then locks the listener,\nqueues a child socket on it, and may notify it after unlocking it.\n\nThe buggy scenario involves two paths, with each column showing the\norder within that path:\n\nrfcomm_connect_ind():            listener close:\n  1. Find parent in              1. close() enters\n     rfcomm_get_sock_by_channel()   rfcomm_sock_release().\n  2. Drop rfcomm_sk_list.lock    2. rfcomm_sock_shutdown()\n     without pinning parent.        closes the listener.\n  3. Call lock_sock(parent) and  3. rfcomm_sock_kill()\n     bt_accept_enqueue(parent,      unlinks and puts parent.\n     sk, true).\n  4. Read parent flags and may   4. parent can be freed.\n     call sk_state_change().\n\nIf close wins the race, parent can be freed before\nrfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the\ndeferred-setup callback.\n\nTake a reference on the listener before leaving rfcomm_sk_list.lock.\nAfter lock_sock() succeeds, recheck that it is still in BT_LISTEN\nbefore queueing a child, cache the deferred-setup bit while the parent\nis locked, and drop the reference after the last parent use.\n\nKASAN reported a slab-use-after-free in lock_sock_nested() from\nrfcomm_connect_ind(), with the freeing stack going through\nrfcomm_sock_kill() and rfcomm_sock_release().\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Zhang Cen \u003crollkingzzc@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "a92f90568cc9eec665f47040445290d4b18a7bb5",
      "tree": "b002390d0e24ef7f2b2159e157d374183de4fad7",
      "parents": [
        "db6e813f578907b960c218c0e428db73620499a7"
      ],
      "author": {
        "name": "Heitor Alves de Siqueira",
        "email": "halves@igalia.com",
        "time": "Tue May 26 10:50:59 2026 -0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:42:08 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()\n\nBefore resetting or closing the device, protocol counters should also be\nzeroed.\n\nFixes: d0b137062b2d (\"Bluetooth: hci_sync: Rework init stages\")\nSigned-off-by: Heitor Alves de Siqueira \u003chalves@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "db6e813f578907b960c218c0e428db73620499a7",
      "tree": "e569c0289214e0af47bf2d24d51bc4486aa3be61",
      "parents": [
        "54f93846b7a8189d57324d34643e8489c957baa1"
      ],
      "author": {
        "name": "Heitor Alves de Siqueira",
        "email": "halves@igalia.com",
        "time": "Tue May 26 10:50:58 2026 -0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:42:05 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close\n\nSince hci_dev_close_sync() can now be called during the reset path, we\nshould also set HCI_CMD_DRAIN_WORKQUEUE. This avoids queuing timeouts\nwhile the hdev workqueue is being drained.\n\nFixes: 877afadad2dc (\"Bluetooth: When HCI work queue is drained, only queue chained work\")\nSigned-off-by: Heitor Alves de Siqueira \u003chalves@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "54f93846b7a8189d57324d34643e8489c957baa1",
      "tree": "ee1bd689e9fb3146687d4c783a7c9e819ee4c9e1",
      "parents": [
        "7978ae58aafb7d9e3993a14557380436a7afa60c"
      ],
      "author": {
        "name": "Heitor Alves de Siqueira",
        "email": "halves@igalia.com",
        "time": "Tue May 26 10:50:57 2026 -0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:42:02 2026 -0400"
      },
      "message": "Bluetooth: hci_core: Rework hci_dev_do_reset() to use hci_sync functions\n\nThe current HCI reset function in hci_core.c duplicates most of the work\ndone by hci_dev_close_sync(), and doesn\u0027t handle LE, advertising or\ndiscovery.\n\nInstead of porting these to hci_dev_do_reset(), directly call the\nclose/open functions from hci_sync to reset the hdev. MGMT now notifies\nwhen a user performs a reset.\n\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nSigned-off-by: Heitor Alves de Siqueira \u003chalves@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "7978ae58aafb7d9e3993a14557380436a7afa60c",
      "tree": "1c6a004549da2a8b50588c0c63f3c5e7695e71e7",
      "parents": [
        "7e3545cc3d1abcc4669145369f0208c9352d80a8"
      ],
      "author": {
        "name": "Muhammad Bilal",
        "email": "meatuni001@gmail.com",
        "time": "Wed May 27 04:59:18 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:41:59 2026 -0400"
      },
      "message": "Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock\n\niso_sock_close() calls iso_sock_clear_timer() before acquiring\nlock_sock(sk).\n\niso_sock_clear_timer() reads iso_pi(sk)-\u003econn twice without the\nsocket lock held:\n\n    if (!iso_pi(sk)-\u003econn)\n        return;\n    cancel_delayed_work(\u0026iso_pi(sk)-\u003econn-\u003etimeout_work);\n\nConcurrently, iso_conn_del() executes under lock_sock(sk) and calls\niso_chan_del(), which sets iso_pi(sk)-\u003econn to NULL and may result in\nthe final reference to the connection being dropped:\n\n    CPU0                         CPU1\n    ----                         ----\n    iso_sock_clear_timer()\n      if (conn !\u003d NULL) ...      lock_sock(sk)\n                                   iso_chan_del()\n                                   iso_pi(sk)-\u003econn \u003d NULL\n      cancel_delayed_work(conn)  /* NULL deref or UAF */\n\niso_pi(sk)-\u003econn is not stable across the unlock window, causing a\nNULL pointer dereference or use-after-free.\n\nSerialize iso_sock_clear_timer() with the socket lock by moving it\ninside lock_sock()/release_sock(), matching the pattern used in\niso_conn_del() and all other call sites.\n\nFixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a (\"Bluetooth: Add BTPROTO_ISO socket type\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "7e3545cc3d1abcc4669145369f0208c9352d80a8",
      "tree": "1be8ce0a740f9ad05274c8d48721357bc98e68a9",
      "parents": [
        "1403053c428f6ef054b0bfb0f62d0cb578f93b4d"
      ],
      "author": {
        "name": "Muhammad Bilal",
        "email": "meatuni001@gmail.com",
        "time": "Wed May 27 04:59:17 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:41:56 2026 -0400"
      },
      "message": "Bluetooth: ISO: fix UAF in iso_recv_frame\n\niso_recv_frame reads conn-\u003esk under iso_conn_lock but releases the lock\nbefore using sk, with no reference held. A concurrent iso_sock_kill()\ncan free sk in that window, causing use-after-free on sk-\u003esk_state and\nsock_queue_rcv_skb().\n\nFix by replacing the bare pointer read with iso_sock_hold(conn), which\ncalls sock_hold() while the spinlock is held, atomically elevating the\nrefcount before the lock drops. Add a drop_put label so sock_put() is\ncalled on all exit paths where the hold succeeded.\n\nFixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a (\"Bluetooth: Add BTPROTO_ISO socket type\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "1403053c428f6ef054b0bfb0f62d0cb578f93b4d",
      "tree": "89d8293b4185bc71528334a4a992a3779da70077",
      "parents": [
        "4fe5ea11ac728b12b5a139742ed9f561ccd2707e"
      ],
      "author": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 11 12:09:42 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:16 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp\n\nIf dcid is received for an already-assigned destination CID the spec\nrequires that both channels be discarded, but calling l2cap_chan_del\nmay invalidate the tmp cursor created by list_for_each_entry_safe and\nin fact it is the wrong procedure as the chan-\u003edcid may be assigned\npreviously it really needs to be disconnected.\n\nCalling l2cap_chan_clone directly may still lead to l2cap_chan_del so\ninstead schedule l2cap_chan_timeout with delay 0 to close the channel\nasynchronously.\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "4fe5ea11ac728b12b5a139742ed9f561ccd2707e",
      "tree": "257bbbe6b7ce7767efcab8917e2ec955400c6ad3",
      "parents": [
        "34c27938d3dc0d93975aaba0c31a6b61206feb78"
      ],
      "author": {
        "name": "Zhenghang Xiao",
        "email": "kipreyyy@gmail.com",
        "time": "Tue May 26 18:51:52 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:16 2026 -0400"
      },
      "message": "Bluetooth: l2cap: clear chan-\u003eident on ECRED reconfiguration success\n\nl2cap_ecred_reconf_rsp() returns early on success without clearing\nchan-\u003eident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,\nl2cap_le_connect_rsp, l2cap_config_rsp) clears chan-\u003eident after a\nsuccessful transaction to prevent the channel from matching subsequent\nresponses with the recycled ident value.\n\nA remote attacker that completed a reconfiguration as the peer can\nreplay a failure response with the stale ident, causing the kernel to\nmatch and destroy the already-established channel via\nl2cap_chan_del(chan, ECONNRESET).\n\nClear chan-\u003eident for all matching channels on success, and harden the\nfailure path by using l2cap_chan_hold_unless_zero() consistent with\nother L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nSigned-off-by: Zhenghang Xiao \u003ckipreyyy@gmail.com\u003e\n"
    },
    {
      "commit": "34c27938d3dc0d93975aaba0c31a6b61206feb78",
      "tree": "511a73bae74b257ebf353c2b4875febf3c830274",
      "parents": [
        "ff4b897195fa093b4be2b71d44519d30379c0644"
      ],
      "author": {
        "name": "Shuai Zhang",
        "email": "shuai.zhang@oss.qualcomm.com",
        "time": "Mon May 25 14:51:56 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:16 2026 -0400"
      },
      "message": "Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading\n\nWhen bt_en is pulled high by hardware, the host does not re-download\nthe firmware after SSR. The controller loads the rampatch and NVM\ninternally.\n\nOn HMT chip, the rampatch is ~264 KB and the NVM is ~9.4 KB. The\nloading process takes approximately 70 ms. The previous 50 ms delay is\ntoo short, causing the controller to not respond to the reset command\nsent by the host, which leads to BT initialization failure:\n\n Bluetooth: hci0: QCA memdump Done, received 458752, total 458752\n Bluetooth: hci0: mem_dump_status: 2\n Bluetooth: hci0: Opcode 0x0c03 failed: -110\n\nIncrease the delay to 100 ms, which was confirmed as a safe value by\nthe controller, to ensure the controller has finished loading the\nfirmware before the host sends commands.\n\nSteps to reproduce:\n1. Trigger SSR and wait for SSR to complete:\n   hcitool cmd 0x3f 0c 26\n2. Run \"bluetoothctl power on\" and observe that BT fails to start.\n\nFixes: fce1a9244a0f (\"Bluetooth: hci_qca: Fix SSR (SubSystem Restart) fail when BT_EN is pulled up by hw\")\nCc: stable@vger.kernel.org\nReviewed-by: Dmitry Baryshkov \u003cdmitry.baryshkov@oss.qualcomm.com\u003e\nSigned-off-by: Shuai Zhang \u003cshuai.zhang@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "ff4b897195fa093b4be2b71d44519d30379c0644",
      "tree": "0948ca42b2a625cc6a0f296f75b612896b17594a",
      "parents": [
        "e0b8ca0f9f75a3112566a9eb9477e5fc60f6a3e7"
      ],
      "author": {
        "name": "Doruk Tan Ozturk",
        "email": "doruk@0sec.ai",
        "time": "Mon May 25 18:24:38 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:16 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync\n\nhci_le_create_cis_sync() dereferences conn-\u003econn_timeout after releasing\nboth rcu_read_lock() and hci_dev_lock(hdev).  The conn pointer was\nobtained from an RCU-protected iteration over hdev-\u003econn_hash.list and\nis not valid once these locks are dropped.  A concurrent disconnect can\nfree the hci_conn between the unlock and the dereference, causing a\nuse-after-free read.\n\nThe cancellation mechanism in hci_conn_del() cannot prevent this because\nhci_le_create_cis_pending() queues hci_create_cis_sync with data\u003dNULL:\n\n    hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);\n\nWhile hci_conn_del() dequeues with data\u003dconn:\n\n    hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);\n\nSince NULL !\u003d conn, the lookup in _hci_cmd_sync_lookup_entry() never\nmatches, and the pending work item is not cancelled.\n\nFix this by saving conn-\u003econn_timeout into a local variable while the\nlocks are still held, so the stale conn pointer is never dereferenced\nafter unlock.\n\nThis is the same class of bug as the one fixed by commit 035c25007c9e\n(\"Bluetooth: hci_sync: Fix UAF on le_read_features_complete\") which\naddressed the identical pattern in a different function.\n\nThis vulnerability was identified using 0sec.ai, an open-source\nautomated security auditing platform (https://github.com/0sec-labs).\n\nFixes: c09b80be6ffc (\"Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED\")\nCc: stable@vger.kernel.org\nReported-by: Doruk Tan Ozturk \u003cdoruk@0sec.ai\u003e\nSigned-off-by: Doruk Tan Ozturk \u003cdoruk@0sec.ai\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "e0b8ca0f9f75a3112566a9eb9477e5fc60f6a3e7",
      "tree": "0be45c75324a7226b937743ffee5f2920341a69b",
      "parents": [
        "3aaf0066caba19096c78f5f340ff1e9e7d25760f"
      ],
      "author": {
        "name": "Zenm Chen",
        "email": "zenmchen@gmail.com",
        "time": "Tue May 26 00:19:42 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:15 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add USB ID 2c4e:0128 for Mercusys MA60XNB\n\nAdd USB ID 2c4e:0128 for Mercusys MA60XNB, an RTL8851BU-based\nWi-Fi + Bluetooth adapter.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed below:\n\nT:  Bus\u003d03 Lev\u003d01 Prnt\u003d01 Port\u003d04 Cnt\u003d01 Dev#\u003d  3 Spd\u003d480  MxCh\u003d 0\nD:  Ver\u003d 2.00 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d2c4e ProdID\u003d0128 Rev\u003d 0.00\nS:  Manufacturer\u003dRealtek\nS:  Product\u003d802.11ax WLAN Adapter\nS:  SerialNumber\u003d00e04c000001\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d500mA\nA:  FirstIf#\u003d 0 IfCount\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d  16 Ivl\u003d1ms\nE:  Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  63 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  63 Ivl\u003d1ms\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 8 Cls\u003dff(vend.) Sub\u003dff Prot\u003dff Driver\u003drtw89_8851bu\nE:  Ad\u003d84(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d05(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d06(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d07(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d09(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d0a(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d0b(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d0c(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\n\nCc: stable@vger.kernel.org # 6.6.x\nSigned-off-by: Zenm Chen \u003czenmchen@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "3aaf0066caba19096c78f5f340ff1e9e7d25760f",
      "tree": "507b4925b7c79dfa0039893c11535ed6dac39239",
      "parents": [
        "1b75eb35f32ea8df92c18db9805c0b527e52a51e"
      ],
      "author": {
        "name": "Zhao Dongdong",
        "email": "zhaodongdong@kylinos.cn",
        "time": "Tue May 26 11:21:39 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:15 2026 -0400"
      },
      "message": "Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()\n\nThe skb_clone() function can return NULL if memory allocation fails.\nsend_mcast_pkt() calls skb_clone() without checking the return value, which\ncan lead to a NULL pointer dereference in send_pkt() when it dereferences\nskb-\u003edata.\nAdd a NULL check after skb_clone() and skip the peer if the clone fails.\n\nFixes: 18722c247023 (\"Bluetooth: Enable 6LoWPAN support for BT LE devices\")\nSigned-off-by: Zhao Dongdong \u003czhaodongdong@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "1b75eb35f32ea8df92c18db9805c0b527e52a51e",
      "tree": "c33b668656ff6772778bdd40fe28e099dbb0686f",
      "parents": [
        "3c2c428f25e25d18a496d7b04926451cb03652aa"
      ],
      "author": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 26 12:43:42 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 27 15:29:15 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: Add support for HCI_LE_Set_Host_Feature [v2]\n\nThis adds support for using HCI_LE_Set_Host_Feature [v2] instead of v1\nif LL Extended Features is supported and the controller supports the\ncommand.\n\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "3c2c428f25e25d18a496d7b04926451cb03652aa",
      "tree": "39bf14e4c2ed3748875686ff2fed2656a65960cf",
      "parents": [
        "b3e1ce1381485cbbfc355285f91f53e5573d3e05"
      ],
      "author": {
        "name": "Shuai Zhang",
        "email": "shuai.zhang@oss.qualcomm.com",
        "time": "Thu May 21 13:25:47 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 21 11:23:01 2026 -0400"
      },
      "message": "Bluetooth: btusb: Allow firmware re-download when version matches\n\nThe Bluetooth host decides whether to download firmware by reading the\ncontroller firmware download completion flag and firmware version\ninformation.\n\nIf a USB error occurs during the firmware download process (for example\ndue to a USB disconnect), the download is aborted immediately. An\nincomplete firmware transfer does not cause the controller to set the\ndownload completion flag, but the firmware version information may be\nupdated at an early stage of the download process.\n\nIn this case, after USB reconnection, the host attempts to re-download\nthe firmware because the download completion flag is not set. However,\nsince the controller reports the same firmware version as the target\nfirmware, the download is skipped. This ultimately results in the\nfirmware not being properly updated on the controller.\n\nThis change removes the restriction that skips firmware download when\nthe versions are equal. It covers scenarios where the USB connection\ncan be disconnected at any time and ensures that firmware download can\nbe retriggered after USB reconnection, allowing the Bluetooth firmware\nto be correctly and completely updated.\n\nFixes: 3267c884cefa (\"Bluetooth: btusb: Add support for QCA ROME chipset family\")\nCc: stable@vger.kernel.org\nSigned-off-by: Shuai Zhang \u003cshuai.zhang@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "b3e1ce1381485cbbfc355285f91f53e5573d3e05",
      "tree": "80fe3dce92935fccf9ba232029c0a929f905cc66",
      "parents": [
        "6522ecbcd122083c8dfdc07e383fdd7056094530"
      ],
      "author": {
        "name": "Jiajia Liu",
        "email": "liujiajia@kylinos.cn",
        "time": "Wed May 20 10:15:00 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 21 11:21:45 2026 -0400"
      },
      "message": "Bluetooth: btmtk: remove extra copy in cmd array init\n\nIn btmtk_setup_firmware_79xx, the data length indicated by wmt_params.dlen\nin the cmd buffer is MTK_SEC_MAP_NEED_SEND_SIZE + 1. Except for the first\nbyte, the remaining length is MTK_SEC_MAP_NEED_SEND_SIZE. memcpy copied one\nmore byte to cmd + 1 than the remaining length. Align the length passed to\nmemcpy to avoid exceeding current section map.\n\nSigned-off-by: Jiajia Liu \u003cliujiajia@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "6522ecbcd122083c8dfdc07e383fdd7056094530",
      "tree": "5ecf01cfd38c0fd5f2d0b85faa75f2ab5ae1d781",
      "parents": [
        "75780ca4c6a874eb820f4133ee468fe8a6d3624b"
      ],
      "author": {
        "name": "Muhammad Bilal",
        "email": "meatuni001@gmail.com",
        "time": "Wed May 20 18:56:43 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 21 11:10:30 2026 -0400"
      },
      "message": "Bluetooth: HIDP: fix missing length checks in hidp_input_report()\n\nhidp_input_report() reads keyboard and mouse payload data from an skb\nwithout first verifying that skb-\u003elen contains enough data.\n\nhidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching\nto hidp_input_report(). If a paired device sends a truncated packet,\nthe handler reads beyond the valid skb data, resulting in an\nout-of-bounds read of skb data. The OOB bytes may be interpreted as\nphantom key presses or spurious mouse movement.\n\nReplace the open-coded length tracking and pointer arithmetic with\nskb_pull_data() calls. skb_pull_data() returns NULL if the requested\nbytes are not present, eliminating the need for a manual size variable\nand the separate skb-\u003elen guard.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nCc: stable@vger.kernel.org\nSigned-off-by: Muhammad Bilal \u003cmeatuni001@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "75780ca4c6a874eb820f4133ee468fe8a6d3624b",
      "tree": "dcb6e22d6dacf967fbd52de717db730cb46ba888",
      "parents": [
        "628669434306e90870bdd2014ca742332f59301c"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed May 20 22:12:20 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 21 11:10:27 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\n\nl2cap_chan_close() removes the channel from conn-\u003echan_l, which\nmust be done under conn-\u003elock.  cleanup_listen() runs under the\nparent sk_lock, so acquiring conn-\u003elock would invert the\nestablished conn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock order.\n\nInstead of calling l2cap_chan_close() directly, schedule\nl2cap_chan_timeout with delay 0 to close the channel\nasynchronously.  The timeout handler already acquires conn-\u003elock\nand chan-\u003elock in the correct order.\n\nThe timer is only armed when chan-\u003econn is still set: if it is\nalready NULL, l2cap_conn_del() has already processed this channel\n(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),\nso there is nothing left to do.  If l2cap_conn_del() races in\nafter the timer is armed, __clear_chan_timer() inside\nl2cap_chan_del() cancels it; if the timer has already fired, the\nhandler returns harmlessly because chan-\u003econn was cleared.\n\nFixes: 3df91ea20e74 (\"Bluetooth: Revert to mutexes from RCU list\")\nCc: \u003cstable@vger.kernel.org\u003e # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "628669434306e90870bdd2014ca742332f59301c",
      "tree": "c2ed5c68272429c08821a164513f64b85d33c394",
      "parents": [
        "6dbf781d088546ba922a9a7baf97502365660a6e"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed May 20 22:30:36 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 21 11:10:25 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn\n\n__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()\nbefore scheduling the delayed work.  The normal path in\nl2cap_chan_timeout() drops this reference with l2cap_chan_put() at the\nend, but the early return when chan-\u003econn is NULL skips the put,\nleaking the reference.\n\nAdd the missing l2cap_chan_put() before the early return.\n\nFixes: adf0398cee86 (\"Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\")\nCc: stable@vger.kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "6dbf781d088546ba922a9a7baf97502365660a6e",
      "tree": "7f06c9240594d898c2e9f79b1ccb66c815d55d47",
      "parents": [
        "0b580042a1a5478b2cf5f1ff66372b75392ad2a4"
      ],
      "author": {
        "name": "Pavitra Jha",
        "email": "jhapavitra98@gmail.com",
        "time": "Thu May 21 04:04:14 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 21 11:10:15 2026 -0400"
      },
      "message": "Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()\n\nhci_le_big_terminate() allocates iso_list_data via kzalloc_obj but\nreturns 0 without freeing it when neither pa_sync_term nor big_sync_term\nflags are set after evaluating the PA and BIG sync connection state.\n\nThis early-return path was introduced when hci_le_big_terminate() was\nrefactored to take struct hci_conn instead of raw u8 parameters, adding\nPA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue\nfailure does not cover this path.\n\nFixes: a7bcffc673de (\"Bluetooth: Add PA_LINK to distinguish BIG sync and PA sync connections\")\nCc: stable@vger.kernel.org\nSigned-off-by: Pavitra Jha \u003cjhapavitra98@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "0b580042a1a5478b2cf5f1ff66372b75392ad2a4",
      "tree": "72f38dd9d741cea77b6f9de6e8ab595985e95306",
      "parents": [
        "7db62a762f613961a9ed0582902abd0295a385e9"
      ],
      "author": {
        "name": "Safa Karakuş",
        "email": "safa.karakus@secunnix.com",
        "time": "Sat May 16 21:15:04 2026 +0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 20 15:53:30 2026 -0400"
      },
      "message": "Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()\n\nbt_accept_dequeue() unlinks a not-yet-accepted child from the parent\naccept queue and release_sock()s it before returning, so the returned\nsk has no caller reference and is unlocked.\n\nl2cap_sock_cleanup_listen() walks these children on listening-socket\nclose.  A concurrent HCI disconnect drives hci_rx_work -\u003e\nl2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and\nfrees the child sk and its l2cap_chan; cleanup_listen() then uses both:\n\n  BUG: KASAN: slab-use-after-free in l2cap_sock_kill\n    l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close\n  Freed by: l2cap_conn_del -\u003e l2cap_sock_close_cb -\u003e l2cap_sock_kill\n\nThis is distinct from the two fixes already in this area: commit\ne83f5e24da741 (\"Bluetooth: serialize accept_q access\") serialises the\naccept_q list/poll and takes temporary refs inside bt_accept_dequeue(),\nand CVE-2025-39860 serialises the userspace close()/accept() race by\ncalling cleanup_listen() under lock_sock() in l2cap_sock_release().\nNeither covers l2cap_conn_del() running from hci_rx_work, so this UAF\nstill reproduces on current bluetooth/master.\n\nTake the reference at the source: bt_accept_dequeue() does sock_hold()\nwhile sk is still locked, before release_sock(); callers sock_put().\ncleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under\na brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops\nit before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on\nSOCK_DEAD.  conn-\u003elock is not taken here: cleanup_listen() runs under\nthe parent sk lock and that would invert\nconn-\u003elock -\u003e chan-\u003elock -\u003e sk_lock (lockdep).\n\nKASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced\n12 use-after-free reports per run before this change; 0, and no lockdep\nreport, over 1600+ raced iterations after it on bluetooth/master.\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nCc: stable@vger.kernel.org\nReported-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nReviewed-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Safa Karakuş \u003csafa.karakus@secunnix.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "7db62a762f613961a9ed0582902abd0295a385e9",
      "tree": "7f9bbe052c13765dfbed8c0652ac0b33a19dade5",
      "parents": [
        "8f5b6b4b198ed661ae851daaf9cb94fe285b2648"
      ],
      "author": {
        "name": "Mingyu Wang",
        "email": "25181214217@stu.xidian.edu.cn",
        "time": "Mon May 18 10:49:49 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 19 10:22:30 2026 -0400"
      },
      "message": "Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths\n\nVulnerabilities leading to Use-After-Free (UAF) and Null Pointer\nDereference (NPD) conditions were observed in the lifecycle management\nof hci_uart.\n\nThe primary issue arises because the workqueues (init_ready and\nwrite_work) are only flushed/cancelled if the HCI_UART_PROTO_READY\nflag is set during TTY close. If a hangup occurs before setup completes,\nhci_uart_tty_close() skips the teardown of these workqueues and\nproceeds to free the `hu` struct. When the scheduled work executes\nlater, it blindly dereferences the freed `hu` struct.\n\nFurthermore, several data races and UAFs were identified in the teardown\nsequence:\n1. Calling hci_uart_flush() from hci_uart_close() without effectively\n   disabling write_work causes a race condition where both can concurrently\n   double-free hu-\u003etx_skb. This happens because protocol timers can\n   concurrently invoke hci_uart_tx_wakeup() and requeue write_work.\n2. Calling hci_free_dev(hdev) before hu-\u003eproto-\u003eclose(hu) causes a UAF\n   when vendor specific protocol close callbacks dereference hu-\u003ehdev.\n3. In the initialization error paths, failing to take the proto_lock\n   write lock before clearing PROTO_READY leads to races with active\n   readers. Additionally, hci_uart_tty_receive() accesses hu-\u003ehdev\n   outside the read lock, leading to UAFs if the initialization error\n   path frees hdev concurrently.\n\nFix these synchronization and lifecycle issues by:\n1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,\n   followed immediately by a cancel_work_sync(\u0026hu-\u003ewrite_work). Clearing\n   the flag locks out concurrent protocol timers from successfully invoking\n   hci_uart_tx_wakeup(), effectively rendering the cancellation permanent\n   and preventing the tx_skb double-free.\n2. 
Note: Clearing PROTO_READY early causes hci_uart_close() to skip\n   hu-\u003eproto-\u003eflush(). This is perfectly safe in the tty_close path\n   because hu-\u003eproto-\u003eclose() executes shortly after, which intrinsically\n   purges all protocol SKB queues and tears down the state.\n3. Relocating hu-\u003eproto-\u003eclose(hu) strictly prior to hci_free_dev(hdev)\n   across all close and error paths to prevent vendor-level UAFs.\n4. Moving the hdev-\u003estat.byte_rx increment in hci_uart_tty_receive()\n   inside the proto_lock read-side critical section to safely synchronize\n   with device unregistration.\n5. Adding cancel_work_sync(\u0026hu-\u003ewrite_work) to hci_uart_close() to safely\n   flush the workqueue before hci_uart_flush() is invoked via the HCI core.\n6. Utilizing cancel_work_sync() instead of disable_work_sync() across\n   all paths to prevent permanently breaking user-space retry capabilities.\n\nFixes: 3b799254cf6f (\"Bluetooth: hci_uart: Cancel init work before unregistering\")\nCc: stable@vger.kernel.org\nSigned-off-by: Mingyu Wang \u003c25181214217@stu.xidian.edu.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "8f5b6b4b198ed661ae851daaf9cb94fe285b2648",
      "tree": "b01c8ba7ce882c69413480412fd987dc1774cc5a",
      "parents": [
        "5daf96ab8398e91cfa02565b75bf39f8f84bb3df"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Fri May 15 10:38:19 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 18 17:47:59 2026 -0400"
      },
      "message": "Bluetooth: MGMT: validate Add Extended Advertising Data length\n\nMGMT_OP_ADD_EXT_ADV_DATA is registered as a variable-length command,\nwith MGMT_ADD_EXT_ADV_DATA_SIZE as the fixed header size.  The handler\nthen uses cp-\u003eadv_data_len and cp-\u003escan_rsp_len to validate and copy\ncp-\u003edata, but it never checks that those bytes are part of the mgmt\ncommand payload.\n\nA short command can therefore make add_ext_adv_data() pass an\nout-of-bounds pointer into tlv_data_is_valid().  If the bytes beyond\nthe command buffer are addressable, they can also be copied into the\nadvertising instance as scan response data, where the caller can read\nthem back via MGMT_OP_GET_ADV_INSTANCE.  The trigger requires\nCAP_NET_ADMIN in the initial user namespace; KASAN reports an 8-byte\nslab-out-of-bounds read.\n\nReject commands whose length does not match the fixed header plus both\nadvertising data lengths before parsing cp-\u003edata.\n\nFixes: 12410572833a (\"Bluetooth: Break add adv into two mgmt commands\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "5daf96ab8398e91cfa02565b75bf39f8f84bb3df",
      "tree": "8ffe01be1f685d04e4017a3be0c551a68131f3f1",
      "parents": [
        "6aba94a49bc9cc5477e56053bfe5d70a123f9aed"
      ],
      "author": {
        "name": "Jiajia Liu",
        "email": "liujiajia@kylinos.cn",
        "time": "Mon May 18 10:24:02 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 18 17:47:56 2026 -0400"
      },
      "message": "Bluetooth: btmtk: fix urb-\u003esetup_packet leak in error paths\n\nThe setup_packet of control urb is not freed if usb_submit_urb fails or\nthe submitted urb is killed. Add free in these two paths.\n\nFixes: a1c49c434e150 (\"Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices\")\nSigned-off-by: Jiajia Liu \u003cliujiajia@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "6aba94a49bc9cc5477e56053bfe5d70a123f9aed",
      "tree": "466095b8d9844bed737d3f02057e0477a2df38bf",
      "parents": [
        "663fc68494ce647c4075f9e792a1a85535e9c6d3"
      ],
      "author": {
        "name": "David Carlier",
        "email": "devnexen@gmail.com",
        "time": "Fri May 15 07:25:25 2026 +0100"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Fri May 15 13:28:54 2026 -0400"
      },
      "message": "Bluetooth: ISO: drop ISO_END frames received without prior ISO_START\n\nISO data PDUs carry a packet-boundary flag indicating START, CONT, END\nor SINGLE. The ISO_CONT branch of iso_recv() guards against a missing\nISO_START by checking conn-\u003erx_len before touching conn-\u003erx_skb, but\nISO_END does not.\n\nIf a peer sends an ISO_END as the first packet on a fresh ISO\nconnection, conn-\u003erx_skb is still NULL and conn-\u003erx_len is zero, so\nskb_put(conn-\u003erx_skb, ...) dereferences NULL and oopses. For BIS,\nwhere receivers sync to a broadcaster without pairing, any broadcaster\non the air can trigger this.\n\nMirror the ISO_CONT check at the top of ISO_END so a stray end fragment\nis logged and dropped instead of crashing the host.\n\nFixes: ccf74f2390d6 (\"Bluetooth: Add BTPROTO_ISO socket type\")\nCc: stable@vger.kernel.org\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: David Carlier \u003cdevnexen@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "663fc68494ce647c4075f9e792a1a85535e9c6d3",
      "tree": "388b18102e0c79ad97f5e657a2fb4f3a00b73816",
      "parents": [
        "085d13bf8612422b3f9841024aaa271263483d43"
      ],
      "author": {
        "name": "Kiran K",
        "email": "kiran.k@intel.com",
        "time": "Fri May 15 00:32:48 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Fri May 15 11:43:19 2026 -0400"
      },
      "message": "Bluetooth: btintel_pcie: Fix incorrect MAC access programming\n\nbtintel_pcie_get_mac_access() and btintel_pcie_release_mac_access()\nwere programming STOP_MAC_ACCESS_DIS and XTAL_CLK_REQ in addition to\nthe MAC_ACCESS_REQ handshake. These bits are not part of the host\nMAC-access handshake on the supported parts; the driver was\nprogramming them incorrectly. Drop the writes so the register update\ncontains only the bits the controller actually consumes.\n\nFixes: b9465e6670a2 (\"Bluetooth: btintel_pcie: Read hardware exception data\")\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "085d13bf8612422b3f9841024aaa271263483d43",
      "tree": "765f5a9739f6c17b7c9494fa0ee902e1a99a9b18",
      "parents": [
        "ffeee619a13bf316dbb3ca0ddd0d2b03462f218f"
      ],
      "author": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 14 09:42:24 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Fri May 15 11:43:02 2026 -0400"
      },
      "message": "Bluetooth: hci_sync: Fix not setting mask for HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE\n\nThis fixes not setting the bit for HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE\nwhen extended features bit is set otherwise the controller may not\ngenerate HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE causing\nhci_le_read_all_remote_features_sync to timeout waiting for it.\n\nAlso remove dead code.\n\nFixes: a106e50be74b (\"Bluetooth: HCI: Add support for LL Extended Feature Set\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "ffeee619a13bf316dbb3ca0ddd0d2b03462f218f",
      "tree": "d68df00a314ba1854df217d2c710499a51641217",
      "parents": [
        "a9a4dd96b77c5999153a555c1e1ca0e95ec841ab"
      ],
      "author": {
        "name": "Jann Horn",
        "email": "jannh@google.com",
        "time": "Tue May 12 22:15:39 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Fri May 15 11:42:45 2026 -0400"
      },
      "message": "Bluetooth: bnep: Fix UAF read of dev-\u003ename\n\nbnep_add_connection() needs to keep holding the bnep_session_sem while\nreading dev-\u003ename (just like bnep_get_connlist() does); otherwise the\nbnep_session() thread can concurrently free the net_device, which can for\nexample be triggered by a concurrent bnep_del_connection().\n\n(This UAF is fairly uninteresting from a security perspective;\ncalling bnep_add_connection() requires passing a capable(CAP_NET_ADMIN)\ncheck. It also requires completely tearing down a netdev during a fairly\ntight race window.)\n\nCc: stable@vger.kernel.org\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "a9a4dd96b77c5999153a555c1e1ca0e95ec841ab",
      "tree": "70b3f48d02fa724f372f103b8e6a0170497c7f7b",
      "parents": [
        "ae3ff17c6240ae8c911a674b76fcea82860b0370"
      ],
      "author": {
        "name": "Ravindra",
        "email": "ravindra@intel.com",
        "time": "Tue May 12 14:04:44 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 13 12:47:02 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add support for Intel Lizard Peak 2 (0x8087:0x0040)\n\nDevice from /sys/kernel/debug/usb/devices:\n\nT:  Bus\u003d09 Lev\u003d01 Prnt\u003d01 Port\u003d00 Cnt\u003d01 Dev#\u003d  2 Spd\u003d12   MxCh\u003d 0\nD:  Ver\u003d 2.00 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d8087 ProdID\u003d0040 Rev\u003d 0.00\nC:* #Ifs\u003d 2 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d  64 Ivl\u003d1ms\nE:  Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d  64 Ivl\u003d0ms\nE:  Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d  64 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 
Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  63 Ivl\u003d1ms\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  63 Ivl\u003d1ms\n\nSigned-off-by: Ravindra \u003cravindra@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "ae3ff17c6240ae8c911a674b76fcea82860b0370",
      "tree": "b5853cd14416ad37aef0171b303733cca4470c16",
      "parents": [
        "ff2e1268ee45f471bb06d4231dc284d5112f1b5c"
      ],
      "author": {
        "name": "luke-yj.chen",
        "email": "luke-yj.chen@mediatek.com",
        "time": "Tue May 12 14:03:18 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 13 12:47:00 2026 -0400"
      },
      "message": "Bluetooth: btusb: MT7925: Add VID/PID 13d3/3609\n\nAdd VID 13d3 \u0026 PID 3609 for MediaTek MT7925 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT:  Bus\u003d06 Lev\u003d01 Prnt\u003d01 Port\u003d00 Cnt\u003d01 Dev#\u003d  2 Spd\u003d480  MxCh\u003d 0\nD:  Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d  1\nP:  Vendor\u003d13d3 ProdID\u003d3609 Rev\u003d 1.00\nS:  Manufacturer\u003dMediaTek Inc.\nS:  Product\u003dWireless_Device\nS:  SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA:  FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d  16 Ivl\u003d125us\nE:  Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE:  Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   0 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d   9 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  17 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  25 Ivl\u003d1ms\nI:  If#\u003d 1 
Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  33 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  49 Ivl\u003d1ms\nI:  If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d  63 Ivl\u003d1ms\nE:  Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d  63 Ivl\u003d1ms\nI:  If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d  64 Ivl\u003d125us\nE:  Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d  64 Ivl\u003d125us\nI:* If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE:  Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE:  Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nSigned-off-by: luke-yj.chen \u003cluke-yj.chen@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "ff2e1268ee45f471bb06d4231dc284d5112f1b5c",
      "tree": "01cca95cc0a25dbc97c63ac5d99df817a6dc5222",
      "parents": [
        "fcadc2780bf27ec568b2f8ee68ebfec0350de333"
      ],
      "author": {
        "name": "Breno Leitao",
        "email": "leitao@debian.org",
        "time": "Tue May 12 04:12:21 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 12 13:33:24 2026 -0400"
      },
      "message": "Bluetooth: SCO: convert to getsockopt_iter\n\nConvert SCO socket\u0027s getsockopt implementation to use the new\ngetsockopt_iter callback with sockopt_t.\n\nKey changes:\n- Replace (char __user *optval, int __user *optlen) with sockopt_t *opt\n- Use opt-\u003eoptlen for buffer length (input) and returned size (output)\n- Use copy_to_iter() instead of put_user()/copy_to_user()\n- Drop the open-coded ptr cursor in BT_CODEC; iter_out advances on\n  every copy_to_iter() naturally\n- Add linux/uio.h for copy_to_iter()\n\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "fcadc2780bf27ec568b2f8ee68ebfec0350de333",
      "tree": "b1fb22cececaad9563667147b3a555e88f0486ff",
      "parents": [
        "477cbdca75685581c0cbf91efaad62718ffd621e"
      ],
      "author": {
        "name": "Breno Leitao",
        "email": "leitao@debian.org",
        "time": "Tue May 12 04:12:20 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 12 13:33:22 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: convert to getsockopt_iter\n\nConvert L2CAP socket\u0027s getsockopt implementation to use the new\ngetsockopt_iter callback with sockopt_t.\n\nKey changes:\n- Replace (char __user *optval, int __user *optlen) with sockopt_t *sopt\n- Use sopt-\u003eoptlen for buffer length (input)\n- Use copy_to_iter() instead of put_user()/copy_to_user()\n- Add linux/uio.h for copy_to_iter()\n\nThe sockopt_t parameter is named sopt rather than opt to avoid\ncollision with the existing local u32 opt used by L2CAP_LM. The same\nnaming is reused for the new u32 helper in l2cap_sock_getsockopt(),\nwith mtu and mval helpers covering the u16 and u8 cases.\n\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "477cbdca75685581c0cbf91efaad62718ffd621e",
      "tree": "3cdd7d352882d5b1045e3f1bf73e557b7d13386e",
      "parents": [
        "2b650bf299b694dcafd95f879c3f604a6b96d2d7"
      ],
      "author": {
        "name": "Breno Leitao",
        "email": "leitao@debian.org",
        "time": "Tue May 12 04:12:19 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 12 13:33:20 2026 -0400"
      },
      "message": "Bluetooth: RFCOMM: convert to getsockopt_iter\n\nConvert RFCOMM socket\u0027s getsockopt implementation to use the new\ngetsockopt_iter callback with sockopt_t.\n\nKey changes:\n- Replace (char __user *optval, int __user *optlen) with sockopt_t *sopt\n- Use sopt-\u003eoptlen for buffer length (input)\n- Use copy_to_iter() instead of put_user()/copy_to_user()\n- Add linux/uio.h for copy_to_iter()\n\nThe sockopt_t parameter is named sopt rather than opt to avoid\ncollision with the existing local u32 opt used by RFCOMM_LM.\n\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "2b650bf299b694dcafd95f879c3f604a6b96d2d7",
      "tree": "63580f76b3d60e9bcc841743ba544b187f65ecbe",
      "parents": [
        "317bb006946ae167995d6a8979dd67188fc4f832"
      ],
      "author": {
        "name": "Breno Leitao",
        "email": "leitao@debian.org",
        "time": "Tue May 12 04:12:18 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 12 13:33:18 2026 -0400"
      },
      "message": "Bluetooth: ISO: convert to getsockopt_iter\n\nConvert ISO socket\u0027s getsockopt implementation to use the new\ngetsockopt_iter callback with sockopt_t.\n\nKey changes:\n- Replace (char __user *optval, int __user *optlen) with sockopt_t *opt\n- Use opt-\u003eoptlen for buffer length (input) and returned size (output)\n- Use copy_to_iter() instead of put_user()/copy_to_user()\n- Add linux/uio.h for copy_to_iter()\n\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "317bb006946ae167995d6a8979dd67188fc4f832",
      "tree": "52e2473f55f50d0c1b1fce8abbc305af7b7ceec9",
      "parents": [
        "375386737970f6f7576e366da4a894a1291279c1"
      ],
      "author": {
        "name": "Breno Leitao",
        "email": "leitao@debian.org",
        "time": "Tue May 12 04:12:17 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 12 13:33:17 2026 -0400"
      },
      "message": "Bluetooth: hci_sock: convert to getsockopt_iter\n\nConvert HCI socket\u0027s getsockopt implementation to use the new\ngetsockopt_iter callback with sockopt_t.\n\nKey changes:\n- Replace (char __user *optval, int __user *optlen) with sockopt_t *sopt\n- Use sopt-\u003eoptlen for buffer length (input)\n- Use copy_to_iter() instead of put_user()/copy_to_user()\n- Add linux/uio.h for copy_to_iter()\n\nThe sockopt_t parameter is named sopt rather than opt to avoid\ncollision with the existing local int opt used by HCI_DATA_DIR and\nHCI_TIME_STAMP.\n\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "375386737970f6f7576e366da4a894a1291279c1",
      "tree": "08a96ce8d128d981ba1c325cc36ece66ae418243",
      "parents": [
        "c2f0079e8c42fd6814c8d6b1491e3ce0a0e3b3fa"
      ],
      "author": {
        "name": "Breno Leitao",
        "email": "leitao@debian.org",
        "time": "Tue May 12 04:12:16 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Tue May 12 13:33:15 2026 -0400"
      },
      "message": "Bluetooth: hci_sock: write the full optval for getsockopt\n\nIn hci_sock_getsockopt_old(), HCI_DATA_DIR and HCI_TIME_STAMP both store\ntheir value into a local int and then call put_user(opt, optval). Because\noptval is the function parameter typed char __user *, put_user sizes the\nwrite from sizeof(*optval), so only the low byte of the int is copied to\nuserspace.\n\nThe matching setsockopt path reads sizeof(int) via copy_safe_from_sockptr,\nso userspace passes a 4-byte buffer in both directions but previously got\nback only one initialized byte on the read side.\n\nNot sending this through \u0027net\u0027 tree given this bug is mostly invisible,\ngiven opt is 0/1, and the last byte is being properly copied.\n\nWith this change, the upcoming translation to .getsockopt_iter becomes\nmechanical.\n\nFWIW: This behavior appeared in commit 1da177e4c3f4 (\"Linux-2.6.12-rc2\").\n\nSigned-off-by: Breno Leitao \u003cleitao@debian.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "c2f0079e8c42fd6814c8d6b1491e3ce0a0e3b3fa",
      "tree": "6e6bb7d8bcd4abf2f92121d80371fae3ac1b3452",
      "parents": [
        "82b794a4b4df11ae58c2368f551f4310725ebf52"
      ],
      "author": {
        "name": "Shuai Zhang",
        "email": "shuai.zhang@oss.qualcomm.com",
        "time": "Mon May 11 21:58:37 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 11 15:26:10 2026 -0400"
      },
      "message": "Bluetooth: hci_qca: Convert timeout from jiffies to ms\n\nSince the timer uses jiffies as its unit rather than ms, the timeout value\nmust be converted from ms to jiffies when configuring the timer. Otherwise,\nthe intended 8s timeout is incorrectly set to approximately 33s.\n\nTo improve readability, embed msecs_to_jiffies() directly in the macro\ndefinitions and drop the _MS suffix from macros that now yield jiffies\nvalues: MEMDUMP_TIMEOUT, FW_DOWNLOAD_TIMEOUT, IBS_DISABLE_SSR_TIMEOUT,\nCMD_TRANS_TIMEOUT, and IBS_BTSOC_TX_IDLE_TIMEOUT.\n\nIBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are\nintentionally left unchanged. Their values are stored in the struct fields\nwake_retrans and tx_idle_delay, which hold ms values at runtime and can be\nmodified via debugfs. The msecs_to_jiffies() conversion happens at each\ncall site against the field value, so it cannot be embedded in the macro.\n\nWake timer depends on commit c347ca17d62a\n\nCc: stable@vger.kernel.org\nFixes: d841502c79e3 (\"Bluetooth: hci_qca: Collect controller memory dump during SSR\")\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nAcked-by: Bartosz Golaszewski \u003cbartosz.golaszewski@linaro.org\u003e\nSigned-off-by: Shuai Zhang \u003cshuai.zhang@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "82b794a4b4df11ae58c2368f551f4310725ebf52",
      "tree": "fe82672f60bf36992e4cec0ed5bdbf529fdce129",
      "parents": [
        "162b1adeb057d28ad84fd8a03f3c50cf08db5c62"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Mon May 11 08:26:41 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 11 10:30:18 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer\n\nCommit 1c08108f3014 (\"Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end\nwarnings\") converted the on-stack request PDU in l2cap_ecred_reconfigure()\nfrom an explicit packed struct to DEFINE_RAW_FLEX(), but did not adjust the\nsize and source-pointer arguments to l2cap_send_cmd():\n\n  -    struct {\n  -            struct l2cap_ecred_reconf_req req;\n  -            __le16 scid;\n  -    } pdu;\n  +    DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1);\n       ...\n       l2cap_send_cmd(conn, chan-\u003eident, L2CAP_ECRED_RECONF_REQ,\n                      sizeof(pdu), \u0026pdu);\n\nAfter the conversion, DEFINE_RAW_FLEX() expands to declare an anonymous\nunion pdu_u plus a local pointer \"pdu\" pointing at it. Therefore:\n\n  - sizeof(pdu) is now sizeof(struct l2cap_ecred_reconf_req *) \u003d 8 on\n    64-bit (4 on 32-bit), not the 6 bytes of (mtu, mps, scid[1]).\n  - \u0026pdu is the address of the local pointer\u0027s stack storage, not the\n    address of the request payload.\n\nl2cap_send_cmd() forwards (data, count) to l2cap_build_cmd(), which calls\nskb_put_data(skb, data, count). The L2CAP_ECRED_RECONFIGURE_REQ packet\nbody therefore contains 8 bytes copied from the kernel stack starting at\n\u0026pdu -- the 8 bytes overlap the pdu pointer\u0027s value, leaking a kernel\nstack address to the paired Bluetooth peer. 
The intended (mtu, mps, scid)\nfields are not transmitted at all, so the peer rejects the request as\nmalformed and the L2CAP_ECRED_RECONFIGURE feature itself has been broken\nfor the local-side initiator since the introducing commit landed.\n\nThe sibling site l2cap_ecred_conn_req() in the same commit was converted\ncorrectly (sizeof(*pdu) + len, pdu); only this site was missed.\n\nRestore the original semantics: pass the full flex-struct size via\nstruct_size(pdu, scid, 1) and the pdu pointer (the struct address) as\nthe source.\n\nValidated on a stock 7.0-based host kernel via the real call path:\nsetsockopt(SOL_BLUETOOTH, BT_RCVMTU, ...) on a BT_CONNECTED\nL2CAP_MODE_EXT_FLOWCTL socket emits an L2CAP_ECRED_RECONFIGURE_REQ\nwhose body is 8 bytes (the on-stack pdu local\u0027s value) rather than\nthe expected 6. Three captures from fresh socket / fresh hciemu peer\non the same host -- low bytes vary per call, high 0xffff confirms a\nkernel virtual address (KASLR-randomised stack slot, not a fixed\nstring):\n\n  RECONF_REQ body (ident\u003d0x02 len\u003d8): 42 fb 54 af 0e ca ff ff\n  RECONF_REQ body (ident\u003d0x02 len\u003d8): 52 3d 2e af 0e ca ff ff\n  RECONF_REQ body (ident\u003d0x02 len\u003d8): b2 fc 5b af 0e ca ff ff\n\nAfter this patch the body is 6 bytes carrying the expected\nlittle-endian (mtu, mps, scid).\n\nCc: stable@vger.kernel.org\nFixes: 1c08108f3014 (\"Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings\")\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "162b1adeb057d28ad84fd8a03f3c50cf08db5c62",
      "tree": "d36a417accb4a1daecd40f9967bd8d25ef8736b8",
      "parents": [
        "303bd23ee2e9c485ebc18c62b29ab972f56a3244"
      ],
      "author": {
        "name": "Pauli Virtanen",
        "email": "pav@iki.fi",
        "time": "Fri Apr 24 22:24:29 2026 +0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Mon May 11 10:26:17 2026 -0400"
      },
      "message": "Bluetooth: btmtk: accept too short WMT FUNC_CTRL events\n\nMT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT\nFUNC_CTRL events that are missing the status field.\n\nPrior to commit 006b9943b982 (\"Bluetooth: btmtk: validate WMT event SKB\nlength before struct access\") the status was read from out-of-bounds of\nSKB data, which usually would result in success with\nBTMTK_WMT_ON_UNDONE, although I don\u0027t know the intent here.  The bounds\ncheck added in that commit returns with error instead, producing\n\"Bluetooth: hci0: Failed to send wmt func ctrl (-22)\" and makes the\ndevice unusable.\n\nFix the regression by interpreting a too short packet as status\nBTMTK_WMT_ON_UNDONE, which makes the device work normally again.\n\nFixes: 041e88fb0c08 (\"Bluetooth: btmtk: validate WMT event SKB length before struct access\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nTested-by: Mikhail Gavrilov \u003cmikhail.v.gavrilov@gmail.com\u003e # MT7922 (0489:e0e2)\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "303bd23ee2e9c485ebc18c62b29ab972f56a3244",
      "tree": "d6a3ae6094733e7af311670cdceb65b936bc791a",
      "parents": [
        "6911f19876fbf65116c61ae93a47e2316b41d5a4"
      ],
      "author": {
        "name": "Jiexun Wang",
        "email": "wangjiexun2025@gmail.com",
        "time": "Wed May 06 19:43:30 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Thu May 07 13:51:02 2026 -0400"
      },
      "message": "Bluetooth: serialize accept_q access\n\nbt_sock_poll() walks the accept queue without synchronization, while\nchild teardown can unlink the same socket and drop its last reference.\nThe unsynchronized accept queue walk has existed since the initial\nBluetooth import.\n\nProtect accept_q with a dedicated lock for queue updates and polling.\nAlso rework bt_accept_dequeue() to take temporary child references under\nthe queue lock before dropping it and locking the child socket.\n\nFixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (\"Linux-2.6.12-rc2\")\nCc: stable@vger.kernel.org\nReported-by: Jann Horn \u003cjannh@google.com\u003e\nReported-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nReported-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nSigned-off-by: Jiexun Wang \u003cwangjiexun2025@gmail.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nSigned-off-by: Jiexun Wang \u003cwangjiexun2025@gmail.com\u003e\nReviewed-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "6911f19876fbf65116c61ae93a47e2316b41d5a4",
      "tree": "06f9acd4ca4919eb617f866d6b3d0da908418dfa",
      "parents": [
        "fa0ad6bc56675ed47f59b82616865a398565cbb7"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Sat May 02 12:43:03 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:53:00 2026 -0400"
      },
      "message": "Bluetooth: HIDP: serialise l2cap_unregister_user via hidp_session_sem\n\nCommit dbf666e4fc9b (\"Bluetooth: HIDP: Fix possible UAF\") made\nhidp_session_remove() drop the L2CAP reference and set\nsession-\u003econn \u003d NULL once the session is considered removed, and\nadded a bare if (session-\u003econn) guard around the kthread-exit\nl2cap_unregister_user() call in hidp_session_thread().  The sibling\nioctl site in hidp_connection_del() still reads session-\u003econn\nunlocked and unguarded, and the kthread-exit guard itself is a\nlockless double-read.\n\nhidp_session_find() drops hidp_session_sem before returning, so\nhidp_session_remove() can null session-\u003econn between the lookup and\nthe call in hidp_connection_del().  Worse, since commit 752a6c9596dd\n(\"Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\")\ntakes mutex_lock(\u0026conn-\u003elock) inside l2cap_unregister_user(), a\nstale non-NULL snapshot also UAFs on conn-\u003elock.  v1 only added an\nif (session-\u003econn) guard at the ioctl site, which doesn\u0027t address\neither race; Luiz suggested snapshotting session-\u003econn under the\nsem and clearing it before the call.\n\nTaking hidp_session_sem across l2cap_unregister_user() would be\nwrong: l2cap_conn_del() already establishes the lock order\n\n  conn-\u003elock -\u003e hidp_session_sem\n\nvia l2cap_unregister_all_users() -\u003e user-\u003eremove \u003d\u003d\nhidp_session_remove(), so taking hidp_session_sem before conn-\u003elock\nwould AB/BA deadlock.\n\nFactor a helper hidp_session_unregister_conn() that under\ndown_write(\u0026hidp_session_sem) snapshots session-\u003econn and clears\nthe member, then outside the sem calls l2cap_unregister_user() and\nl2cap_conn_put() on the snapshot.  Call it from both\nhidp_connection_del() and hidp_session_thread()\u0027s exit path.  
At\nmost one consumer wins the write-sem; later callers observe\nsession-\u003econn \u003d\u003d NULL and skip the unregister and put, so the\nreference hidp_session_new() took via l2cap_conn_get() is consumed\nexactly once.  session_free() already tolerates a NULL session-\u003econn.\n\nFixes: dbf666e4fc9b (\"Bluetooth: HIDP: Fix possible UAF\")\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.dentz@gmail.com\u003e\nLink: https://lore.kernel.org/all/20260422011437.176643-1-michael.bommarito@gmail.com/\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "fa0ad6bc56675ed47f59b82616865a398565cbb7",
      "tree": "3689d45894fa80bef83a6d19a8297227267744ec",
      "parents": [
        "81e4c2a6b92741d2d86e60e1e14c5b193fb88ff2"
      ],
      "author": {
        "name": "Ethan Nelson-Moore",
        "email": "enelsonmoore@gmail.com",
        "time": "Sat May 02 20:31:21 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:52:35 2026 -0400"
      },
      "message": "bluetooth: remove all PCMCIA drivers\n\nPCMCIA is almost completely obsolete (the last computers supporting it\nnatively were from ~2009), and the general consensus [1] seems to be\nthat support for it should be gradually removed from the kernel.\n\nIn 2023, an initial step of removing all the PCMCIA char drivers was\ntaken in commit 9b12f050c76f (\"char: pcmcia: remove all the drivers\"),\nand that has not been reverted, so it seems logical to continue this\nprocess by removing more low-hanging fruit.\n\nThese three Bluetooth drivers have had no meaningful changes since\ntheir status was discussed in 2022 [2], and are unlikely to have any\nremaining users. The latest functional change to any of them was a\npatch to bluecard_cs to fix LED blinking behavior in 2017. The other\ntwo drivers have not had any meaningful changes made since 2007. Remove\nthem.\n\nNote that even with these drivers removed, it is still possible to use\nother PCMCIA Bluetooth cards that present themselves as a standard\nserial port via serial_cs and hciattach while the serial_cs driver is\nstill present.\n\n[1] https://lore.kernel.org/all/c5b39544-a4fb-4796-a046-0b9be9853787@app.fastmail.com/\n[2] https://lore.kernel.org/all/Y07d7rMvd5++85BJ@owl.dominikbrodowski.net/\n\nSigned-off-by: Ethan Nelson-Moore \u003cenelsonmoore@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "81e4c2a6b92741d2d86e60e1e14c5b193fb88ff2",
      "tree": "4b1748b7b7cfe19c1e7f4bace95fd432ad45b9bf",
      "parents": [
        "09d555136e011b7a083f1f7b40b86b6894e94a3f"
      ],
      "author": {
        "name": "Jann Horn",
        "email": "jannh@google.com",
        "time": "Wed Apr 29 15:40:46 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:52:13 2026 -0400"
      },
      "message": "Bluetooth: hci_event: fix memset typo\n\nhci_le_big_sync_established_evt() currently does:\n\n    conn-\u003enum_bis \u003d 0;\n    memset(conn-\u003ebis, 0, sizeof(conn-\u003enum_bis));\n\nsizeof(conn-\u003enum_bis) is wrong - it would make sense to either use\nconn-\u003enum_bis (before setting that to 0) or sizeof(conn-\u003ebis).\nFix it by using sizeof(conn-\u003ebis), the least intrusive change.\n\nLuckily, nothing actually depends on this memset() working properly:\nNothing seems to ever read from conn-\u003ebis beyond conn-\u003enum_bis, and when\nconn-\u003enum_bis is increased, the corresponding elements of conn-\u003ebis are\ninitialized. So I think this line could also just be removed.\n\nThis is a purely theoretical fix and should have no impact on actual\nbehavior.\n\nFixes: 42ecf1947135 (\"Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending\")\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "09d555136e011b7a083f1f7b40b86b6894e94a3f",
      "tree": "68d89d7b742adf80c6f2cf2657a4dc460dd202ab",
      "parents": [
        "4a1507625b027789d840a4a393e13d930558ff36"
      ],
      "author": {
        "name": "Alexej Sidorenko",
        "email": "alexej@sidorenko.cz",
        "time": "Wed Apr 29 17:13:43 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:51:50 2026 -0400"
      },
      "message": "Bluetooth: btrtl: fix RTL8761B/BU broken LE extended scan\n\nRTL8761B and RTL8761BU devices report HCI version 5.1 but do not\nsupport the LE Extended Scan commands. This causes repeated failures\nwith Opcode 0x2042 (LE Set Extended Scan Parameters) returning -EBUSY\nwhen BlueZ attempts extended scanning while a connection is active.\n\nSet HCI_QUIRK_BROKEN_EXT_SCAN for CHIP_ID_8761B to make BlueZ fall\nback to legacy LE scan commands which the firmware supports correctly.\n\nTested with RTL8761BU (USB ID 0bda:a728) where the issue manifested\nas continuous \u0027Opcode 0x2042 failed: -16\u0027 errors in dmesg whenever\na BLE connection was active.\n\nSigned-off-by: Alexej Sidorenko \u003calexej@sidorenko.cz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "4a1507625b027789d840a4a393e13d930558ff36",
      "tree": "7256011eea95e92964910a5143b7bdcedbd0b954",
      "parents": [
        "7761cf859c21e90ba80cae57f6717be7e5c9f951"
      ],
      "author": {
        "name": "Eric Biggers",
        "email": "ebiggers@kernel.org",
        "time": "Tue Apr 21 16:09:17 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:51:22 2026 -0400"
      },
      "message": "Bluetooth: SMP: Use AES-CMAC library API\n\nNow that AES-CMAC has a library API, convert net/bluetooth/smp.c to use\nit instead of the \"cmac(aes)\" crypto_shash.  Since the library API\ndoesn\u0027t require dynamic memory allocation, we no longer need to pass a\ncrypto_shash object down the call stack and can simply allocate the\naes_cmac_key on the stack in smp_aes_cmac() (renamed from aes_cmac()).\n\nThe result is simpler and faster code that no longer relies on the\nerror-prone loading of algorithms by name.\n\nNote that the maximum stack usage actually decreases slightly, despite\nthe expanded AES key being moved to the stack.  This is because the old\ncode called crypto_shash_tfm_digest(), which allocates 384 bytes on the\nstack for a maximally-sized hash descriptor for any algorithm.  The new\ncode instead declares a 288-byte aes_cmac_key, then calls aes_cmac()\nwhich declares a 32-byte aes_cmac_ctx.  Since 288 + 32 \u003c 384, the\nmaximum stack usage decreases.  I.e. the entire expanded AES key easily\nfits in the space that the generic crypto API was wasting before.\n\nI didn\u0027t add zeroization of the aes_cmac_key, since smp_aes_cmac()\nalready copies the raw key to the stack without zeroizing it.\n\nReviewed-by: Ard Biesheuvel \u003cardb@kernel.org\u003e\nSigned-off-by: Eric Biggers \u003cebiggers@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "7761cf859c21e90ba80cae57f6717be7e5c9f951",
      "tree": "6cdaf81d01f5dc4f307ce96852427cfb6de611ac",
      "parents": [
        "563d5229b8dc845076ee9ef02232658bcc07f3ff"
      ],
      "author": {
        "name": "Eric Biggers",
        "email": "ebiggers@kernel.org",
        "time": "Tue Apr 21 16:09:16 2026 -0700"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:50:56 2026 -0400"
      },
      "message": "Bluetooth: Remove unneeded crypto kconfig selections\n\nRemove several kconfig selections that are no longer needed:\n\n  - CRYPTO_SKCIPHER and CRYPTO_ECB have been unneeded since\n    commit a4770e1117f1 (\"Bluetooth: Switch SMP to\n    crypto_cipher_encrypt_one()\") in 2016.\n\n  - CRYPTO_SHA256 has been unneeded since\n    commit e7b02296fb40 (\"Bluetooth: Remove BT_HS\") in 2024.\n\nSigned-off-by: Eric Biggers \u003cebiggers@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "563d5229b8dc845076ee9ef02232658bcc07f3ff",
      "tree": "3e10e137d83a27453835bc8f10515d8d79e649f2",
      "parents": [
        "5e942975f2d62e93ac096464d01d92cdd54f3f15"
      ],
      "author": {
        "name": "Chen Zhang",
        "email": "zhangchen01@kylinos.cn",
        "time": "Fri Apr 24 20:25:22 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:50:33 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add Realtek RTL8922AE VID/PID 0bda/d923\n\nAdd the vendor/product ID (0x0bda, 0xd923) to usb_device_id table for\nRealtek RTL8922AE.\n\nThe device info from /sys/kernel/debug/usb/devices as below.\n\nSigned-off-by: Chen Zhang \u003czhangchen01@kylinos.cn\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "5e942975f2d62e93ac096464d01d92cdd54f3f15",
      "tree": "fd6de33f4f0c54d9af6f7294a062fc1bf68edf2e",
      "parents": [
        "1203f09c831c7273de91860f2ac9a948d617f3bc"
      ],
      "author": {
        "name": "Chen Zhang",
        "email": "zhangchen01@kylinos.cn",
        "time": "Fri Apr 24 20:09:28 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:50:10 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add Realtek RTL8922AE VID/PID 0bda/d922\n\nAdd the vendor/product ID (0x0bda, 0xd922) to usb_device_id table for\nRealtek RTL8922AE.\n\nThe device info from /sys/kernel/debug/usb/devices as below.\n\nSigned-off-by: Chen Zhang \u003czhangchen01@kylinos.cn\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "1203f09c831c7273de91860f2ac9a948d617f3bc",
      "tree": "9b6ffe0c663017cc565f119741daa5367f7aefe5",
      "parents": [
        "a904b32e9172e0f43c8c6fdf2e24bdaac294a8fc"
      ],
      "author": {
        "name": "Pengpeng Hou",
        "email": "pengpeng@iscas.ac.cn",
        "time": "Thu Apr 23 23:31:00 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:49:47 2026 -0400"
      },
      "message": "Bluetooth: RFCOMM: pull credit byte with skb_pull_data()\n\nrfcomm_recv_data() treats the first payload byte as a credit field when\nthe UIH frame carries PF and credit-based flow control is enabled.\n\nAfter the header has been stripped, the PF/CFC path consumes that byte\nwith a direct skb-\u003edata dereference followed by skb_pull(). A malformed\nshort frame can reach this path without a byte available.\n\nUse skb_pull_data() so the length check and pull happen together before\nthe returned credit byte is consumed.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Pengpeng Hou \u003cpengpeng@iscas.ac.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "a904b32e9172e0f43c8c6fdf2e24bdaac294a8fc",
      "tree": "bcdbe7bb2bf0e4ac8de9d098976adb3b32229545",
      "parents": [
        "84a362e0b391ad0900f328dca8f6042fa47dbe2a"
      ],
      "author": {
        "name": "Hrvoje Nuic",
        "email": "hrvoje.nuic@gmail.com",
        "time": "Wed Apr 22 23:26:47 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:49:25 2026 -0400"
      },
      "message": "Bluetooth: btusb: Add Mercusys MA530 for Realtek RTL8761BUV\n\nAdd the USB ID for the Mercusys MA530 Bluetooth adapter. The device uses\na Realtek RTL8761BUV controller and works with the existing Realtek setup\npath.\n\nThe device reports vendor ID 0x2c4e and product ID 0x0115, and loads the\nrtl_bt/rtl8761bu_fw.bin firmware successfully with this quirk.\n\nSigned-off-by: Hrvoje Nuic \u003chrvoje.nuic@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "84a362e0b391ad0900f328dca8f6042fa47dbe2a",
      "tree": "0fe0d7f4a04500face5bd731dffee8b7cb2fced6",
      "parents": [
        "a7f3eb1471fa1095affb227d07c3b555b9a0835c"
      ],
      "author": {
        "name": "Pauli Virtanen",
        "email": "pav@iki.fi",
        "time": "Sat Apr 11 21:15:09 2026 +0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:49:02 2026 -0400"
      },
      "message": "Bluetooth: 6lowpan: fix cyclic locking warning on netdev unregister\n\n6lowpan.c has theoretically conflicting lock orderings, which lockdep\ncomplains about:\n\n    a) rtnl_lock \u003e hdev-\u003eworkqueue\n\n    from 6lowpan.c:delete_netdev -\u003e rtnl_lock -\u003e device_del\n    -\u003e put_device(parent) -\u003e hci_release_dev -\u003e destroy_workqueue\n\n    b) hdev-\u003eworkqueue \u003e l2cap_conn-\u003elock \u003e chan-\u003elock \u003e rtnl_lock\n\n    from hci_rx_work -\u003e 6lowpan.c:chan_ready_cb\n    -\u003e lowpan_register_netdev, ifup -\u003e rtnl_lock\n\nActual deadlock appears not possible, as hci_rx_work is disabled and\nl2cap_conn flushed already on hdev unregister. Hence, do minimal thing\nto make lockdep happy by breaking chain a) by holding hdev refcount\nuntil after netdev put in 6lowpan.c.\n\nFixes the lockdep complaint:\nWARNING: possible circular locking dependency detected.\nkworker/0:1/11 is trying to acquire lock:\nffff8880023b3940 ((wq_completion)hci0#2){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x8b/0x130\nbut task is already holding lock:\nffffffff95e4f9c0 (rtnl_mutex){+.+.}-{4:4}, at: lowpan_unregister_netdev+0xd/0x30\nWorkqueue: events delete_netdev\n\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "a7f3eb1471fa1095affb227d07c3b555b9a0835c",
      "tree": "4ae9e70d86c61fa192925817ba849d36ea190a4f",
      "parents": [
        "cc3d463cadd9ed585125b6292790fb8970ab6db7"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Tue Apr 21 13:08:45 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:48:40 2026 -0400"
      },
      "message": "Bluetooth: virtio_bt: validate rx pkt_type header length\n\nvirtbt_rx_handle() reads the leading pkt_type byte from the RX skb\nand forwards the remainder to hci_recv_frame() for every\nevent/ACL/SCO/ISO type, without checking that the remaining payload\nis at least the fixed HCI header for that type.\n\nAfter the preceding patch bounds the backend-supplied used.len to\n[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches\nhci_recv_frame() with skb-\u003elen already pulled to 0. If the byte\nhappened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification\nfast-path in hci_dev_classify_pkt_type() dereferences\nhci_acl_hdr(skb)-\u003ehandle whenever the HCI device has an active\nCIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of\nuninitialized RX-buffer data. The same hazard exists for every\npacket type the driver accepts because none of the switch cases in\nvirtbt_rx_handle() check skb-\u003elen against the per-type minimum HCI\nheader size before handing the frame to the core.\n\nAfter stripping pkt_type, require skb-\u003elen to cover the fixed\nheader size for the selected type (event 2, ACL 4, SCO 3, ISO 4)\nbefore calling hci_recv_frame(); drop ratelimited otherwise.\nUnknown pkt_type values still take the original kfree_skb() default\npath.\n\nUse bt_dev_err_ratelimited() because both the length and pkt_type\nvalues come from an untrusted backend that can otherwise flood the\nkernel log.\n\nFixes: 160fbcf3bfb9 (\"Bluetooth: virtio_bt: Use skb_put to set length\")\nCc: stable@vger.kernel.org\nCc: Soenke Huster \u003csoenke.huster@eknoes.de\u003e\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "cc3d463cadd9ed585125b6292790fb8970ab6db7",
      "tree": "c3e4ba0753e835c3a3d95a4cc527a96048386bfa",
      "parents": [
        "041e88fb0c0864d76cc65ee1d1a72bdcdaa0b089"
      ],
      "author": {
        "name": "Michael Bommarito",
        "email": "michael.bommarito@gmail.com",
        "time": "Tue Apr 21 13:08:44 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:48:19 2026 -0400"
      },
      "message": "Bluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len \u003d\u003d 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb-\u003edata, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len \u003d\u003d 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length.\n\nFixes: 160fbcf3bfb9 (\"Bluetooth: virtio_bt: Use skb_put to set length\")\nCc: stable@vger.kernel.org\nCc: Soenke Huster \u003csoenke.huster@eknoes.de\u003e\nSigned-off-by: Michael Bommarito \u003cmichael.bommarito@gmail.com\u003e\nAssisted-by: Claude:claude-opus-4-7\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "041e88fb0c0864d76cc65ee1d1a72bdcdaa0b089",
      "tree": "f1742e910bfa5032c63eebdb828b71ef4a7318fb",
      "parents": [
        "3118c1862f15ba6579686c0f0f152fba4b07b26c"
      ],
      "author": {
        "name": "Tristan Madani",
        "email": "tristan@talencesecurity.com",
        "time": "Tue Apr 21 11:14:54 2026 +0000"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:47:58 2026 -0400"
      },
      "message": "Bluetooth: btmtk: validate WMT event SKB length before struct access\n\nbtmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to\nstruct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc\n(9 bytes) without first checking that the SKB contains enough data.\nA short firmware response causes out-of-bounds reads from SKB tailroom.\n\nUse skb_pull_data() to validate and advance past the base WMT event\nheader. For the FUNC_CTRL case, pull the additional status field bytes\nbefore accessing them.\n\nFixes: d019930b0049 (\"Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c\")\nCc: stable@vger.kernel.org\nSigned-off-by: Tristan Madani \u003ctristan@talencesecurity.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "3118c1862f15ba6579686c0f0f152fba4b07b26c",
      "tree": "4e799a30d290204c000852eaf99fb02d12da241f",
      "parents": [
        "b3578e246758c2a0ea0f49ac7e9e127c908c6ba7"
      ],
      "author": {
        "name": "SeungJu Cheon",
        "email": "suunj1331@gmail.com",
        "time": "Tue Apr 21 11:51:22 2026 +0900"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:47:37 2026 -0400"
      },
      "message": "Bluetooth: ISO: Fix data-race on iso_pi(sk) in socket and HCI event paths\n\nSeveral iso_pi(sk) fields (qos, qos_user_set, bc_sid, base, base_len,\nsync_handle, bc_num_bis) are written under lock_sock in\niso_sock_setsockopt() and iso_sock_bind(), but read and written under\nhci_dev_lock only in two other paths:\n\n  - iso_connect_bis() / iso_connect_cis(), invoked from connect(2),\n    read qos/base/bc_sid and reset qos to default_qos on the\n    qos_user_set validation failure -- all without lock_sock.\n\n  - iso_connect_ind(), invoked from hci_rx_work, writes sync_handle,\n    bc_sid, qos.bcast.encryption, bc_num_bis, base and base_len on\n    PA_SYNC_ESTABLISHED / PAST_RECEIVED / BIG_INFO_ADV_REPORT /\n    PER_ADV_REPORT events. The BIG_INFO handler additionally passes\n    \u0026iso_pi(sk)-\u003eqos together with sync_handle / bc_num_bis / bc_bis\n    to hci_conn_big_create_sync() while setsockopt may be mutating\n    them.\n\nAcquire lock_sock around the affected accesses in both paths.\n\nThe locking order hci_dev_lock -\u003e lock_sock matches the existing\niso_conn_big_sync() precedent, whose comment documents the same\nrequirement for hci_conn_big_create_sync(). 
The HCI connect/bind\nhelpers do not wait for command completion -- they enqueue work via\nhci_cmd_sync_queue{,_once}() / hci_le_create_cis_pending() and\nreturn -- so the added hold time is comparable to iso_conn_big_sync().\n\nKCSAN report:\n\nBUG: KCSAN: data-race in iso_connect_cis / iso_sock_setsockopt\n\nread to 0xffffa3ae8ce3cdc8 of 1 bytes by task 335 on cpu 0:\n iso_connect_cis+0x49f/0xa20\n iso_sock_connect+0x60e/0xb40\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nwrite to 0xffffa3ae8ce3cdc8 of 60 bytes by task 334 on cpu 1:\n iso_sock_setsockopt+0x69a/0x930\n do_sock_setsockopt+0xc3/0x170\n __sys_setsockopt+0xd1/0x130\n __x64_sys_setsockopt+0x64/0x80\n x64_sys_call+0x1547/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 UID: 0 PID: 334 Comm: iso_setup_race Not tainted 7.0.0-10949-g8541d8f725c6 #44 PREEMPT(lazy)\n\nThe iso_connect_ind() races were found by inspection.\n\nFixes: ccf74f2390d6 (\"Bluetooth: Add BTPROTO_ISO socket type\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "b3578e246758c2a0ea0f49ac7e9e127c908c6ba7",
      "tree": "a8e62139ca492e9c8790cf793937f5e3b28a21f8",
      "parents": [
        "f390196e76ebffcafff1cd189d5ed96201c89084"
      ],
      "author": {
        "name": "SeungJu Cheon",
        "email": "suunj1331@gmail.com",
        "time": "Tue Apr 21 11:51:21 2026 +0900"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:47:19 2026 -0400"
      },
      "message": "Bluetooth: ISO: Fix data-race on dst in iso_sock_connect()\n\niso_sock_connect() copies the destination address into\niso_pi(sk)-\u003edst under lock_sock, then releases the lock and reads\nit back with bacmp() to decide between the CIS and BIS connect\npaths:\n\n    lock_sock(sk);\n    bacpy(\u0026iso_pi(sk)-\u003edst, \u0026sa-\u003eiso_bdaddr);\n    iso_pi(sk)-\u003edst_type \u003d sa-\u003eiso_bdaddr_type;\n    release_sock(sk);\n\n    if (bacmp(\u0026iso_pi(sk)-\u003edst, BDADDR_ANY))  // \u003c- no lock held\n\nThis read after release_sock() races with any concurrent write to\niso_pi(sk)-\u003edst on the same socket.\n\nFix by reading the destination address directly from the local\nsockaddr argument (sa-\u003eiso_bdaddr) instead of iso_pi(sk)-\u003edst.\nSince sa is a function-local argument, reading it requires no\nlocking and avoids the race.\n\nThis patch addresses only the bacmp() race in iso_sock_connect();\nother unprotected iso_pi(sk) accesses are fixed separately in the\nnext patch.\n\nKCSAN report:\n\nBUG: KCSAN: data-race in memcmp+0x39/0xb0\n\nrace at unknown origin, with read to 0xffff8f96ea66dde3 of 1 bytes by task 549 on cpu 1:\n memcmp+0x39/0xb0\n iso_sock_connect+0x275/0xb40\n __sys_connect_file+0xbd/0xe0\n __sys_connect+0xe0/0x110\n __x64_sys_connect+0x40/0x50\n x64_sys_call+0xcad/0x1c60\n do_syscall_64+0x133/0x590\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nvalue changed: 0x00 -\u003e 0xee\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 UID: 0 PID: 549 Comm: iso_race_combin Not tainted 7.0.0-08391-g1d51b370a0f8 #40 PREEMPT(lazy)\n\nFixes: ccf74f2390d6 (\"Bluetooth: Add BTPROTO_ISO socket type\")\nSigned-off-by: SeungJu Cheon \u003csuunj1331@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "f390196e76ebffcafff1cd189d5ed96201c89084",
      "tree": "0ddcbaac4976fc6401d4d576e978f7de6da26b76",
      "parents": [
        "8482335ec203218cdb982655b56d13c7ce495a62"
      ],
      "author": {
        "name": "Aurelien DESBRIERES",
        "email": "aurelien@hackers.camp",
        "time": "Tue Apr 21 15:53:31 2026 +0200"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:46:58 2026 -0400"
      },
      "message": "Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized\n\nWhen a fault is injected during hci_uart line discipline setup, the\nproto open() callback may fail leaving hu-\u003epriv as NULL. A subsequent\nTIOCSTI ioctl can trigger the recv() callback before priv is\ninitialized, causing a NULL pointer dereference.\n\nFix all four affected HCI UART protocol drivers by adding a NULL check\non hu-\u003epriv at the start of their recv() callbacks: h4, h5, ath and\nbcsp.\n\nReported-by: syzbot+ff30eeab8e07b37d524e@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003dff30eeab8e07b37d524e\nSigned-off-by: Aurelien DESBRIERES \u003caurelien@hackers.camp\u003e\nAssisted-by: Claude:claude-sonnet-4-6\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "8482335ec203218cdb982655b56d13c7ce495a62",
      "tree": "246b6c97da66822d77f14d0622d63e7f960d0155",
      "parents": [
        "870accbefaaeb1961e46c1370d99e1f457febfea"
      ],
      "author": {
        "name": "Sai Teja Aluvala",
        "email": "aluvala.sai.teja@intel.com",
        "time": "Mon Apr 20 23:07:35 2026 +0530"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:46:38 2026 -0400"
      },
      "message": "Bluetooth: btintel_pcie: treat boot stage bit 12 as warning\n\nCSR boot stage register bit 12 is documented as a device warning,\nnot a fatal error. Rename the bit definition accordingly and stop\nincluding it in btintel_pcie_in_error().\n\nThis keeps warning-only boot stage values from being classified as\nerrors while preserving abort-handler state as the actual error\ncondition.\n\nFixes: 190377500fde (\"Bluetooth: btintel_pcie: Dump debug registers on error\")\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Sai Teja Aluvala \u003caluvala.sai.teja@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "870accbefaaeb1961e46c1370d99e1f457febfea",
      "tree": "79d407f2b8f24d41544e07b79af31eade63c9370",
      "parents": [
        "0591095905fb05581d607ccfc012d739157eaae3"
      ],
      "author": {
        "name": "Pauli Virtanen",
        "email": "pav@iki.fi",
        "time": "Sat Apr 18 18:41:12 2026 +0300"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:46:18 2026 -0400"
      },
      "message": "Bluetooth: SCO: hold sk properly in sco_conn_ready\n\nsk deref in sco_conn_ready must be done either under conn-\u003elock, or\nholding a refcount, to avoid concurrent close. conn-\u003esk and parent sk is\ncurrently accessed without either, and without checking parent-\u003esk_state:\n\n    [Task 1]            [Task 2]\n                        sco_sock_release\n    sco_conn_ready\n      sk \u003d conn-\u003esk\n                          lock_sock(sk)\n                            conn-\u003esk \u003d NULL\n      lock_sock(sk)\n                          release_sock(sk)\n                          sco_sock_kill(sk)\n       UAF on sk deref\n\nand similarly for access to sco_get_sock_listen() return value.\n\nFix possible UAF by holding sk refcount in sco_conn_ready() and making\nsco_get_sock_listen() increase refcount. Also recheck after lock_sock\nthat the socket is still valid.  Adjust conn-\u003esk locking so it\u0027s\nprotected also by lock_sock() of the associated socket if any.\n\nFixes: 27c24fda62b60 (\"Bluetooth: switch to lock_sock in SCO\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "0591095905fb05581d607ccfc012d739157eaae3",
      "tree": "d9d2adc0dd424d5b028356069f5a33510efa088e",
      "parents": [
        "91fa64f09e55bed8fcbcf643e6b1f87f3b897854"
      ],
      "author": {
        "name": "Chris Lu",
        "email": "chris.lu@mediatek.com",
        "time": "Thu Apr 16 19:16:07 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:45:56 2026 -0400"
      },
      "message": "Bluetooth: btmtk: add event filter to filter specific event\n\nAdd an event filter to filter event with specific opcode to prevent BT\nstack from receiving unexpected event.\n\nEvent with opcode 0xfc5d is generated when MediaTek\u0027s Bluetooth enable\nfirmware logs and is not expected to be sent to userspace.\n\nSigned-off-by: Chris Lu \u003cchris.lu@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "91fa64f09e55bed8fcbcf643e6b1f87f3b897854",
      "tree": "5cb57f4070c7973b3242a768f95005f08b00b4dd",
      "parents": [
        "11bc757180ef5a6ab6e61ff8c4418a2663c4736b"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed Apr 15 16:49:59 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:45:38 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().\n\nFixes: 80808e431e1e (\"Bluetooth: Add l2cap_chan_ops abstraction\")\nCc: stable@kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "11bc757180ef5a6ab6e61ff8c4418a2663c4736b",
      "tree": "a2a4764de9fedf9f7ee7ecbd21d4ba24221fc462",
      "parents": [
        "da5bd8be1bd5a1b5442085a7069a7bb798b43a3e"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed Apr 15 16:53:36 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:45:17 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().\n\nFixes: 8d836d71e222 (\"Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c\")\nCc: stable@kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "da5bd8be1bd5a1b5442085a7069a7bb798b43a3e",
      "tree": "011a629dd7ccfa15a626200f21ff42841a005d33",
      "parents": [
        "70e1f435c600e1101718124e4371b9fcf5fc968c"
      ],
      "author": {
        "name": "Siwei Zhang",
        "email": "oss@fourdim.xyz",
        "time": "Wed Apr 15 16:51:36 2026 -0400"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:44:56 2026 -0400"
      },
      "message": "Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().\n\nFixes: 89bc500e41fc (\"Bluetooth: Add state tracking to struct l2cap_chan\")\nCc: stable@kernel.org\nSigned-off-by: Siwei Zhang \u003coss@fourdim.xyz\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "70e1f435c600e1101718124e4371b9fcf5fc968c",
      "tree": "aea26567e88f070d0d1f21b5d63f32c42567e20a",
      "parents": [
        "650fd10092529ca2dea85cb39b35a995808fd6dd"
      ],
      "author": {
        "name": "Mikhail Gavrilov",
        "email": "mikhail.v.gavrilov@gmail.com",
        "time": "Wed Apr 15 02:52:37 2026 +0500"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:44:22 2026 -0400"
      },
      "message": "Bluetooth: l2cap: defer conn param update to avoid conn-\u003elock/hdev-\u003elock inversion\n\nWhen a BLE peripheral sends an L2CAP Connection Parameter Update Request\nthe processing path is:\n\n  process_pending_rx()          [takes conn-\u003elock]\n    l2cap_le_sig_channel()\n      l2cap_conn_param_update_req()\n        hci_le_conn_update()    [takes hdev-\u003elock]\n\nMeanwhile other code paths take the locks in the opposite order:\n\n  l2cap_chan_connect()          [takes hdev-\u003elock]\n    ...\n      mutex_lock(\u0026conn-\u003elock)\n\n  l2cap_conn_ready()            [hdev-\u003elock via hci_cb_list_lock]\n    ...\n      mutex_lock(\u0026conn-\u003elock)\n\nThis is a classic AB/BA deadlock which lockdep reports as a circular\nlocking dependency when connecting a BLE MIDI keyboard (Carry-On FC-49).\n\nFix this by making hci_le_conn_update() defer the HCI command through\nhci_cmd_sync_queue() so it no longer needs to take hdev-\u003elock in the\ncaller context.  The sync callback uses __hci_cmd_sync_status_sk() to\nwait for the HCI_EV_LE_CONN_UPDATE_COMPLETE event, then updates the\nstored connection parameters (hci_conn_params) and notifies userspace\n(mgmt_new_conn_param) only after the controller has confirmed the update.\n\nA reference on hci_conn is held via hci_conn_get()/hci_conn_put() for\nthe lifetime of the queued work to prevent use-after-free, and\nhci_conn_valid() is checked before proceeding in case the connection was\nremoved while the work was pending.  The hci_dev_lock is held across\nhci_conn_valid() and all conn field accesses to prevent a concurrent\ndisconnect from invalidating the connection mid-use.\n\nFixes: f044eb0524a0 (\"Bluetooth: Store latency and supervision timeout in connection params\")\nSigned-off-by: Mikhail Gavrilov \u003cmikhail.v.gavrilov@gmail.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "650fd10092529ca2dea85cb39b35a995808fd6dd",
      "tree": "14effe4a5732a825a8495cdcb7185efaa6691a8f",
      "parents": [
        "feaef2aa27201e1866aa9851cd502bae1e5d0803"
      ],
      "author": {
        "name": "Dudu Lu",
        "email": "phx0fer@gmail.com",
        "time": "Wed Apr 15 18:43:55 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:44:00 2026 -0400"
      },
      "message": "Bluetooth: l2cap: fix MPS check in l2cap_ecred_reconf_req\n\nThe L2CAP specification states that if more than one channel is being\nreconfigured, the MPS shall not be decreased. The current check has\ntwo issues:\n\n1) The comparison uses \u003e\u003d (greater-than-or-equal), which incorrectly\n   rejects reconfiguration requests where the MPS stays the same.\n   Since the spec says MPS \"shall be greater than or equal to the\n   current MPS\", only a strict decrease (remote_mps \u003e mps) should be\n   rejected. Keeping the same MPS is valid.\n\n2) The multi-channel guard uses `\u0026\u0026 i` (loop index) to approximate\n   \"more than one channel\", but this incorrectly allows MPS decrease\n   for the first channel (i\u003d\u003d0) even when multiple channels are being\n   reconfigured. Replace with `\u0026\u0026 num_scid \u003e 1` which correctly\n   checks whether the request covers more than one channel.\n\nSigned-off-by: Dudu Lu \u003cphx0fer@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    },
    {
      "commit": "feaef2aa27201e1866aa9851cd502bae1e5d0803",
      "tree": "18870f67c05224da09d4bc774ed4e959c2ccbb9b",
      "parents": [
        "2ac4a9d672432562953ab8754874bfe7ec9d7501"
      ],
      "author": {
        "name": "Dudu Lu",
        "email": "phx0fer@gmail.com",
        "time": "Wed Apr 15 17:39:53 2026 +0800"
      },
      "committer": {
        "name": "Luiz Augusto von Dentz",
        "email": "luiz.von.dentz@intel.com",
        "time": "Wed May 06 15:43:42 2026 -0400"
      },
      "message": "Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling\n\nIn bnep_rx_frame(), the BNEP_FILTER_NET_TYPE_SET and\nBNEP_FILTER_MULTI_ADDR_SET extension header parsing has two bugs:\n\n1) The 2-byte length field is read with *(u16 *)(skb-\u003edata + 1), which\n   performs a native-endian read. The BNEP protocol specifies this field\n   in big-endian (network byte order), and the same file correctly uses\n   get_unaligned_be16() for the identical fields in\n   bnep_ctrl_set_netfilter() and bnep_ctrl_set_mcfilter().\n\n2) The length is multiplied by 2, but unlike BNEP_SETUP_CONN_REQ where\n   the length byte counts UUID pairs (requiring * 2 for two UUIDs per\n   entry), the filter extension length field already represents the total\n   data size in bytes. This is confirmed by bnep_ctrl_set_netfilter()\n   which reads the same field as a byte count and divides by 4 to get\n   the number of filter entries.\n\n   The bogus * 2 means skb_pull advances twice as far as it should,\n   either dropping valid data from the next header or causing the pull\n   to fail entirely when the doubled length exceeds the remaining skb.\n\nFix by splitting the pull into two steps: first use skb_pull_data() to\nsafely pull and validate the 3-byte fixed header (ctrl type + length),\nthen pull the variable-length data using the properly decoded length.\n\nFixes: bf8b9a9cb77b (\"Bluetooth: bnep: Add support to extended headers of control frames\")\nSigned-off-by: Dudu Lu \u003cphx0fer@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n"
    }
  ],
  "next": "2ac4a9d672432562953ab8754874bfe7ec9d7501"
}
