)]}' { "log": [ { "commit": "710f92b5b91274663238464cdd29b697ad92fcb7", "tree": "3dd07ea270332c34c874f48cb0682a530e14fa0b", "parents": [ "becdde9999657136cee002da16c86704ee6af9eb" ], "author": { "name": "Gustavo A. R. Silva", "email": "gustavoars@kernel.org", "time": "Tue Apr 07 14:16:46 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Apr 07 17:11:37 2026 -0400" }, "message": "Bluetooth: hci.h: Avoid a couple -Wflex-array-member-not-at-end warnings\n\n-Wflex-array-member-not-at-end was introduced in GCC-14, and we are\ngetting ready to enable it, globally.\n\nstruct hci_std_codecs and struct hci_std_codecs_v2 are flexible\nstructures, this is structures that contain a flexible-array member\n(__u8 codec[]; and struct hci_std_codec_v2 codec[];, correspondingly.)\n\nSince struct hci_rp_read_local_supported_codecs and struct\nhci_rp_read_local_supported_codecs_v2 are defined by hardware, we\ncreate the new struct hci_std_codecs_hdr and struct hci_std_codecs_v2_hdr\ntypes, and use them to replace the object types causing trouble in\nstruct hci_rp_read_local_supported_codecs and struct\nhci_rp_read_local_supported_codecs_v2, namely struct hci_std_codecs\nstd_codecs; and struct hci_std_codecs_v2_hdr std_codecs;.\n\nAlso, once -fms-extensions is enabled, we can use transparent struct\nmembers in both struct hci_std_codecs and struct hci_std_codecs_v2_hdr.\n\nNotice that the newly created types does not contain the flex-array\nmember `codec`, which is the object causing the -Wfamnae warnings.\n\nAfter these changes, the size of struct hci_rp_read_local_supported_codecs\nand struct hci_rp_read_local_supported_codecs_v2, along with their\nmember\u0027s offsets remain the same, hence the memory layouts don\u0027t\nchange:\n\nBefore changes:\nstruct hci_rp_read_local_supported_codecs {\n __u8 status; /* 0 1 */\n struct hci_std_codecs std_codecs; /* 1 1 */\n struct hci_vnd_codecs vnd_codecs; /* 2 1 */\n\n /* size: 3, cachelines: 1, members: 3 */\n /* last cacheline: 3 bytes */\n} __attribute__((__packed__));\n\nstruct hci_rp_read_local_supported_codecs_v2 {\n __u8 status; /* 0 1 */\n struct hci_std_codecs_v2 std_codecs; /* 1 1 */\n struct hci_vnd_codecs_v2 vendor_codecs; /* 2 1 */\n\n /* size: 3, cachelines: 1, members: 3 */\n /* last cacheline: 3 bytes */\n} __attribute__((__packed__));\n\nAfter changes:\nstruct hci_rp_read_local_supported_codecs {\n\t__u8 status; /* 0 1 */\n\tstruct hci_std_codecs_hdr std_codecs; /* 1 1 */\n\tstruct hci_vnd_codecs vnd_codecs; /* 2 1 */\n\n\t/* size: 3, cachelines: 1, members: 3 */\n\t/* last cacheline: 3 bytes */\n} __attribute__((__packed__));\n\nstruct hci_rp_read_local_supported_codecs_v2 {\n\t__u8 status; /* 0 1 */\n\tstruct hci_std_codecs_v2_hdr std_codecs; /* 1 1 */\n\tstruct hci_vnd_codecs_v2 vendor_codecs; /* 2 1 */\n\n\t/* size: 3, cachelines: 1, members: 3 */\n\t/* last cacheline: 3 bytes */\n} __attribute__((__packed__));\n\nWith these changes fix the following warnings:\n\ninclude/net/bluetooth/hci.h:1490:31: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\ninclude/net/bluetooth/hci.h:1525:34: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nSigned-off-by: Gustavo A. R. Silva \u003cgustavoars@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "becdde9999657136cee002da16c86704ee6af9eb", "tree": "f2a353af9656010e6259e88a64253c9c53f1618e", "parents": [ "0875da1eeb296fd89a3e934dd5700247ffc9e142" ], "author": { "name": "Stefan Metzmacher", "email": "metze@samba.org", "time": "Tue Apr 07 17:13:45 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Apr 07 13:46:27 2026 -0400" }, "message": "Bluetooth: SCO: check for codecs-\u003enum_codecs \u003d\u003d 1 before assigning to sco_pi(sk)-\u003ecodec\n\ncopy_struct_from_sockptr() fill \u0027buffer\u0027 in\nsco_sock_setsockopt() with zeros, so there\u0027s no\nreal problem.\n\nBut it actually looks strange to do this,\nwithout checking all of codecs-\u003ecodecs[0]\nreally comes from userspace:\n\n sco_pi(sk)-\u003ecodec \u003d codecs-\u003ecodecs[0];\n\nAs only optlen \u003c sizeof(struct bt_codecs) is checked\nand codecs-\u003enum_codecs is not checked against !\u003d 1,\nbut only \u003c\u003d 1, and the space for the additional struct bt_codec\nis not checked.\n\nNote I don\u0027t understand bluetooth and I didn\u0027t do any runtime\ntests with this! I just found it when debugging a problem\nin copy_struct_from_sockptr().\n\nI just added this to check the size is as expected:\n\n BUILD_BUG_ON(struct_size(codecs, codecs, 0) !\u003d 1);\n BUILD_BUG_ON(struct_size(codecs, codecs, 1) !\u003d 8);\n\nAnd made sure it still compiles using this:\n\n make CF\u003d-D__CHECK_ENDIAN__ W\u003d1ce C\u003d1 net/bluetooth/sco.o\n\nFixes: 3e643e4efa1e (\"Bluetooth: Improve setsockopt() handling of malformed user input\")\nCc: Michal Luczaj \u003cmhal@rbox.co\u003e\nCc: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nCc: Luiz Augusto von Dentz \u003cluiz.dentz@gmail.com\u003e\nCc: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nCc: David Wei \u003cdw@davidwei.uk\u003e\nCc: linux-bluetooth@vger.kernel.org\nCc: linux-kernel@vger.kernel.org\nSigned-off-by: Stefan Metzmacher \u003cmetze@samba.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0875da1eeb296fd89a3e934dd5700247ffc9e142", "tree": "e666f91d8a859f4a0534e1f016d0dd0cccd64e23", "parents": [ "c3b37ff8d7df0cd51e6c9e2aa5796fc342062da8" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Tue Apr 07 15:32:40 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Apr 07 13:45:03 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Align shared DMA memory to 128 bytes\n\nAlign each descriptor/index/context region to 128 bytes before\ncalculating the total DMA pool size. This ensures the memory layout\nshared with firmware meets the 128-byte alignment requirement.\n\nThe DMA pool alignment is also set to 128 bytes to match the firmware\nexpectation for all shared structures.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c3b37ff8d7df0cd51e6c9e2aa5796fc342062da8", "tree": "c9c5c15c8d6358009b74057662f201c3d5fb7ace", "parents": [ "60f6ea0dbe1a7d2c8999162153acdcaeddf196c4" ], "author": { "name": "Dudu Lu", "email": "phx0fer@gmail.com", "time": "Sun Apr 05 23:47:41 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Apr 07 13:11:11 2026 -0400" }, "message": "Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp\n\nl2cap_ecred_reconf_rsp() calls l2cap_chan_del() without holding\nl2cap_chan_lock(). Every other l2cap_chan_del() caller in the file\nacquires the lock first. A remote BLE device can send a crafted\nL2CAP ECRED reconfiguration response to corrupt the channel list\nwhile another thread is iterating it.\n\nAdd l2cap_chan_hold() and l2cap_chan_lock() before l2cap_chan_del(),\nand l2cap_chan_unlock() and l2cap_chan_put() after, matching the\npattern used in l2cap_ecred_conn_rsp() and l2cap_conn_del().\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nSigned-off-by: Dudu Lu \u003cphx0fer@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "60f6ea0dbe1a7d2c8999162153acdcaeddf196c4", "tree": "ad88de61b9ffebae68ad799a134b7f7e0305f0c7", "parents": [ "3966e67cdd709d7b1cae5a650654cd53b291c126" ], "author": { "name": "Stefano Radaelli", "email": "stefano.r@variscite.com", "time": "Thu Apr 02 20:47:03 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Apr 02 15:59:54 2026 -0400" }, "message": "Bluetooth: hci_ll: Enable BROKEN_ENHANCED_SETUP_SYNC_CONN for WL183x\n\nTI WL183x controllers advertise support for the HCI Enhanced Setup\nSynchronous Connection command, but SCO setup fails when the enhanced\npath is used. The only working configuration is to fall back to the\nlegacy HCI Setup Synchronous Connection (0x0028).\n\nThis matches the scenario described in commit 05abad857277\n(\"Bluetooth: HCI: Add HCI_QUIRK_BROKEN_ENHANCED_SETUP_SYNC_CONN quirk\").\n\nEnable HCI_QUIRK_BROKEN_ENHANCED_SETUP_SYNC_CONN automatically for\ndevices compatible with:\n - ti,wl1831-st\n - ti,wl1835-st\n - ti,wl1837-st\n\nSigned-off-by: Stefano Radaelli \u003cstefano.r@variscite.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "3966e67cdd709d7b1cae5a650654cd53b291c126", "tree": "36fb5b8ea64b484556e7103d7d46265ded22c9b9", "parents": [ "a6e00a811c87d0ba42402d5b8c384b9867a4a700" ], "author": { "name": "Kamiyama Chiaki", "email": "nercone@nercone.dev", "time": "Wed Apr 01 02:53:01 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Apr 02 13:25:16 2026 -0400" }, "message": "Bluetooth: btusb: MediaTek MT7922: Add VID 0489 \u0026 PID e11d\n\nAdd VID 0489 \u0026 PID e11d for MediaTek MT7922 USB Bluetooth chip.\nFound in Dynabook GA/ZY (W6GAZY5RCL).\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d03 Lev\u003d01 Prnt\u003d01 Port\u003d03 Cnt\u003d02 Dev#\u003d 3 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de11d Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\n\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Kamiyama Chiaki \u003cnercone@nercone.dev\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "a6e00a811c87d0ba42402d5b8c384b9867a4a700", "tree": "f73671837957645c4b17d4c48ae4d12d4a93a69c", "parents": [ "3a0b100b337cabf009cdaee6031afd8f6313d214" ], "author": { "name": "Arnd Bergmann", "email": "arnd@arndb.de", "time": "Thu Apr 02 16:11:15 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Apr 02 13:25:10 2026 -0400" }, "message": "Bluetooth: btmtk: hide unused btmtk_mt6639_devs[] array\n\nWhen USB support is disabled, the array is not referenced anywhere,\ncausing a warning:\n\ndrivers/bluetooth/btmtk.c:35:3: error: \u0027btmtk_mt6639_devs\u0027 defined but not used [-Werror\u003dunused-const-variable\u003d]\n 35 | } btmtk_mt6639_devs[] \u003d {\n | ^~~~~~~~~~~~~~~~~\n\nMove it into the #ifdef block.\n\nFixes: 4cdd001ff03f (\"Bluetooth: btmtk: Add MT6639 (MT7927) Bluetooth support\")\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "3a0b100b337cabf009cdaee6031afd8f6313d214", "tree": "ab746bd7a85231a27098d3731a08a358a250ec05", "parents": [ "1bd2e4ce149fa63a647e5e2c513e0319dead2337" ], "author": { "name": "Oleh Konko", "email": "security@1seal.org", "time": "Tue Mar 31 11:52:13 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Apr 01 14:35:00 2026 -0400" }, "message": "Bluetooth: SMP: derive legacy responder STK authentication from MITM state\n\nThe legacy responder path in smp_random() currently labels the stored\nSTK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.\nThat reflects what the local service requested, not what the pairing\nflow actually achieved.\n\nFor Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear\nand the resulting STK should remain unauthenticated even if the local\nside requested HIGH security. Use the established MITM state when\nstoring the responder STK so the key metadata matches the pairing result.\n\nThis also keeps the legacy path aligned with the Secure Connections code,\nwhich already treats JUST_WORKS/JUST_CFM as unauthenticated.\n\nFixes: fff3490f4781 (\"Bluetooth: Fix setting correct authentication information for SMP STK\")\nCc: stable@vger.kernel.org\nSigned-off-by: Oleh Konko \u003csecurity@1seal.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "1bd2e4ce149fa63a647e5e2c513e0319dead2337", "tree": "3399fdd1c6a550cab80b0950c1706a3488042284", "parents": [ "2c12536623ca3a02a31316005cd4097658a3a025" ], "author": { "name": "Oleh Konko", "email": "security@1seal.org", "time": "Tue Mar 31 11:52:12 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Apr 01 14:33:12 2026 -0400" }, "message": "Bluetooth: SMP: force responder MITM requirements before building the pairing response\n\nsmp_cmd_pairing_req() currently builds the pairing response from the\ninitiator auth_req before enforcing the local BT_SECURITY_HIGH\nrequirement. If the initiator omits SMP_AUTH_MITM, the response can\nalso omit it even though the local side still requires MITM.\n\ntk_request() then sees an auth value without SMP_AUTH_MITM and may\nselect JUST_CFM, making method selection inconsistent with the pairing\npolicy the responder already enforces.\n\nWhen the local side requires HIGH security, first verify that MITM can\nbe achieved from the IO capabilities and then force SMP_AUTH_MITM in the\nresponse in both rsp.auth_req and auth. This keeps the responder auth bits\nand later method selection aligned.\n\nFixes: 2b64d153a0cc (\"Bluetooth: Add MITM mechanism to LE-SMP\")\nCc: stable@vger.kernel.org\nSuggested-by: Luiz Augusto von Dentz \u003cluiz.dentz@gmail.com\u003e\nSigned-off-by: Oleh Konko \u003csecurity@1seal.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "2c12536623ca3a02a31316005cd4097658a3a025", "tree": "6a328761f0bc4aa19c693ff3abae1b3432510656", "parents": [ "b65fdb465d5475e9ec1b70aa38b3fd79e237a089" ], "author": { "name": "Keenan Dong", "email": "keenanat2000@gmail.com", "time": "Wed Apr 01 22:25:26 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Apr 01 12:41:30 2026 -0400" }, "message": "Bluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request.\n\nFixes: b338d91703fa (\"Bluetooth: Implement support for Mesh\")\nReported-by: Keenan Dong \u003ckeenanat2000@gmail.com\u003e\nSigned-off-by: Keenan Dong \u003ckeenanat2000@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "b65fdb465d5475e9ec1b70aa38b3fd79e237a089", "tree": "603bdddbe6f99cddf067dc9a9658be8f0b56e534", "parents": [ "26308f935d23083697a96e0e2d31e164bdab2577" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:30 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:28:18 2026 -0400" }, "message": "Bluetooth: btusb: Add MT7927 ID for ASUS X870E / ProArt X870E-Creator\n\nAdd USB device ID 13d3:3588 (IMC Networks/Azurewave) for the MediaTek\nMT7927 (Filogic 380) Bluetooth interface found on the ASUS ROG STRIX\nX870E-E GAMING WIFI and ASUS ProArt X870E-Creator WiFi motherboards.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d00 Cnt\u003d01 Dev#\u003d 5 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d13d3 ProdID\u003d3588 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nTested-by: Jose Tiburcio Ribeiro Netto \u003cjnetto@mineiro.io\u003e\nTested-by: Ivan Lubnin \u003clubnin.ivan@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "26308f935d23083697a96e0e2d31e164bdab2577", "tree": "b7744fc4aa1b3177a38b7690d4a529de0c96b6ed", "parents": [ "4be0c880070831bcce03bef18ca2da79cac2a8d6" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:29 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:25:02 2026 -0400" }, "message": "Bluetooth: btusb: Add MT7927 ID for TP-Link Archer TBE550E\n\nAdd USB device ID 0489:e116 (Foxconn/Hon Hai) for the MediaTek MT7927\n(Filogic 380) Bluetooth interface found on the TP-Link Archer TBE550E\nPCIe adapter.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d05 Cnt\u003d04 Dev#\u003d 5 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de116 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n...\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nTested-by: Thibaut FRANCOIS \u003ctibo@humeurlibre.fr\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4be0c880070831bcce03bef18ca2da79cac2a8d6", "tree": "2c6720e5b3d76191b0fb54663f9ecdd0ba649ee0", "parents": [ "e4fb2113d5e2a87d8abd31e42fe812bd375d1d63" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:28 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:24:56 2026 -0400" }, "message": "Bluetooth: btusb: Add MT7927 ID for MSI X870E Ace Max\n\nAdd USB device ID 0489:e110 (Foxconn/Hon Hai) for the MediaTek MT7927\n(Filogic 380) Bluetooth interface found on the MSI X870E Ace Max\nmotherboard.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d05 Cnt\u003d04 Dev#\u003d 5 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de110 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n...\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nTested-by: Nitin Gurram \u003cnitin.reddy88@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "e4fb2113d5e2a87d8abd31e42fe812bd375d1d63", "tree": "8e60e03e4995eb3b279faa55b4ae40d34f8a78c0", "parents": [ "70d2954d3051c08141d9dc76cc1b8427f85813c4" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:27 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:24:49 2026 -0400" }, "message": "Bluetooth: btusb: Add MT7927 ID for Gigabyte Z790 AORUS MASTER X\n\nAdd USB device ID 0489:e10f (Foxconn/Hon Hai) for the MediaTek MT7927\n(Filogic 380) Bluetooth interface found on the Gigabyte Z790 AORUS\nMASTER X motherboard.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d05 Cnt\u003d04 Dev#\u003d 5 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de10f Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n...\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nTested-by: Chapuis Dario \u003cchapuisdario4@gmail.com\u003e\nTested-by: Evgeny Kapusta \u003c3193631@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "70d2954d3051c08141d9dc76cc1b8427f85813c4", "tree": "93277bd7ca0bedb65e2b21e664492d67d45d5b8c", "parents": [ "af6731663d8f497b7e0d1b3a92facaf5e349d902" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:26 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:24:42 2026 -0400" }, "message": "Bluetooth: btusb: Add MT7927 ID for Lenovo Legion Pro 7 16ARX9\n\nAdd USB device ID 0489:e0fa (Foxconn/Hon Hai) for the MediaTek MT7927\n(Filogic 380) Bluetooth interface found on the Lenovo Legion Pro 7\n16ARX9 laptop.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d05 Cnt\u003d04 Dev#\u003d 5 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de0fa Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n...\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nTested-by: Llewellyn Curran \u003cmelinko2003@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "af6731663d8f497b7e0d1b3a92facaf5e349d902", "tree": "f51238b6e8f9f1420dd93ffe2378768f27976765", "parents": [ "fe9e35d0b3f12a6f484680e168b0e11fe221547c" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:25 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:24:35 2026 -0400" }, "message": "Bluetooth: btusb: Add MT7927 ID for ASUS ROG Crosshair X870E Hero\n\nAdd USB device ID 0489:e13a (Foxconn/Hon Hai) for the MediaTek MT7927\n(Filogic 380) Bluetooth interface found on the ASUS ROG Crosshair X870E\nHero WiFi motherboard.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d05 Cnt\u003d04 Dev#\u003d 5 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de13a Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\n...\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nTested-by: Jose Tiburcio Ribeiro Netto \u003cjnetto@mineiro.io\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "fe9e35d0b3f12a6f484680e168b0e11fe221547c", "tree": "693ea65803f7f9a2d3f513968a75b3d719e3b9c5", "parents": [ "4cdd001ff03fea2b4aac9e610a9cd581592fb6ac" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:24 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:24:29 2026 -0400" }, "message": "Bluetooth: btmtk: fix ISO interface setup for single alt setting\n\nSome MT6639 Bluetooth USB interfaces (e.g. IMC Networks 13d3:3588 on\nASUS ROG STRIX X870E-E and ProArt X870E-Creator boards) expose only a\nsingle alternate setting (alt 0) on the ISO interface. The driver\nunconditionally requests alt setting 1, which fails with EINVAL on\nthese devices, causing a ~20 second initialization delay and no LE\naudio support.\n\nCheck the number of available alternate settings before selecting one.\nIf only alt 0 exists, use it; otherwise request alt 1 as before.\n\nCloses: https://github.com/jetm/mediatek-mt7927-dkms/pull/39\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nReported-by: Ryan Gilbert \u003cxelnaga@gmail.com\u003e\nTested-by: Ryan Gilbert \u003cxelnaga@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4cdd001ff03fea2b4aac9e610a9cd581592fb6ac", "tree": "19b1611c4b66fdfd77a82570b1f5b519b72bc9d1", "parents": [ "22edb157ba3c09d93ee583be6c0b1ce03fe6a237" ], "author": { "name": "Javier Tia", "email": "floss@jetm.me", "time": "Mon Mar 30 14:39:23 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:24:22 2026 -0400" }, "message": "Bluetooth: btmtk: Add MT6639 (MT7927) Bluetooth support\n\nThe MediaTek MT7927 (Filogic 380) combo WiFi 7 + BT 5.4 module uses\nhardware variant 0x6639 for its Bluetooth subsystem. Without this patch,\nthe chip fails with \"Unsupported hardware variant (00006639)\" or hangs\nduring firmware download.\n\nThree changes are needed to support MT6639:\n\n1. CHIPID workaround: On some boards the BT USB MMIO register reads\n 0x0000 for dev_id, causing the driver to skip the 0x6639 init path.\n Force dev_id to 0x6639 only when the USB VID/PID matches a known\n MT6639 device, avoiding misdetection if a future chip also reads\n zero. This follows the WiFi-side pattern that uses PCI device IDs\n to scope the same workaround.\n\n2. Firmware naming: MT6639 uses firmware version prefix \"2_1\" instead of\n \"1_1\" used by MT7925 and other variants. The firmware path is\n mediatek/mt7927/BT_RAM_CODE_MT6639_2_1_hdr.bin, using the mt7927\n directory to match the WiFi firmware convention. The filename will\n likely change to use MT7927 once MediaTek submits a dedicated\n Linux firmware binary.\n\n3. Section filtering: The MT6639 firmware binary contains 9 sections, but\n only sections with (dlmodecrctype \u0026 0xff) \u003d\u003d 0x01 are Bluetooth-related.\n Sending the remaining WiFi/other sections causes an irreversible BT\n subsystem hang requiring a full power cycle. This matches the Windows\n driver behavior observed via USB captures.\n\nAlso add 0x6639 to the reset register (CONNV3) and firmware setup switch\ncases alongside the existing 0x7925 handling.\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221096\nLink: https://github.com/openwrt/mt76/issues/927\nReported-by: Ryan Gilbert \u003cxelnaga@gmail.com\u003e\nSigned-off-by: Javier Tia \u003cfloss@jetm.me\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "22edb157ba3c09d93ee583be6c0b1ce03fe6a237", "tree": "6e5f766f2d908f8141fe6273ee5fd0718a36de3b", "parents": [ "e00e94a428527be3c4ed2a2e69602d7f20b41926" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Sun Mar 29 16:43:02 2026 +0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:08:46 2026 -0400" }, "message": "Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_le_remote_conn_param_req_evt, otherwise it\u0027s possible it is freed\nconcurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage.\n\nFixes: 95118dd4edfec (\"Bluetooth: hci_event: Use of a function table to handle LE subevents\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "e00e94a428527be3c4ed2a2e69602d7f20b41926", "tree": "2615ef6093312da385c45e8c4c83b446e7509ea8", "parents": [ "31798ffc35a9bc48e52f70a78a0982a8e339c7e6" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Sun Mar 29 16:43:01 2026 +0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:08:40 2026 -0400" }, "message": "Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync\n\nhci_conn lookup and field access must be covered by hdev lock in\nset_cig_params_sync, otherwise it\u0027s possible it is freed concurrently.\n\nTake hdev lock to prevent hci_conn from being deleted or modified\nconcurrently. Just RCU lock is not suitable here, as we also want to\navoid \"tearing\" in the configuration.\n\nFixes: a091289218202 (\"Bluetooth: hci_conn: Fix hci_le_set_cig_params\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "31798ffc35a9bc48e52f70a78a0982a8e339c7e6", "tree": "62c1114cef787b766e4ea51580fbe6a7617140e4", "parents": [ "4797dfba1aa5bbdd6263c3557626fb357bc20b99" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Sun Mar 29 16:42:59 2026 +0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:08:33 2026 -0400" }, "message": "Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER\n\nWhen protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls\nhci_connect_cfm(conn) without hdev-\u003elock. Generally hci_connect_cfm()\nassumes it is held, and if conn is deleted concurrently -\u003e UAF.\n\nOnly SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen,\nand HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred\nlistening socket code paths, hci_connect_cfm(conn) is called with\nhdev-\u003elock held.\n\nFix by holding the lock.\n\nFixes: 70c464256310 (\"Bluetooth: Refactor connection request handling\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4797dfba1aa5bbdd6263c3557626fb357bc20b99", "tree": "14c57bb81bd66e694423f5a46cba27d9fb1f9ed0", "parents": [ "13be27bc49847211616bb36e58ceacb50a7c4d5f" ], "author": { "name": "hkbinbin", "email": "hkbinbinbin@gmail.com", "time": "Tue Mar 31 05:39:16 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 31 10:01:59 2026 -0400" }, "message": "Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync\n\nhci_le_big_create_sync() uses DEFINE_FLEX to allocate a\nstruct hci_cp_le_big_create_sync on the stack with room for 0x11 (17)\nBIS entries. However, conn-\u003enum_bis can hold up to HCI_MAX_ISO_BIS (31)\nentries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller\nhci_conn_big_create_sync(). When conn-\u003enum_bis is between 18 and 31,\nthe memcpy that copies conn-\u003ebis into cp-\u003ebis writes up to 14 bytes\npast the stack buffer, corrupting adjacent stack memory.\n\nThis is trivially reproducible: binding an ISO socket with\nbc_num_bis \u003d ISO_MAX_NUM_BIS (31) and calling listen() will\neventually trigger hci_le_big_create_sync() from the HCI command\nsync worker, causing a KASAN-detectable stack-out-of-bounds write:\n\n BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0\n Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71\n\nFix this by changing the DEFINE_FLEX count from the incorrect 0x11 to\nHCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that\nconn-\u003ebis can actually carry.\n\nFixes: 42ecf1947135 (\"Bluetooth: ISO: Do not emit LE BIG Create Sync if previous is pending\")\nCc: stable@vger.kernel.org\nSigned-off-by: hkbinbin \u003chkbinbinbin@gmail.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "13be27bc49847211616bb36e58ceacb50a7c4d5f", "tree": "68912daa21e1fbf7d40406b646abc878f46e5a77", "parents": [ "2db5a8b68e31e79e02dbcde655eb25c6866cbc1c" ], "author": { "name": "Johan Hovold", "email": "johan@kernel.org", "time": "Mon Mar 30 11:41:34 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 30 16:23:18 2026 -0400" }, "message": "Bluetooth: btmtk: refactor endpoint lookup\n\nUse the common USB helper for looking up bulk and interrupt endpoints\ninstead of open coding.\n\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "2db5a8b68e31e79e02dbcde655eb25c6866cbc1c", "tree": "e0e070654e7a614adf942bc73772087e66e43a10", "parents": [ "f9426e0a20196dfb468d94a5a4e0c528c0f159ed" ], "author": { "name": "Johan Hovold", "email": "johan@kernel.org", "time": "Mon Mar 30 11:41:33 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 30 16:23:18 2026 -0400" }, "message": "Bluetooth: btusb: refactor endpoint lookup\n\nUse the common USB helper for looking up bulk and interrupt endpoints\ninstead of open coding.\n\nSigned-off-by: Johan Hovold \u003cjohan@kernel.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "f9426e0a20196dfb468d94a5a4e0c528c0f159ed", "tree": "c22042d8c424d9f8200722a4c90472ac9ad3af8c", "parents": [ "931e19533cfa1f4fab15b106803b85ce577ccc32" ], "author": { "name": "Keenan Dong", "email": "keenanat2000@gmail.com", "time": "Sat Mar 28 16:46:47 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 30 16:23:18 2026 -0400" }, "message": "Bluetooth: MGMT: validate LTK enc_size on load\n\nLoad Long Term Keys stores the user-provided enc_size and later uses\nit to size fixed-size stack operations when replying to LE LTK\nrequests. An enc_size larger than the 16-byte key buffer can therefore\noverflow the reply stack buffer.\n\nReject oversized enc_size values while validating the management LTK\nrecord so invalid keys never reach the stored key state.\n\nFixes: 346af67b8d11 (\"Bluetooth: Add MGMT handlers for dealing with SMP LTK\u0027s\")\nReported-by: Keenan Dong \u003ckeenanat2000@gmail.com\u003e\nSigned-off-by: Keenan Dong \u003ckeenanat2000@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "931e19533cfa1f4fab15b106803b85ce577ccc32", "tree": "34c30e8142f1cfd4dd95bfa2abfff7338397ef4c", "parents": [ "e9191a1f1abb52e83e366946bee916f01452b885" ], "author": { "name": "Jonathan Rissanen", "email": "jonathan.rissanen@axis.com", "time": "Fri Mar 27 11:47:21 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 30 16:23:18 2026 -0400" }, "message": "Bluetooth: hci_h4: Fix race during initialization\n\nCommit 5df5dafc171b (\"Bluetooth: hci_uart: Fix another race during\ninitialization\") fixed a race for hci commands sent during initialization.\nHowever, there is still a race that happens if an hci event from one of\nthese commands is received before HCI_UART_REGISTERED has been set at\nthe end of hci_uart_register_dev(). The event will be ignored which\ncauses the command to fail with a timeout in the log:\n\n\"Bluetooth: hci0: command 0x1003 tx timeout\"\n\nThis is because the hci event receive path (hci_uart_tty_receive -\u003e\nh4_recv) requires HCI_UART_REGISTERED to be set in h4_recv(), while the\nhci command transmit path (hci_uart_send_frame -\u003e h4_enqueue) only\nrequires HCI_UART_PROTO_INIT to be set in hci_uart_send_frame().\n\nThe check for HCI_UART_REGISTERED was originally added in commit\nc2578202919a (\"Bluetooth: Fix H4 crash from incoming UART packets\")\nto fix a crash caused by hu-\u003ehdev being null dereferenced. That can no\nlonger happen: once HCI_UART_PROTO_INIT is set in hci_uart_register_dev()\nall pointers (hu, hu-\u003epriv and hu-\u003ehdev) are valid, and\nhci_uart_tty_receive() already calls h4_recv() on HCI_UART_PROTO_INIT\nor HCI_UART_PROTO_READY.\n\nRemove the check for HCI_UART_REGISTERED in h4_recv() to fix the race\ncondition.\n\nFixes: 5df5dafc171b (\"Bluetooth: hci_uart: Fix another race during initialization\")\nSigned-off-by: Jonathan Rissanen \u003cjonathan.rissanen@axis.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "e9191a1f1abb52e83e366946bee916f01452b885", "tree": "3ac946f881a81d4af67fb88a6c557e7f3de5047a", "parents": [ "1e1429288304c4019411e54029a53fbe3102c7ae" ], "author": { "name": "Jonathan Rissanen", "email": "jonathan.rissanen@axis.com", "time": "Fri Mar 27 11:47:20 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 30 16:23:18 2026 -0400" }, "message": "Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error\n\nWhen hci_register_dev() fails in hci_uart_register_dev()\nHCI_UART_PROTO_INIT is not cleared before calling hu-\u003eproto-\u003eclose(hu)\nand setting hu-\u003ehdev to NULL. This means incoming UART data will reach\nthe protocol-specific recv handler in hci_uart_tty_receive() after\nresources are freed.\n\nClear HCI_UART_PROTO_INIT with a write lock before calling\nhu-\u003eproto-\u003eclose() and setting hu-\u003ehdev to NULL. The write lock ensures\nall active readers have completed and no new reader can enter the\nprotocol recv path before resources are freed.\n\nThis allows the protocol-specific recv functions to remove the\n\"HCI_UART_REGISTERED\" guard without risking a null pointer dereference\nif hci_register_dev() fails.\n\nFixes: 5df5dafc171b (\"Bluetooth: hci_uart: Fix another race during initialization\")\nSigned-off-by: Jonathan Rissanen \u003cjonathan.rissanen@axis.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "1e1429288304c4019411e54029a53fbe3102c7ae", "tree": "1e05fb0fda3d9b91029809fa9c9b04c1053e2013", "parents": [ "3e7e7f4bdbe54c88d5490276d04fa8524cd3b5ea" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Mar 25 11:11:46 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 30 16:23:02 2026 -0400" }, "message": "Bluetooth: hci_sync: Fix UAF in le_read_features_complete\n\nThis fixes the following backtrace caused by hci_conn being freed\nbefore le_read_features_complete but after\nhci_le_read_remote_features_sync so hci_conn_del -\u003e hci_cmd_sync_dequeue\nis not able to prevent it:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\nBUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\nBUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\nWrite of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52\n\nCPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:194 [inline]\n kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]\n hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]\n le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344\n hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n \u003c/TASK\u003e\n\nAllocated by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963\n hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084\n le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714\n hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861\n hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408\n hci_event_func net/bluetooth/hci_event.c:7716 [inline]\n hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nFreed by task 5932:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free mm/slub.c:6663 [inline]\n kfree+0x2f8/0x6e0 mm/slub.c:6871\n device_release+0xa4/0x240 drivers/base/core.c:2565\n kobject_cleanup lib/kobject.c:689 [inline]\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1e7/0x590 lib/kobject.c:737\n put_device drivers/base/core.c:3797 [inline]\n device_unregister+0x2f/0xc0 drivers/base/core.c:3920\n hci_conn_del_sysfs+0xb4/0x180 net/bluetooth/hci_sysfs.c:79\n hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]\n hci_conn_del+0x657/0x1180 net/bluetooth/hci_conn.c:1234\n hci_disconn_complete_evt+0x410/0xa00 net/bluetooth/hci_event.c:3451\n hci_event_func net/bluetooth/hci_event.c:7719 [inline]\n hci_event_packet+0xa10/0x11c0 net/bluetooth/hci_event.c:7773\n hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqueue.c:3340 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421\n kthread+0x3c5/0x780 kernel/kthread.c:463\n ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246\n\nThe buggy address belongs to the object at ffff8880796b0000\n which belongs to the cache kmalloc-8k of size 8192\nThe buggy address is located 16 bytes inside of\n freed 8192-byte region [ffff8880796b0000, ffff8880796b2000)\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x796b0\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0xfff00000000040(head|node\u003d0|zone\u003d1|lastcpupid\u003d0x7ff)\npage_type: f5(slab)\nraw: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001\nraw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000\nhead: 00fff00000000040 ffff88813ff27280 0000000000000000 0000000000000001\nhead: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000\nhead: 00fff00000000003 ffffea0001e5ac01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5657, tgid 5657 (dhcpcd-run-hook), ts 79819636908, free_ts 79814310558\n set_page_owner include/linux/page_owner.h:32 [inline]\n post_alloc_hook+0x1af/0x220 mm/page_alloc.c:1845\n prep_new_page mm/page_alloc.c:1853 [inline]\n get_page_from_freelist+0xd0b/0x31a0 mm/page_alloc.c:3879\n __alloc_frozen_pages_noprof+0x25f/0x2440 mm/page_alloc.c:5183\n alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416\n alloc_slab_page mm/slub.c:3075 [inline]\n allocate_slab mm/slub.c:3248 [inline]\n new_slab+0x2c3/0x430 mm/slub.c:3302\n ___slab_alloc+0xe18/0x1c90 mm/slub.c:4651\n __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4774\n __slab_alloc_node mm/slub.c:4850 [inline]\n slab_alloc_node mm/slub.c:5246 [inline]\n __kmalloc_cache_noprof+0x477/0x800 mm/slub.c:5766\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]\n tomoyo_init_log+0xc8a/0x2140 security/tomoyo/audit.c:264\n tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198\n tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]\n tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63\n tomoyo_environ security/tomoyo/domain.c:672 [inline]\n tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888\n tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]\n tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92\n security_bprm_check+0x1b9/0x1e0 security/security.c:794\n search_binary_handler fs/exec.c:1659 [inline]\n exec_binprm fs/exec.c:1701 [inline]\n bprm_execve fs/exec.c:1753 [inline]\n bprm_execve+0x81e/0x1620 fs/exec.c:1729\n do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859\npage last free pid 5657 tgid 5657 stack trace:\n reset_page_owner include/linux/page_owner.h:25 [inline]\n free_pages_prepare mm/page_alloc.c:1394 [inline]\n __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2901\n discard_slab mm/slub.c:3346 [inline]\n __put_partials+0x130/0x170 mm/slub.c:3886\n qlink_free mm/kasan/quarantine.c:163 [inline]\n qlist_free_all+0x4c/0xf0 mm/kasan/quarantine.c:179\n kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286\n __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:352\n kasan_slab_alloc include/linux/kasan.h:252 [inline]\n slab_post_alloc_hook mm/slub.c:4948 [inline]\n slab_alloc_node mm/slub.c:5258 [inline]\n __kmalloc_cache_noprof+0x274/0x800 mm/slub.c:5766\n kmalloc_noprof include/linux/slab.h:957 [inline]\n tomoyo_print_header security/tomoyo/audit.c:156 [inline]\n tomoyo_init_log+0x197/0x2140 security/tomoyo/audit.c:255\n tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198\n tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]\n tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63\n tomoyo_environ security/tomoyo/domain.c:672 [inline]\n tomoyo_find_next_domain+0xec1/0x20b0 security/tomoyo/domain.c:888\n tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]\n tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92\n security_bprm_check+0x1b9/0x1e0 security/security.c:794\n search_binary_handler fs/exec.c:1659 [inline]\n exec_binprm fs/exec.c:1701 [inline]\n bprm_execve fs/exec.c:1753 [inline]\n bprm_execve+0x81e/0x1620 fs/exec.c:1729\n do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1859\n do_execve fs/exec.c:1933 [inline]\n __do_sys_execve fs/exec.c:2009 [inline]\n __se_sys_execve fs/exec.c:2004 [inline]\n __x64_sys_execve+0x8e/0xb0 fs/exec.c:2004\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n\nMemory state around the buggy address:\n ffff8880796aff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff8880796aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff8880796b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880796b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880796b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nFixes: a106e50be74b (\"Bluetooth: HCI: Add support for LL Extended Feature Set\")\nReported-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com\nTested-by: syzbot+87badbb9094e008e0685@syzkaller.appspotmail.com\nCloses: https://syzbot.org/bug?extid\u003d87badbb9094e008e0685\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\n" }, { "commit": "3e7e7f4bdbe54c88d5490276d04fa8524cd3b5ea", "tree": "9528b2f9fcf6de7caa28d9574f6e6aca7c11b7d8", "parents": [ "401702ac8a51fa8672089b1ba218676eecb0c5b6" ], "author": { "name": "Oleh Konko", "email": "security@1seal.org", "time": "Thu Mar 26 17:31:24 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 26 17:28:50 2026 -0400" }, "message": "Bluetooth: hci_event: move wake reason storage into validated event handlers\n\nhci_store_wake_reason() is called from hci_event_packet() immediately\nafter stripping the HCI event header but before hci_event_func()\nenforces the per-event minimum payload length from hci_ev_table.\nThis means a short HCI event frame can reach bacpy() before any bounds\ncheck runs.\n\nRather than duplicating skb parsing and per-event length checks inside\nhci_store_wake_reason(), move wake-address storage into the individual\nevent handlers after their existing event-length validation has\nsucceeded. Convert hci_store_wake_reason() into a small helper that only\nstores an already-validated bdaddr while the caller holds hci_dev_lock().\nUse the same helper after hci_event_func() with a NULL address to\npreserve the existing unexpected-wake fallback semantics when no\nvalidated event handler records a wake address.\n\nAnnotate the helper with __must_hold(\u0026hdev-\u003elock) and add\nlockdep_assert_held(\u0026hdev-\u003elock) so future call paths keep the lock\ncontract explicit.\n\nCall the helper from hci_conn_request_evt(), hci_conn_complete_evt(),\nhci_sync_conn_complete_evt(), le_conn_complete_evt(),\nhci_le_adv_report_evt(), hci_le_ext_adv_report_evt(),\nhci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and\nhci_le_past_received_evt().\n\nFixes: 2f20216c1d6f (\"Bluetooth: Emit controller suspend and resume events\")\nCc: stable@vger.kernel.org\nSigned-off-by: Oleh Konko \u003csecurity@1seal.org\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "401702ac8a51fa8672089b1ba218676eecb0c5b6", "tree": "9a1a40d527b6073febf3c924479497cc6d7c89a3", "parents": [ "fdb07d4116bf88b33ee30ac68d21075d15f0c8fa" ], "author": { "name": "Cen Zhang", "email": "zzzccc427@gmail.com", "time": "Thu Mar 26 23:16:45 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 26 17:28:32 2026 -0400" }, "message": "Bluetooth: SCO: fix race conditions in sco_sock_connect()\n\nsco_sock_connect() checks sk_state and sk_type without holding\nthe socket lock. Two concurrent connect() syscalls on the same\nsocket can both pass the check and enter sco_connect(), leading\nto use-after-free.\n\nThe buggy scenario involves three participants and was confirmed\nwith additional logging instrumentation:\n\n Thread A (connect): HCI disconnect: Thread B (connect):\n\n sco_sock_connect(sk) sco_sock_connect(sk)\n sk_state\u003d\u003dBT_OPEN sk_state\u003d\u003dBT_OPEN\n (pass, no lock) (pass, no lock)\n sco_connect(sk): sco_connect(sk):\n hci_dev_lock hci_dev_lock\n hci_connect_sco \u003c- blocked\n -\u003e hcon1\n sco_conn_add-\u003econn1\n lock_sock(sk)\n sco_chan_add:\n conn1-\u003esk \u003d sk\n sk-\u003econn \u003d conn1\n sk_state\u003dBT_CONNECT\n release_sock\n hci_dev_unlock\n hci_dev_lock\n sco_conn_del:\n lock_sock(sk)\n sco_chan_del:\n sk-\u003econn\u003dNULL\n conn1-\u003esk\u003dNULL\n sk_state\u003d\n BT_CLOSED\n SOCK_ZAPPED\n release_sock\n hci_dev_unlock\n (unblocked)\n hci_connect_sco\n -\u003e hcon2\n sco_conn_add\n -\u003e conn2\n lock_sock(sk)\n sco_chan_add:\n sk-\u003econn\u003dconn2\n sk_state\u003d\n BT_CONNECT\n // zombie sk!\n release_sock\n hci_dev_unlock\n\nThread B revives a BT_CLOSED + SOCK_ZAPPED socket back to\nBT_CONNECT. Subsequent cleanup triggers double sock_put() and\nuse-after-free. Meanwhile conn1 is leaked as it was orphaned\nwhen sco_conn_del() cleared the association.\n\nFix this by:\n- Moving lock_sock() before the sk_state/sk_type checks in\n sco_sock_connect() to serialize concurrent connect attempts\n- Fixing the sk_type !\u003d SOCK_SEQPACKET check to actually\n return the error instead of just assigning it\n- Adding a state re-check in sco_connect() after lock_sock()\n to catch state changes during the window between the locks\n- Adding sco_pi(sk)-\u003econn check in sco_chan_add() to prevent\n double-attach of a socket to multiple connections\n- Adding hci_conn_drop() on sco_chan_add failure to prevent\n HCI connection leaks\n\nFixes: 9a8ec9e8ebb5 (\"Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm\")\nSigned-off-by: Cen Zhang \u003czzzccc427@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "fdb07d4116bf88b33ee30ac68d21075d15f0c8fa", "tree": "0feee111f601690b2bff921cad98e13b5bd753ba", "parents": [ "c246bfe2efb6ff48b6fc0c2581c6a1a0fcabee18" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Wed Mar 25 21:07:46 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 26 14:28:16 2026 -0400" }, "message": "Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if immediate\n\nhci_cmd_sync_run() may run the work immediately if called from existing\nsync work (otherwise it queues a new sync work). In this case it fails\nto call the destroy() function.\n\nOn immediate run, make it behave same way as if item was queued\nsuccessfully: call destroy, and return 0.\n\nThe only callsite is hci_abort_conn() via hci_cmd_sync_run_once(), and\nthis changes its return value. However, its return value is not used\nexcept as the return value for hci_disconnect(), and nothing uses the\nreturn value of hci_disconnect(). Hence there should be no behavior\nchange anywhere.\n\nFixes: c898f6d7b093b (\"Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once\")\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c246bfe2efb6ff48b6fc0c2581c6a1a0fcabee18", "tree": "0ec30a918e6cbc7ed432a001f50e10d4439a7425", "parents": [ "0098a022e07b2341cdfa77b9ac75b188f5a1f359" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Wed Mar 25 21:07:45 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 26 14:28:12 2026 -0400" }, "message": "Bluetooth: hci_sync: make hci_cmd_sync_run_once return -EEXIST if exists\n\nhci_cmd_sync_run_once() needs to indicate whether a queue item was\nadded, so caller can know if callbacks are called, so it can avoid\nleaking resources.\n\nChange the function to return -EEXIST if queue item already exists.\n\nModify all callsites vs. the changes. The only callsite is\nhci_abort_conn().\n\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0098a022e07b2341cdfa77b9ac75b188f5a1f359", "tree": "7d437d1594ee9953da8cbb54423811ac96f5f5fc", "parents": [ "dd97a8c7b305a0684b387ab6a9dd6d1fd15ab3f1" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Wed Mar 25 21:07:44 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 26 14:28:08 2026 -0400" }, "message": "Bluetooth: hci_sync: fix leaks when hci_cmd_sync_queue_once fails\n\nWhen hci_cmd_sync_queue_once() returns with error, the destroy callback\nwill not be called.\n\nFix leaking references / memory on these failures.\n\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "dd97a8c7b305a0684b387ab6a9dd6d1fd15ab3f1", "tree": "6bc7e9589c9b3f6c9c6e948ab460ea3c2ca87314", "parents": [ "a94b3460712c656338fe2f72087a384157794630" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Wed Mar 25 21:07:43 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 26 14:28:04 2026 -0400" }, "message": "Bluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists\n\nhci_cmd_sync_queue_once() needs to indicate whether a queue item was\nadded, so caller can know if callbacks are called, so it can avoid\nleaking resources.\n\nChange the function to return -EEXIST if queue item already exists.\n\nModify all callsites to handle that.\n\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "a94b3460712c656338fe2f72087a384157794630", "tree": "f92c5382d1c19727c85affac7d9aec514cd66314", "parents": [ "08a198361071acbba5d92087572cff34b1c2400f" ], "author": { "name": "Shuai Zhang", "email": "shuai.zhang@oss.qualcomm.com", "time": "Tue Mar 24 10:30:16 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Mar 25 11:42:23 2026 -0400" }, "message": "Bluetooth: hci_qca: disable power control for WCN7850 when bt_en is not defined\n\nOn platforms using an M.2 slot with both UART and USB support, bt_en is\npulled high by hardware. In this case, software-based power control\nshould be disabled. The current platforms are Lemans-EVK and Monaco-EVK.\n\nAdd QCA_WCN7850 to the existing condition so that power_ctrl_enabled is\ncleared when bt_en is not software-controlled (or absent), aligning its\nbehavior with WCN6750 and WCN6855\n\nSigned-off-by: Shuai Zhang \u003cshuai.zhang@oss.qualcomm.com\u003e\nReviewed-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "08a198361071acbba5d92087572cff34b1c2400f", "tree": "d6009305056f7ab86bd6845102196e05f8b39ec9", "parents": [ "acf374fce194d131a220bdeea0fdbfb9d275dc77" ], "author": { "name": "Pengpeng Hou", "email": "pengpeng@iscas.ac.cn", "time": "Wed Mar 25 08:42:45 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Wed Mar 25 11:41:42 2026 -0400" }, "message": "Bluetooth: btusb: clamp SCO altsetting table indices\n\nbtusb_work() maps the number of active SCO links to USB alternate\nsettings through a three-entry lookup table when CVSD traffic uses\ntransparent voice settings. The lookup currently indexes alts[] with\ndata-\u003esco_num - 1 without first constraining sco_num to the number of\navailable table entries.\n\nWhile the table only defines alternate settings for up to three SCO\nlinks, data-\u003esco_num comes from hci_conn_num() and is used directly.\nCap the lookup to the last table entry before indexing it so the\ndriver keeps selecting the highest supported alternate setting without\nreading past alts[].\n\nFixes: baac6276c0a9 (\"Bluetooth: btusb: handle mSBC audio over USB Endpoints\")\nSigned-off-by: Pengpeng Hou \u003cpengpeng@iscas.ac.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "acf374fce194d131a220bdeea0fdbfb9d275dc77", "tree": "99672e50f90cba5cb78cb100cb85d54e0cde9800", "parents": [ "f6bba07f059c15424f497ea884aceda157fb1d6a" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Fri Mar 20 20:23:10 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 23 15:32:35 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop\n\nl2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED\nstate to support L2CAP reconfiguration (e.g. MTU changes). However,\nsince both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from\nthe initial configuration, the reconfiguration path falls through to\nl2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and\nretrans_list without freeing the previous allocations and sets\nchan-\u003esdu to NULL without freeing the existing skb. This leaks all\npreviously allocated ERTM resources.\n\nAdditionally, l2cap_parse_conf_req() does not validate the minimum\nvalue of remote_mps derived from the RFC max_pdu_size option. A zero\nvalue propagates to l2cap_segment_sdu() where pdu_len becomes zero,\ncausing the while loop to never terminate since len is never\ndecremented, exhausting all available memory.\n\nFix the double-init by skipping l2cap_ertm_init() and\nl2cap_chan_ready() when the channel is already in BT_CONNECTED state,\nwhile still allowing the reconfiguration parameters to be updated\nthrough l2cap_parse_conf_req(). Also add a pdu_len zero check in\nl2cap_segment_sdu() as a safeguard.\n\nFixes: 96298f640104 (\"Bluetooth: L2CAP: handle l2cap config request during open state\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "f6bba07f059c15424f497ea884aceda157fb1d6a", "tree": "00fdb1b0291d70e8e718775ab390c7ab3607a423", "parents": [ "b8982b6b9815690bc3195aecc50714f9f36819cf" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Fri Mar 20 20:01:26 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 23 15:32:35 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()\n\nl2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer\nand id_addr_timer while holding conn-\u003elock. However, the work functions\nl2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire\nconn-\u003elock, creating a potential AB-BA deadlock if the work is already\nexecuting when l2cap_conn_del() takes the lock.\n\nMove the work cancellations before acquiring conn-\u003elock and use\ndisable_delayed_work_sync() to additionally prevent the works from\nbeing rearmed after cancellation, consistent with the pattern used in\nhci_conn_del().\n\nFixes: ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in hci_chan_del\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "b8982b6b9815690bc3195aecc50714f9f36819cf", "tree": "b0203524ed016aaf1612b6c04da1d6d1c25b93cd", "parents": [ "582cc119bc635a6fd59d6f565fe93c36881d92d9" ], "author": { "name": "Cen Zhang", "email": "zzzccc427@gmail.com", "time": "Wed Mar 18 20:54:03 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 23 15:32:35 2026 -0400" }, "message": "Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock(). This lets it race against\nhci_dev_do_close() -\u003e btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock. When both paths manipulate\nhdev-\u003ereq_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n read of hdev-\u003ereq_rsp at net/bluetooth/hci_sync.c:199\n by task kworker/u17:1/83:\n __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n write/free by task ioctl/22580:\n btintel_shutdown_combined+0xd0/0x360\n drivers/bluetooth/btintel.c:3648\n hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n BUG: KASAN: slab-use-after-free in\n sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n Read of size 4 at addr ffff888144a738dc\n by task kworker/u17:1/83:\n __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260\n\nFixes: 973bb97e5aee (\"Bluetooth: btintel: Add generic function for handling hardware errors\")\nSigned-off-by: Cen Zhang \u003czzzccc427@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "582cc119bc635a6fd59d6f565fe93c36881d92d9", "tree": "249849b02fd72bcf3bf35821bca0b8ec0f000869", "parents": [ "eae2412ea6f80623e44075912f12037449ccc38d" ], "author": { "name": "Zhang Chen", "email": "zhangchen01@kylinos.cn", "time": "Thu Mar 19 17:32:11 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 23 15:32:31 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix send LE flow credits in ACL link\n\nWhen the L2CAP channel mode is L2CAP_MODE_ERTM/L2CAP_MODE_STREAMING,\nl2cap_publish_rx_avail will be called and le flow credits will be sent in\nl2cap_chan_rx_avail, even though the link type is ACL.\n\nThe logs in question as follows:\n\u003e ACL Data RX: Handle 129 flags 0x02 dlen 12\n L2CAP: Unknown (0x16) ident 4 len 4\n 40 00 ed 05\n\u003c ACL Data TX: Handle 129 flags 0x00 dlen 10\n L2CAP: Command Reject (0x01) ident 4 len 2\n Reason: Command not understood (0x0000)\n\nBluetooth: Unknown BR/EDR signaling command 0x16\nBluetooth: Wrong link type (-22)\n\nFixes: ce60b9231b66 (\"Bluetooth: compute LE flow credits based on recvbuf space\")\nSigned-off-by: Zhang Chen \u003czhangchen01@kylinos.cn\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "eae2412ea6f80623e44075912f12037449ccc38d", "tree": "e7b3d8b46d949273dc7ece01543d0b51a9e9eca6", "parents": [ "bc280a5ed9efbad898ba66b124805b715ec9b555" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 17 11:54:01 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:08:49 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix regressions caused by reusing ident\n\nThis attempt to fix regressions caused by reusing ident which apparently\nis not handled well on certain stacks causing the stack to not respond to\nrequests, so instead of simple returning the first unallocated id this\nstores the last used tx_ident and then attempt to use the next until all\navailable ids are exausted and then cycle starting over to 1.\n\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221120\nLink: https://bugzilla.kernel.org/show_bug.cgi?id\u003d221177\nFixes: 6c3ea155e5ee (\"Bluetooth: L2CAP: Fix not tracking outstanding TX ident\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nTested-by: Christian Eggers \u003cceggers@arri.de\u003e\n" }, { "commit": "bc280a5ed9efbad898ba66b124805b715ec9b555", "tree": "e2455c9b46c604d7c84c3395c898d29297e2627b", "parents": [ "1d58bcf4a6c51566cf38595721b616de1462a395" ], "author": { "name": "Helen Koike", "email": "koike@igalia.com", "time": "Thu Mar 19 08:58:01 2026 -0300" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:05:22 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb\n\nBefore using sk pointer, check if it is null.\n\nFix the following:\n\n KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]\n CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025\n Workqueue: events l2cap_info_timeout\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df \u003c0f\u003e b6 04 07 3c 08 0f 92 c0 c3 cc cce\n veth0_macvtap: entered promiscuous mode\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005582615a5008 CR3: 000000007007e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n __kasan_check_byte+0x12/0x40\n lock_acquire+0x79/0x2e0\n lock_sock_nested+0x48/0x100\n ? l2cap_sock_ready_cb+0x46/0x160\n l2cap_sock_ready_cb+0x46/0x160\n l2cap_conn_start+0x779/0xff0\n ? __pfx_l2cap_conn_start+0x10/0x10\n ? l2cap_info_timeout+0x60/0xa0\n ? __pfx___mutex_lock+0x10/0x10\n l2cap_info_timeout+0x68/0xa0\n ? process_scheduled_works+0xa8d/0x18c0\n process_scheduled_works+0xb6e/0x18c0\n ? __pfx_process_scheduled_works+0x10/0x10\n ? assign_work+0x3d5/0x5e0\n worker_thread+0xa53/0xfc0\n kthread+0x388/0x470\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x51e/0xb90\n ? __pfx_ret_from_fork+0x10/0x10\n veth1_macvtap: entered promiscuous mode\n ? __switch_to+0xc7d/0x1450\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n Modules linked in:\n ---[ end trace 0000000000000000 ]---\n batman_adv: batadv0: Interface activated: batadv_slave_0\n batman_adv: batadv0: Interface activated: batadv_slave_1\n netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0\n netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0\n RIP: 0010:kasan_byte_accessible+0x12/0x30\n Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df \u003c0f\u003e b6 04 07 3c 08 0f 92 c0 c3 cc cce\n ieee80211 phy39: Selected rate control algorithm \u0027minstrel_ht\u0027\n RSP: 0018:ffffc90006e0f808 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffff89746018 RCX: 0000000080000001\n RDX: 0000000000000000 RSI: ffffffff89746018 RDI: 000000000000004c\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: dffffc0000000000 R11: ffffffff8aae3e70 R12: 0000000000000000\n R13: 0000000000000260 R14: 0000000000000260 R15: 0000000000000001\n FS: 0000000000000000(0000) GS:ffff8880983c2000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f7e16139e9c CR3: 000000000e74e000 CR4: 0000000000752ef0\n PKRU: 55555554\n Kernel panic - not syncing: Fatal exception\n\nFixes: 54a59aa2b562 (\"Bluetooth: Add l2cap_chan-\u003eops-\u003eready()\")\nSigned-off-by: Helen Koike \u003ckoike@igalia.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "1d58bcf4a6c51566cf38595721b616de1462a395", "tree": "2a48b6ae8f0e9609fbc2129e22c8a3856c44a908", "parents": [ "0f1a322270bb6fc6b3d7abf4b2e08b9349e25b81" ], "author": { "name": "Lukas Kraft", "email": "rebootrequired42@gmail.com", "time": "Fri Mar 13 17:39:12 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 19 14:03:16 2026 -0400" }, "message": "bluetooth: btusb: Fix whitespace in btusb.c\n\nReplace single space with tab and insert blank line after declaration, according to checkpatch\n\nSigned-off-by: Lukas Kraft \u003crebootrequired42@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0f1a322270bb6fc6b3d7abf4b2e08b9349e25b81", "tree": "cb0cdd722d7a16e2e74b0b0c60ffc8916c3dd357", "parents": [ "9adcc51be54975a6e44449d21fd1313dcf3dd8f0" ], "author": { "name": "Anas Iqbal", "email": "mohd.abd.6602@gmail.com", "time": "Sun Mar 15 10:51:37 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 17 15:13:42 2026 -0400" }, "message": "Bluetooth: hci_ll: Fix firmware leak on error path\n\nSmatch reports:\n\ndrivers/bluetooth/hci_ll.c:587 download_firmware() warn:\n\u0027fw\u0027 from request_firmware() not released on lines: 544.\n\nIn download_firmware(), if request_firmware() succeeds but the returned\nfirmware content is invalid (no data or zero size), the function returns\nwithout releasing the firmware, resulting in a resource leak.\n\nFix this by calling release_firmware() before returning when\nrequest_firmware() succeeded but the firmware content is invalid.\n\nFixes: 371805522f87 (\"bluetooth: hci_uart: add LL protocol serdev driver support\")\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Anas Iqbal \u003cmohd.abd.6602@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "9adcc51be54975a6e44449d21fd1313dcf3dd8f0", "tree": "d7f2f41350fa85c63fafbef8fd439e5256ce3b5e", "parents": [ "3c2dbfa16ca670c0cc7bc6820a32270c1c537db4" ], "author": { "name": "Cen Zhang", "email": "zzzccc427@gmail.com", "time": "Sun Mar 15 20:07:26 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 17 15:13:39 2026 -0400" }, "message": "Bluetooth: hci_sync: annotate data-races around hdev-\u003ereq_status\n\n__hci_cmd_sync_sk() sets hdev-\u003ereq_status under hdev-\u003ereq_lock:\n\n hdev-\u003ereq_status \u003d HCI_REQ_PEND;\n\nHowever, several other functions read or write hdev-\u003ereq_status without\nholding any lock:\n\n - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)\n - hci_cmd_sync_complete() reads/writes from HCI event completion\n - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write\n - hci_abort_conn() reads in connection abort path\n\nSince __hci_cmd_sync_sk() runs on hdev-\u003ereq_workqueue while\nhci_send_cmd_sync() runs on hdev-\u003eworkqueue, these are different\nworkqueues that can execute concurrently on different CPUs. The plain\nC accesses constitute a data race.\n\nAdd READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses\nto hdev-\u003ereq_status to prevent potential compiler optimizations that\ncould affect correctness (e.g., load fusing in the wait_event\ncondition or store reordering).\n\nSigned-off-by: Cen Zhang \u003czzzccc427@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "3c2dbfa16ca670c0cc7bc6820a32270c1c537db4", "tree": "f9b9e6c4c33c51f330002ce66f83b98b81fd2c30", "parents": [ "013598897448bbdaef9b72f9aac81bd9743d847c" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 16 15:03:27 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 17 14:51:28 2026 -0400" }, "message": "Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status !\u003d -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory.\n\nLink: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06\nFixes: 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\n" }, { "commit": "013598897448bbdaef9b72f9aac81bd9743d847c", "tree": "04714b86434563365dda1897c8940f7df129755e", "parents": [ "506c02824131311302c6926f58f2dd9ef9f8e02d" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 16 14:34:13 2026 -0400" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 17 14:49:14 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU\n\nThe code was printing skb-\u003elen and sdu_len in the places where it should\nbe sdu_len and chan-\u003eimtu respectively to match the if conditions.\n\nLink: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06\nFixes: fa768fce4aae (\"Bluetooth: LE L2CAP: Disconnect if received packet\u0027s SDU exceeds IMTU\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\n" }, { "commit": "506c02824131311302c6926f58f2dd9ef9f8e02d", "tree": "7d7f195dc70036f800975e146a37128005e61c85", "parents": [ "a480f2bbc7c2b87d480823628766c9210da3ec5c" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Fri Mar 13 05:26:16 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 16 15:14:49 2026 -0400" }, "message": "Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold\n\nsco_recv_frame() reads conn-\u003esk under sco_conn_lock() but immediately\nreleases the lock without holding a reference to the socket. A concurrent\nclose() can free the socket between the lock release and the subsequent\nsk-\u003esk_state access, resulting in a use-after-free.\n\nOther functions in the same file (sco_sock_timeout(), sco_conn_del())\ncorrectly use sco_sock_hold() to safely hold a reference under the lock.\n\nFix by using sco_sock_hold() to take a reference before releasing the\nlock, and adding sock_put() on all exit paths.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "a480f2bbc7c2b87d480823628766c9210da3ec5c", "tree": "5050f4b2c9406fc8f59f43875b557522e7f583d9", "parents": [ "6ec1f2e822b22fce0358258944d1213737507e70" ], "author": { "name": "Hyunwoo Kim", "email": "imv4bel@gmail.com", "time": "Fri Mar 13 05:22:39 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 16 15:14:45 2026 -0400" }, "message": "Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()\n\nl2cap_ecred_data_rcv() reads the SDU length field from skb-\u003edata using\nget_unaligned_le16() without first verifying that skb contains at least\nL2CAP_SDULEN_SIZE (2) bytes. When skb-\u003elen is less than 2, this reads\npast the valid data in the skb.\n\nThe ERTM reassembly path correctly calls pskb_may_pull() before reading\nthe SDU length (l2cap_reassemble_sdu, L2CAP_SAR_START case). Apply the\nsame validation to the Enhanced Credit Based Flow Control data path.\n\nFixes: aac23bf63659 (\"Bluetooth: Implement LE L2CAP reassembly\")\nSigned-off-by: Hyunwoo Kim \u003cimv4bel@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "6ec1f2e822b22fce0358258944d1213737507e70", "tree": "0e8d1a14d88e7d057dcfb0e0cb51878c5b05d0b7", "parents": [ "ae74ff4cdad55a7acc66dd33894fd85d5a9aa1b1" ], "author": { "name": "Minseo Park", "email": "jacob.park.9436@gmail.com", "time": "Sun Mar 15 22:14:37 2026 +0900" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 16 15:14:39 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req\n\nSyzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()\nthat is triggered by a malformed Enhanced Credit Based Connection Request.\n\nThe vulnerability stems from l2cap_ecred_conn_req(). The function allocates\na local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel\nIDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more\nthan 5 SCIDs, the function calculates `rsp_len` based on this unvalidated\n`cmd_len` before checking if the number of SCIDs exceeds\nL2CAP_ECRED_MAX_CID.\n\nIf the SCID count is too high, the function correctly jumps to the\n`response` label to reject the packet, but `rsp_len` retains the\nattacker\u0027s oversized value. Consequently, l2cap_send_cmd() is instructed\nto read past the end of the 18-byte `pdu` buffer, triggering a\nKASAN panic.\n\nFix this by moving the assignment of `rsp_len` to after the `num_scid`\nboundary check. If the packet is rejected, `rsp_len` will safely\nremain 0, and the error response will only read the 8-byte base header\nfrom the stack.\n\nFixes: c28d2bff7044 (\"Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short\")\nReported-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003db7f3e7d9a596bf6a63e3\nTested-by: syzbot+b7f3e7d9a596bf6a63e3@syzkaller.appspotmail.com\nSigned-off-by: Minseo Park \u003cjacob.park.9436@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "ae74ff4cdad55a7acc66dd33894fd85d5a9aa1b1", "tree": "2ae061bd713f9a0b1a970ac5fa72a0593a79bc40", "parents": [ "88a5dee7d0850dcd6e88e8c216094d14f2cc46d3" ], "author": { "name": "Dmitry Baryshkov", "email": "dmitry.baryshkov@oss.qualcomm.com", "time": "Wed Mar 11 01:02:58 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:04:13 2026 -0400" }, "message": "Bluetooth: qca: enable pwrseq support for WCN39xx devices\n\nThe WCN39xx family of WiFi/BT chips incorporates a simple PMU, spreading\nvoltages over internal rails. Implement support for using powersequencer\nfor this family of QCA devices in addition to using regulators.\n\nReviewed-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nSigned-off-by: Dmitry Baryshkov \u003cdmitry.baryshkov@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "88a5dee7d0850dcd6e88e8c216094d14f2cc46d3", "tree": "741cfaafc30f15276faebd59217c7a80879ae8cf", "parents": [ "c2403f1ace273288c8caefa0ab12ef98736e09ae" ], "author": { "name": "Dmitry Baryshkov", "email": "dmitry.baryshkov@oss.qualcomm.com", "time": "Wed Mar 11 01:02:57 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:03:55 2026 -0400" }, "message": "Bluetooth: qca: fix ROM version reading on WCN3998 chips\n\nWCN3998 uses a bit different format for rom version:\n\n[ 5.479978] Bluetooth: hci0: setting up wcn399x\n[ 5.633763] Bluetooth: hci0: QCA Product ID :0x0000000a\n[ 5.645350] Bluetooth: hci0: QCA SOC Version :0x40010224\n[ 5.650906] Bluetooth: hci0: QCA ROM Version :0x00001001\n[ 5.665173] Bluetooth: hci0: QCA Patch Version:0x00006699\n[ 5.679356] Bluetooth: hci0: QCA controller version 0x02241001\n[ 5.691109] Bluetooth: hci0: QCA Downloading qca/crbtfw21.tlv\n[ 6.680102] Bluetooth: hci0: QCA Downloading qca/crnv21.bin\n[ 6.842948] Bluetooth: hci0: QCA setup on UART is completed\n\nFixes: 523760b7ff88 (\"Bluetooth: hci_qca: Added support for WCN3998\")\nReviewed-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nSigned-off-by: Dmitry Baryshkov \u003cdmitry.baryshkov@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c2403f1ace273288c8caefa0ab12ef98736e09ae", "tree": "6787edd08745f4d009d93dae6c12f72f9ca36759", "parents": [ "2b53ed48f00bfa464a26dbd73ec95b176dca1831" ], "author": { "name": "Lukas Johannes Möller", "email": "research@johannes-moeller.dev", "time": "Tue Mar 10 21:59:47 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:03:35 2026 -0400" }, "message": "Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access\n\nl2cap_information_rsp() checks that cmd_len covers the fixed\nl2cap_info_rsp header (type + result, 4 bytes) but then reads\nrsp-\u003edata without verifying that the payload is present:\n\n - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp-\u003edata), which reads\n 4 bytes past the header (needs cmd_len \u003e\u003d 8).\n\n - L2CAP_IT_FIXED_CHAN reads rsp-\u003edata[0], 1 byte past the header\n (needs cmd_len \u003e\u003d 5).\n\nA truncated L2CAP_INFO_RSP with result \u003d\u003d L2CAP_IR_SUCCESS triggers an\nout-of-bounds read of adjacent skb data.\n\nGuard each data access with the required payload length check. If the\npayload is too short, skip the read and let the state machine complete\nwith safe defaults (feat_mask and remote_fixed_chan remain zero from\nkzalloc), so the info timer cleanup and l2cap_conn_start() still run\nand the connection is not stalled.\n\nFixes: 4e8402a3f884 (\"[Bluetooth] Retrieve L2CAP features mask on connection setup\")\nCc: stable@vger.kernel.org\nSigned-off-by: Lukas Johannes Möller \u003cresearch@johannes-moeller.dev\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "2b53ed48f00bfa464a26dbd73ec95b176dca1831", "tree": "40e13ac50775997fd4fb49431cea8cfea96b50b9", "parents": [ "7dd00b0734fb4b820d3b197ae7b24471b1b2fd65" ], "author": { "name": "Lukas Johannes Möller", "email": "research@johannes-moeller.dev", "time": "Tue Mar 10 21:59:46 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:03:15 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()\n\nl2cap_ecred_reconf_rsp() casts the incoming data to struct\nl2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with\nresult at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes\nwith result at offset 0).\n\nThis causes two problems:\n\n - The sizeof(*rsp) length check requires 8 bytes instead of the\n correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected\n with -EPROTO.\n\n - rsp-\u003eresult reads from offset 6 instead of offset 0, returning\n wrong data when the packet is large enough to pass the check.\n\nFix by using the correct type. Also pass the already byte-swapped\nresult variable to BT_DBG instead of the raw __le16 field.\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nCc: stable@vger.kernel.org\nSigned-off-by: Lukas Johannes Möller \u003cresearch@johannes-moeller.dev\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "7dd00b0734fb4b820d3b197ae7b24471b1b2fd65", "tree": "2a80636e3b6c5ca9b3c81436c3d9468668c3f516", "parents": [ "d1d7a87426cd2e695ddf8e84e6d860b892b2706c" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Tue Mar 03 13:29:53 2026 -0500" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:02:54 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n\u0027Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.\u0027\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found.\n\nFixes: 15f02b910562 (\"Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode\")\nReported-by: Yiming Qian \u003cyimingqian591@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "d1d7a87426cd2e695ddf8e84e6d860b892b2706c", "tree": "312863e3809230c55ab72c70c837b8941388cd30", "parents": [ "eb83f2863557fc8aef8174466e58bc1ebe25e258" ], "author": { "name": "Shaurya Rane", "email": "ssrane_b23@ee.vjti.ac.in", "time": "Thu Nov 06 23:50:16 2025 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:02:33 2026 -0400" }, "message": "Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user\n\nAfter commit ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in\nhci_chan_del\"), l2cap_conn_del() uses conn-\u003elock to protect access to\nconn-\u003eusers. However, l2cap_register_user() and l2cap_unregister_user()\ndon\u0027t use conn-\u003elock, creating a race condition where these functions can\naccess conn-\u003eusers and conn-\u003ehchan concurrently with l2cap_conn_del().\n\nThis can lead to use-after-free and list corruption bugs, as reported\nby syzbot.\n\nFix this by changing l2cap_register_user() and l2cap_unregister_user()\nto use conn-\u003elock instead of hci_dev_lock(), ensuring consistent locking\nfor the l2cap_conn structure.\n\nReported-by: syzbot+14b6d57fb728e27ce23c@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d14b6d57fb728e27ce23c\nFixes: ab4eedb790ca (\"Bluetooth: L2CAP: Fix corrupted list in hci_chan_del\")\nSigned-off-by: Shaurya Rane \u003cssrane_b23@ee.vjti.ac.in\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "eb83f2863557fc8aef8174466e58bc1ebe25e258", "tree": "bfa822d869ff9a79d9e95593221e81bccff79a6b", "parents": [ "49a9ccb181b3156ee1c8cb05383bab9516d8d014" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 05 10:17:47 2026 -0500" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:02:15 2026 -0400" }, "message": "Bluetooth: HIDP: Fix possible UAF\n\nThis fixes the following trace caused by not dropping l2cap_conn\nreference when user-\u003eremove callback is called:\n\n[ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00\n[ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[ 97.809947] Call Trace:\n[ 97.809954] \u003cTASK\u003e\n[ 97.809961] dump_stack_lvl (lib/dump_stack.c:122)\n[ 97.809990] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[ 97.810017] l2cap_conn_del (./include/linux/kref.h:66 net/bluetooth/l2cap_core.c:1821 net/bluetooth/l2cap_core.c:1798)\n[ 97.810055] l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7347 (discriminator 1) net/bluetooth/l2cap_core.c:7340 (discriminator 1))\n[ 97.810086] ? __pfx_l2cap_disconn_cfm (net/bluetooth/l2cap_core.c:7341)\n[ 97.810117] hci_conn_hash_flush (./include/net/bluetooth/hci_core.h:2152 (discriminator 2) net/bluetooth/hci_conn.c:2644 (discriminator 2))\n[ 97.810148] hci_dev_close_sync (net/bluetooth/hci_sync.c:5360)\n[ 97.810180] ? __pfx_hci_dev_close_sync (net/bluetooth/hci_sync.c:5285)\n[ 97.810212] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810242] ? up_write (./arch/x86/include/asm/atomic64_64.h:87 (discriminator 5) ./include/linux/atomic/atomic-arch-fallback.h:2852 (discriminator 5) ./include/linux/atomic/atomic-long.h:268 (discriminator 5) ./include/linux/atomic/atomic-instrumented.h:3391 (discriminator 5) kernel/locking/rwsem.c:1385 (discriminator 5) kernel/locking/rwsem.c:1643 (discriminator 5))\n[ 97.810267] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810290] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[ 97.810320] hci_unregister_dev (net/bluetooth/hci_core.c:504 net/bluetooth/hci_core.c:2716)\n[ 97.810346] vhci_release (drivers/bluetooth/hci_vhci.c:691)\n[ 97.810375] ? __pfx_vhci_release (drivers/bluetooth/hci_vhci.c:678)\n[ 97.810404] __fput (fs/file_table.c:470)\n[ 97.810430] task_work_run (kernel/task_work.c:235)\n[ 97.810451] ? __pfx_task_work_run (kernel/task_work.c:201)\n[ 97.810472] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810495] ? do_raw_spin_unlock (./include/asm-generic/qspinlock.h:128 (discriminator 5) kernel/locking/spinlock_debug.c:142 (discriminator 5))\n[ 97.810527] do_exit (kernel/exit.c:972)\n[ 97.810547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810574] ? __pfx_do_exit (kernel/exit.c:897)\n[ 97.810594] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[ 97.810616] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810639] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[ 97.810664] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810688] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 97.810721] do_group_exit (kernel/exit.c:1093)\n[ 97.810745] get_signal (kernel/signal.c:3007 (discriminator 1))\n[ 97.810772] ? security_file_permission (./arch/x86/include/asm/jump_label.h:37 security/security.c:2366)\n[ 97.810803] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810826] ? vfs_read (fs/read_write.c:555)\n[ 97.810854] ? __pfx_get_signal (kernel/signal.c:2800)\n[ 97.810880] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810905] ? __pfx_vfs_read (fs/read_write.c:555)\n[ 97.810932] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.810960] arch_do_signal_or_restart (arch/x86/kernel/signal.c:337 (discriminator 1))\n[ 97.810990] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:334)\n[ 97.811021] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.811055] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.811078] ? ksys_read (fs/read_write.c:707)\n[ 97.811106] ? __pfx_ksys_read (fs/read_write.c:707)\n[ 97.811137] exit_to_user_mode_loop (kernel/entry/common.c:66 kernel/entry/common.c:98)\n[ 97.811169] ? rcu_is_watching (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/context_tracking.h:128 kernel/rcu/tree.c:752)\n[ 97.811192] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.811215] ? trace_hardirqs_off (./include/trace/events/preemptirq.h:36 (discriminator 33) kernel/trace/trace_preemptirq.c:95 (discriminator 33) kernel/trace/trace_preemptirq.c:90 (discriminator 33))\n[ 97.811240] do_syscall_64 (./include/linux/irq-entry-common.h:226 ./include/linux/irq-entry-common.h:256 ./include/linux/entry-common.h:325 arch/x86/entry/syscall_64.c:100)\n[ 97.811268] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 97.811292] ? exc_page_fault (arch/x86/mm/fault.c:1480 (discriminator 3) arch/x86/mm/fault.c:1527 (discriminator 3))\n[ 97.811318] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n[ 97.811338] RIP: 0033:0x445cfe\n[ 97.811352] Code: Unable to access opcode bytes at 0x445cd4.\n\nCode starting with the faulting instruction\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ 97.811360] RSP: 002b:00007f65c41c6dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 97.811378] RAX: fffffffffffffe00 RBX: 00007f65c41c76c0 RCX: 0000000000445cfe\n[ 97.811391] RDX: 0000000000000400 RSI: 00007f65c41c6e40 RDI: 0000000000000004\n[ 97.811403] RBP: 00007f65c41c7250 R08: 0000000000000000 R09: 0000000000000000\n[ 97.811415] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffe8\n[ 97.811428] R13: 0000000000000000 R14: 00007fff780a8c00 R15: 00007f65c41c76c0\n[ 97.811453] \u003c/TASK\u003e\n[ 98.402453] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ 98.403560] BUG: KASAN: use-after-free in __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)\n[ 98.404541] Read of size 8 at addr ffff888113ee40a8 by task khidpd_00050004/1430\n[ 98.405361]\n[ 98.405563] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[ 98.405588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[ 98.405600] Call Trace:\n[ 98.405607] \u003cTASK\u003e\n[ 98.405614] dump_stack_lvl (lib/dump_stack.c:122)\n[ 98.405641] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 98.405667] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.405691] ? __virt_addr_valid (arch/x86/mm/physaddr.c:55)\n[ 98.405724] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)\n[ 98.405748] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)\n[ 98.405778] ? __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)\n[ 98.405807] __mutex_lock (kernel/locking/mutex.c:199 kernel/locking/mutex.c:694 kernel/locking/mutex.c:776)\n[ 98.405832] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:95 (discriminator 4) kernel/locking/spinlock_debug.c:118 (discriminator 4))\n[ 98.405859] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))\n[ 98.405888] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)\n[ 98.405915] ? __pfx___mutex_lock (kernel/locking/mutex.c:775)\n[ 98.405939] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.405963] ? lock_acquire (kernel/locking/lockdep.c:470 (discriminator 6) kernel/locking/lockdep.c:5870 (discriminator 6) kernel/locking/lockdep.c:5825 (discriminator 6))\n[ 98.405984] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 98.406015] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406038] ? lock_release (kernel/locking/lockdep.c:5536 kernel/locking/lockdep.c:5889 kernel/locking/lockdep.c:5875)\n[ 98.406061] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406085] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./arch/x86/include/asm/irqflags.h:159 ./include/linux/spinlock_api_smp.h:178 kernel/locking/spinlock.c:194)\n[ 98.406107] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406130] ? __timer_delete_sync (kernel/time/timer.c:1592)\n[ 98.406158] ? l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))\n[ 98.406186] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406210] l2cap_unregister_user (./include/linux/list.h:381 (discriminator 2) net/bluetooth/l2cap_core.c:1723 (discriminator 2))\n[ 98.406263] hidp_session_thread (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/bluetooth/hidp/core.c:996 net/bluetooth/hidp/core.c:1305)\n[ 98.406293] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)\n[ 98.406323] ? kthread (kernel/kthread.c:433)\n[ 98.406340] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)\n[ 98.406370] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406393] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 98.406424] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)\n[ 98.406453] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406476] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))\n[ 98.406499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406523] ? kthread (kernel/kthread.c:433)\n[ 98.406539] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406565] ? kthread (kernel/kthread.c:433)\n[ 98.406581] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)\n[ 98.406610] kthread (kernel/kthread.c:467)\n[ 98.406627] ? __pfx_kthread (kernel/kthread.c:412)\n[ 98.406645] ret_from_fork (arch/x86/kernel/process.c:164)\n[ 98.406674] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)\n[ 98.406704] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.406728] ? __pfx_kthread (kernel/kthread.c:412)\n[ 98.406747] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)\n[ 98.406774] \u003c/TASK\u003e\n[ 98.406780]\n[ 98.433693] The buggy address belongs to the physical page:\n[ 98.434405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888113ee7c40 pfn:0x113ee4\n[ 98.435557] flags: 0x200000000000000(node\u003d0|zone\u003d2)\n[ 98.436198] raw: 0200000000000000 ffffea0004244308 ffff8881f6f3ebc0 0000000000000000\n[ 98.437195] raw: ffff888113ee7c40 0000000000000000 00000000ffffffff 0000000000000000\n[ 98.438115] page dumped because: kasan: bad access detected\n[ 98.438951]\n[ 98.439211] Memory state around the buggy address:\n[ 98.439871] ffff888113ee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 98.440714] ffff888113ee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 98.441580] \u003effff888113ee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 98.442458] ^\n[ 98.443011] ffff888113ee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 98.443889] ffff888113ee4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 98.444768] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ 98.445719] Disabling lock debugging due to kernel taint\n[ 98.448074] l2cap_conn_free: freeing conn ffff88810c22b400\n[ 98.450012] CPU: 1 UID: 0 PID: 1430 Comm: khidpd_00050004 Tainted: G B 7.0.0-rc1-dirty #14 PREEMPT(lazy)\n[ 98.450040] Tainted: [B]\u003dBAD_PAGE\n[ 98.450047] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n[ 98.450059] Call Trace:\n[ 98.450065] \u003cTASK\u003e\n[ 98.450071] dump_stack_lvl (lib/dump_stack.c:122)\n[ 98.450099] l2cap_conn_free (net/bluetooth/l2cap_core.c:1808)\n[ 98.450125] l2cap_conn_put (net/bluetooth/l2cap_core.c:1822)\n[ 98.450154] session_free (net/bluetooth/hidp/core.c:990)\n[ 98.450181] hidp_session_thread (net/bluetooth/hidp/core.c:1307)\n[ 98.450213] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)\n[ 98.450271] ? kthread (kernel/kthread.c:433)\n[ 98.450293] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)\n[ 98.450339] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.450368] ? find_held_lock (kernel/locking/lockdep.c:5350 (discriminator 1))\n[ 98.450406] ? __pfx_hidp_session_wake_function (net/bluetooth/hidp/core.c:1251)\n[ 98.450442] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.450471] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:79 (discriminator 1))\n[ 98.450499] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.450528] ? kthread (kernel/kthread.c:433)\n[ 98.450547] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.450578] ? kthread (kernel/kthread.c:433)\n[ 98.450598] ? __pfx_hidp_session_thread (net/bluetooth/hidp/core.c:1264)\n[ 98.450637] kthread (kernel/kthread.c:467)\n[ 98.450657] ? __pfx_kthread (kernel/kthread.c:412)\n[ 98.450680] ret_from_fork (arch/x86/kernel/process.c:164)\n[ 98.450715] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)\n[ 98.450752] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 98.450782] ? __pfx_kthread (kernel/kthread.c:412)\n[ 98.450804] ret_from_fork_asm (arch/x86/entry/entry_64.S:258)\n[ 98.450836] \u003c/TASK\u003e\n\nFixes: b4f34d8d9d26 (\"Bluetooth: hidp: add new session-management helpers\")\nReported-by: soufiane el hachmi \u003ckilwa10@gmail.com\u003e\nTested-by: soufiane el hachmi \u003ckilwa10@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "49a9ccb181b3156ee1c8cb05383bab9516d8d014", "tree": "d9f5ffa579ec9326871703079ac031caddead156", "parents": [ "4a62953e5f1431238ef6be912c227ff79486385f" ], "author": { "name": "Wang Tao", "email": "wangtao554@huawei.com", "time": "Fri Feb 27 11:03:39 2026 +0000" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:01:53 2026 -0400" }, "message": "Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") introduced\nmgmt_pending_valid(), which not only validates the pending command but\nalso unlinks it from the pending list if it is valid. This change in\nsemantics requires updates to several completion handlers to avoid list\ncorruption and memory safety issues.\n\nThis patch addresses two left-over issues from the aforementioned rework:\n\n1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove()\nis replaced with mgmt_pending_free() in the success path. Since\nmgmt_pending_valid() already unlinks the command at the beginning of\nthe function, calling mgmt_pending_remove() leads to a double list_del()\nand subsequent list corruption/kernel panic.\n\n2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error\npath is removed. Since the current command is already unlinked by\nmgmt_pending_valid(), this foreach loop would incorrectly target other\npending mesh commands, potentially freeing them while they are still being\nprocessed concurrently (leading to UAFs). The redundant mgmt_cmd_status()\nis also simplified to use cmd-\u003eopcode directly.\n\nFixes: 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\")\nSigned-off-by: Wang Tao \u003cwangtao554@huawei.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4a62953e5f1431238ef6be912c227ff79486385f", "tree": "53d4e6e565c909a4a347ff63bcca04f26a85dd05", "parents": [ "5d7e18841bb7580828ddfb0bf56c5e0a0a11182c" ], "author": { "name": "Michael Grzeschik", "email": "m.grzeschik@pengutronix.de", "time": "Thu Mar 05 14:50:52 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:01:32 2026 -0400" }, "message": "Bluetooth: hci_sync: Fix hci_le_create_conn_sync\n\nWhile introducing hci_le_create_conn_sync the functionality\nof hci_connect_le was ported to hci_le_create_conn_sync including\nthe disable of the scan before starting the connection.\n\nWhen this code was run non synchronously the immediate call that was\nsetting the flag HCI_LE_SCAN_INTERRUPTED had an impact. Since the\ncompletion handler for the LE_SCAN_DISABLE was not immediately called.\nIn the completion handler of the LE_SCAN_DISABLE event, this flag is\nchecked to set the state of the hdev to DISCOVERY_STOPPED.\n\nWith the synchronised approach the later setting of the\nHCI_LE_SCAN_INTERRUPTED flag has not the same effect. The completion\nhandler would immediately fire in the LE_SCAN_DISABLE call, check for\nthe flag, which is then not yet set and do nothing.\n\nTo fix this issue and make the function call work as before, we move the\nsetting of the flag HCI_LE_SCAN_INTERRUPTED before disabling the scan.\n\nFixes: 8e8b92ee60de (\"Bluetooth: hci_sync: Add hci_le_create_conn_sync\")\nSigned-off-by: Michael Grzeschik \u003cm.grzeschik@pengutronix.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5d7e18841bb7580828ddfb0bf56c5e0a0a11182c", "tree": "408563c84f0515fc6b2730e320647bdb11638b91", "parents": [ "29453188b83330920d20c3177a4debe3f5211f83" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Mon Mar 02 15:21:21 2026 -0500" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:01:15 2026 -0400" }, "message": "Bluetooth: btintel_pci: Fix btintel_pcie_read_hwexp code style\n\nUse proper alignment for break under a switch.\n\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "29453188b83330920d20c3177a4debe3f5211f83", "tree": "767a3e2d74e214fc38c468bb9488281810dc8086", "parents": [ "ee334786489fd87135dd93fd5c077316a5cfe2d6" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:39 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:00:55 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Add device id of Scorpious2, Nova Lake-PCD-S\n\nsudo lspci -v -k -d 8086:6e74\n\t80:14.7 Bluetooth: Intel Corporation Device 6e74 (rev 10)\n Subsystem: Intel Corporation Device 0011\n Flags: bus master, fast devsel, latency 0, IRQ 16\n Memory at 200002a8000 (64-bit, non-prefetchable) [size\u003d16K]\n Capabilities: [c8] Power Management version 3\n Capabilities: [d0] MSI: Enable- Count\u003d1/1 Maskable- 64bit+\n Capabilities: [40] Express Root Complex Integrated Endpoint, MSI 00\n Capabilities: [80] MSI-X: Enable+ Count\u003d32 Masked-\n Capabilities: [100] Latency Tolerance Reporting\n Kernel driver in use: btintel_pcie\n Kernel modules: btintel_pcie\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "ee334786489fd87135dd93fd5c077316a5cfe2d6", "tree": "97502c4403c89b3079c08d5d9b24aef6fff6e575", "parents": [ "05d1b1d54d14ff3df964c1e5e14c020208ac8011" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:38 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:00:35 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Add device id of Scorpius Peak2, Nova Lake-PCD-H\n\nsudo lspci -v -k -d 8086:d346\n\t00:14.7 Bluetooth: Intel Corporation Device d346\n\tSubsystem: Intel Corporation Device 0011\n\tFlags: bus master, fast devsel, latency 0, IRQ 16, IOMMU group 14\n\tMemory at b018378000 (64-bit, non-prefetchable) [size\u003d16K]\n\tCapabilities: [c8] Power Management version 3\n\tCapabilities: [d0] MSI: Enable- Count\u003d1/1 Maskable- 64bit+\n\tCapabilities: [40] Express Root Complex Integrated Endpoint, MSI 00\n\tCapabilities: [80] MSI-X: Enable+ Count\u003d32 Masked-\n\tCapabilities: [100] Latency Tolerance Reporting\n\tKernel driver in use: btintel_pcie\n\tKernel modules: btintel_pcie\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "05d1b1d54d14ff3df964c1e5e14c020208ac8011", "tree": "356857d4a43757c01b475dc602f27f5b5fc575d6", "parents": [ "c8af33bf9a3d3f6b097d62daf1825c948e7f3c81" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:37 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 14:00:14 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Add support for exception dump for ScP2F\n\nAdd device coredump support for Scorpious Peak2F product.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c8af33bf9a3d3f6b097d62daf1825c948e7f3c81", "tree": "cb5647262b6222f2b93364da3dd803acc385c88c", "parents": [ "e2c39b6b2521b23cb16c27402e05813cda1d1b5f" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:36 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:59:54 2026 -0400" }, "message": "Bluetooth: btintel: Add support for Scorpious Peak2F support\n\nAdd support for Intel Bluetooth Scorpious Peak2F core.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "e2c39b6b2521b23cb16c27402e05813cda1d1b5f", "tree": "38443833f344ebebdad11f654ef7bb007a8b1c78", "parents": [ "37c57d525679fa9c7d99ca3406b3d42e56358d39" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:35 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:59:34 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Add support for exception dump for ScP2\n\nAdd device coredump support for Scorpious Peak2 product.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "37c57d525679fa9c7d99ca3406b3d42e56358d39", "tree": "f58b97ca38d2988ca650cc3f301963db23bd1ba1", "parents": [ "17bfc1af71694824fc0771e075c23891ccd011ff" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:34 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:59:14 2026 -0400" }, "message": "Bluetooth: btintel: Add DSBR support for ScP2 onwards\n\nAdd DSBR support for Scorpious Peak2 cores onwards.\n\nRefer commit eb9e749c0182 (\"Bluetooth: btintel: Allow configuring drive\nstrength of BRI\") for details about DSBR.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "17bfc1af71694824fc0771e075c23891ccd011ff", "tree": "efcf37e452e49a8013de6b0531546fa3d11c78f1", "parents": [ "569aad7c95cb0a11caa31d012b954368568fdf57" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:33 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:58:54 2026 -0400" }, "message": "Bluetooth: btintel: Add support for Scorpious Peak2 support\n\nAdd support for Intel Bluetooth Scorpious Peak2 core.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "569aad7c95cb0a11caa31d012b954368568fdf57", "tree": "360041bbde542f2d0fb1e3f4345bb3ee05b931d0", "parents": [ "e47687d6ecf3a04b48c2eea7e7bd168ada6159aa" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:32 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:58:34 2026 -0400" }, "message": "Bluetooth: btintel: Replace CNVi id with hardware variant\n\nUse hardware variant instead of CNVi to send dsbr command.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "e47687d6ecf3a04b48c2eea7e7bd168ada6159aa", "tree": "97a7c4c622cd3b2098bdcc5dd3a5e77d748a593c", "parents": [ "e321a506f11cb725d36e0fa2c3a13da110ce3497" ], "author": { "name": "Kiran K", "email": "kiran.k@intel.com", "time": "Sat Feb 28 14:42:31 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:58:14 2026 -0400" }, "message": "Bluetooth: btintel: Add support for hybrid signature for ScP2 onwards\n\nIf FW image has hybrid signature (ECDSA and LMS) then send CSS header,\nECDSA public key, ECDSA signature, LMS public key, LMS signature and\ncommand buffer to device.\n\nSigned-off-by: Kiran K \u003ckiran.k@intel.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "e321a506f11cb725d36e0fa2c3a13da110ce3497", "tree": "4c45adb3129f7e2d9bf1a7a52070119e98af3c2a", "parents": [ "ef20d3012d9e4ee791b7da1f8fe70ed41d83305b" ], "author": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Fri Feb 27 15:23:01 2026 -0500" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:57:56 2026 -0400" }, "message": "Bluetooth: ISO: Fix defer tests being unstable\n\niso-tester defer tests seem to fail with hci_conn_hash_lookup_cig\nbeing unable to resolve a cig in set_cig_params_sync due a race\nwhere it is run immediatelly before hci_bind_cis is able to set\nthe QoS settings into the hci_conn object.\n\nSo this moves the assigning of the QoS settings to be done directly\nby hci_le_set_cig_params to prevent that from happening again.\n\nFixes: 26afbd826ee3 (\"Bluetooth: Add initial implementation of CIS connections\")\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "ef20d3012d9e4ee791b7da1f8fe70ed41d83305b", "tree": "a69df65713dd9e146130e225a9a3beb00a184c8b", "parents": [ "71099dd0c476441cab9f3f058ca64b07fc2e4833" ], "author": { "name": "Christian Eggers", "email": "ceggers@arri.de", "time": "Wed Feb 25 18:07:26 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:57:35 2026 -0400" }, "message": "Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS\n\nCore 6.0, Vol 3, Part A, 3.4.3:\n\"... If the payload size of any K-frame exceeds the receiver\u0027s MPS, the\nreceiver shall disconnect the channel...\"\n\nThis fixes L2CAP/LE/CFC/BV-27-C (running together with \u0027l2test -r -P\n0x0027 -V le_public -I 100\u0027).\n\nSigned-off-by: Christian Eggers \u003cceggers@arri.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\nTested-by: Christian Eggers \u003cceggers@arri.de\u003e\n" }, { "commit": "71099dd0c476441cab9f3f058ca64b07fc2e4833", "tree": "bee73c11f605d407a7c84cefece3ba29af9a4b11", "parents": [ "3a7e3a91d8f7a6195df4856e9ae502742db06c54" ], "author": { "name": "Christian Eggers", "email": "ceggers@arri.de", "time": "Wed Feb 25 18:07:28 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:57:17 2026 -0400" }, "message": "Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy\n\nThe last test step (\"Test with Invalid public key X and Y, all set to\n0\") expects to get an \"DHKEY check failed\" instead of \"unspecified\".\n\nFixes: 6d19628f539f (\"Bluetooth: SMP: Fail if remote and local public keys are identical\")\nSigned-off-by: Christian Eggers \u003cceggers@arri.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "3a7e3a91d8f7a6195df4856e9ae502742db06c54", "tree": "68e846122c827705e3b41072c1d059245dbff40e", "parents": [ "fa768fce4aae76c8ca66005c8b65f50bcda7d82c" ], "author": { "name": "Christian Eggers", "email": "ceggers@arri.de", "time": "Wed Feb 25 18:07:27 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:56:57 2026 -0400" }, "message": "Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU\n\nCore 6.0, Vol 3, Part A, 3.4.3:\n\"... If the sum of the payload sizes for the K-frames exceeds the\nspecified SDU length, the receiver shall disconnect the channel.\"\n\nThis fixes L2CAP/LE/CFC/BV-27-C (running together with \u0027l2test -r -P\n0x0027 -V le_public\u0027).\n\nFixes: aac23bf63659 (\"Bluetooth: Implement LE L2CAP reassembly\")\nSigned-off-by: Christian Eggers \u003cceggers@arri.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "fa768fce4aae76c8ca66005c8b65f50bcda7d82c", "tree": "592ba322dd02bef3fcbc061c215dd00246175648", "parents": [ "8a4870640d8f46b6da7709af2f2d4b65f7ff0ab4" ], "author": { "name": "Christian Eggers", "email": "ceggers@arri.de", "time": "Wed Feb 25 18:07:25 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:56:36 2026 -0400" }, "message": "Bluetooth: LE L2CAP: Disconnect if received packet\u0027s SDU exceeds IMTU\n\nCore 6.0, Vol 3, Part A, 3.4.3:\n\"If the SDU length field value exceeds the receiver\u0027s MTU, the receiver\nshall disconnect the channel...\"\n\nThis fixes L2CAP/LE/CFC/BV-26-C (running together with \u0027l2test -r -P\n0x0027 -V le_public -I 100\u0027).\n\nFixes: aac23bf63659 (\"Bluetooth: Implement LE L2CAP reassembly\")\nSigned-off-by: Christian Eggers \u003cceggers@arri.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "8a4870640d8f46b6da7709af2f2d4b65f7ff0ab4", "tree": "44599c49ee36758cb3a4e92c00bcb6e017edfbd1", "parents": [ "8741193d35054468cdd3e0f4e07d2b95400b8b6e" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:25 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:56:18 2026 -0400" }, "message": "Bluetooth: btmtk: add MT7902 SDIO support\n\nAdd MT7902 Bluetooth SDIO support by introducing chip data and\nregistering the device ID.\n\nRuntime PM is not yet supported by the driver, but normal operation\nis unaffected.\n\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "8741193d35054468cdd3e0f4e07d2b95400b8b6e", "tree": "179d67fda116f266f1d0332d6feabf94d07e183b", "parents": [ "b191f0195436f3efe8a1940da0f01e9083bd5470" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:24 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:55:58 2026 -0400" }, "message": "Bluetooth: btusb: Add new VID/PID 0e8d/1ede for MT7902\n\nAdd VID 0e8d \u0026 PID 1ede for MediaTek MT7902 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d05 Cnt\u003d02 Dev#\u003d 4 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0e8d ProdID\u003d1ede Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nI: If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nI:* If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nCo-developed-by: Bitterblue Smith \u003crtl8821cerfe2@gmail.com\u003e\nSigned-off-by: Bitterblue Smith \u003crtl8821cerfe2@gmail.com\u003e\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "b191f0195436f3efe8a1940da0f01e9083bd5470", "tree": "d92117fd9dfe3cd9bb7dbb1fbfe9156922ca3162", "parents": [ "0a6b6f43c88f3ffe5560a33127cba7eadcffca1d" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:23 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:55:37 2026 -0400" }, "message": "Bluetooth: btusb: Add new VID/PID 13d3/3596 for MT7902\n\nAdd VID 13d3 \u0026 PID 3596 for MediaTek MT7902 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d07 Lev\u003d01 Prnt\u003d01 Port\u003d00 Cnt\u003d01 Dev#\u003d 2 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d13d3 ProdID\u003d3596 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003d(none)\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nI: If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003d(none)\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nCo-developed-by: Kush Kulshrestha \u003ckush.kulshrestha.5@gmail.com\u003e\nSigned-off-by: Kush Kulshrestha \u003ckush.kulshrestha.5@gmail.com\u003e\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0a6b6f43c88f3ffe5560a33127cba7eadcffca1d", "tree": "f054a2be054c753901620879894e156e0c9ca033", "parents": [ "3ae21b1f375a3f027f7dad3def65458c06d60d9b" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:22 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:55:18 2026 -0400" }, "message": "Bluetooth: btusb: Add new VID/PID 13d3/3594 for MT7902\n\nAdd VID 13d3 \u0026 PID 3594 for MediaTek MT7902 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d03 Lev\u003d01 Prnt\u003d01 Port\u003d02 Cnt\u003d01 Dev#\u003d 3 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d13d3 ProdID\u003d3594 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nI:* If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003d(none)\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nI: If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003d(none)\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nCo-developed-by: Kush Kulshrestha \u003ckush.kulshrestha.5@gmail.com\u003e\nSigned-off-by: Kush Kulshrestha \u003ckush.kulshrestha.5@gmail.com\u003e\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "3ae21b1f375a3f027f7dad3def65458c06d60d9b", "tree": "efe30a62a41af70f1b262f9078038421409e8880", "parents": [ "0536a7c6cda10f0ca4a679dc50d53a0f8b319cde" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:21 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:54:58 2026 -0400" }, "message": "Bluetooth: btusb: Add new VID/PID 13d3/3580 for MT7902\n\nAdd VID 13d3 \u0026 PID 3580 for MediaTek MT7902 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d03 Lev\u003d01 Prnt\u003d01 Port\u003d02 Cnt\u003d01 Dev#\u003d 2 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d13d3 ProdID\u003d3580 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nI: If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nI:* If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nCo-developed-by: Kush Kulshrestha \u003ckush.kulshrestha.5@gmail.com\u003e\nSigned-off-by: Kush Kulshrestha \u003ckush.kulshrestha.5@gmail.com\u003e\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "0536a7c6cda10f0ca4a679dc50d53a0f8b319cde", "tree": "355c7ddd786fec9987659683869902ac49b6fd62", "parents": [ "094d67e7b3c43fbc57aad879f6cb6afb9e6291e0" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:20 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:54:37 2026 -0400" }, "message": "Bluetooth: btusb: Add new VID/PID 13d3/3579 for MT7902\n\nAdd VID 13d3 \u0026 PID 3579 for MediaTek MT7902 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d01 Lev\u003d01 Prnt\u003d01 Port\u003d09 Cnt\u003d04 Dev#\u003d 7 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d13d3 ProdID\u003d3579 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nI: If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nI:* If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "094d67e7b3c43fbc57aad879f6cb6afb9e6291e0", "tree": "522d6f9de9876a3fb2dbd1b35e927a3b8e894269", "parents": [ "7d122ed738dffeeb7957e34257a1c2d24149960b" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:19 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:54:17 2026 -0400" }, "message": "Bluetooth: btmtk: add MT7902 MCU support\n\nAdd MT7902 device ID and firmware filename to enable MCU firmware\nloading.\n\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "7d122ed738dffeeb7957e34257a1c2d24149960b", "tree": "024793345ebd677dbf88772a60d800ec1acb86e8", "parents": [ "c00e9ba07dcb702e0f53d9de4068c0b81a8655b3" ], "author": { "name": "Sean Wang", "email": "sean.wang@mediatek.com", "time": "Tue Feb 24 00:13:18 2026 -0600" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:54:00 2026 -0400" }, "message": "mmc: sdio: add MediaTek MT7902 SDIO device ID\n\nAdd SDIO device ID (0x790a) for MediaTek MT7902 to sdio_ids.h.\n\nAcked-by: Ulf Hansson \u003culf.hansson@linaro.org\u003e\nSigned-off-by: Sean Wang \u003csean.wang@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c00e9ba07dcb702e0f53d9de4068c0b81a8655b3", "tree": "5347bd20ea30edbc6763cb55c628643f41ab5ae6", "parents": [ "2c54e9bdb3e250b24a3ec007cc999a01f710c6b2" ], "author": { "name": "Thorsten Blum", "email": "thorsten.blum@linux.dev", "time": "Tue Feb 24 00:33:42 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:53:40 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Use struct_size to improve hci_drv_read_info\n\nUse struct_size(), which provides additional compile-time checks for\nstructures with flexible array members (e.g., __must_be_array()), to\ndetermine the allocation size for a new \u0027struct hci_drv_rp_read_info\u0027.\n\nSigned-off-by: Thorsten Blum \u003cthorsten.blum@linux.dev\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "2c54e9bdb3e250b24a3ec007cc999a01f710c6b2", "tree": "656b06f180361ad0642216b782e816b25f0476ec", "parents": [ "6371d6ab68ce9e377f20a8685ddca6d4010f72bf" ], "author": { "name": "Dylan Eray", "email": "dylan.eray6@gmail.com", "time": "Thu Feb 19 20:32:09 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:53:19 2026 -0400" }, "message": "Bluetooth: btusb: Add Lite-On 04ca:3807 for MediaTek MT7921\n\nAdd USB device ID (04ca:3807) for a Lite-On Wireless_Device containing\na MediaTek MT7921 (MT7920) Bluetooth chipset found in Acer laptops.\n\nWithout this entry, btusb binds via the generic USB class-based wildcard\nmatch but never sets the BTUSB_MEDIATEK flag. This means btmtk never\ntriggers firmware loading, and the driver sends a raw HCI Reset that\nthe uninitialized chip cannot respond to, resulting in:\n\n Bluetooth: hci0: Opcode 0x0c03 failed: -110\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below:\n\nT: Bus\u003d03 Lev\u003d01 Prnt\u003d01 Port\u003d09 Cnt\u003d01 Dev#\u003d5 Spd\u003d480 MxCh\u003d0\nP: Vendor\u003d04ca ProdID\u003d3807 Rev\u003d1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC: #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nI: If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nI: If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nI: If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003d(none)\n\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Dylan Eray \u003cdylan.eray6@gmail.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "6371d6ab68ce9e377f20a8685ddca6d4010f72bf", "tree": "3c71c659ea5215b5be18583cc8f5b88598bf4a9f", "parents": [ "a57a8e89885928bf359300aa81e7d066a6547a30" ], "author": { "name": "Thorsten Blum", "email": "thorsten.blum@linux.dev", "time": "Fri Feb 20 09:00:59 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:53:00 2026 -0400" }, "message": "Bluetooth: btintel_pcie: Replace snprintf(\"%s\") with strscpy\n\nReplace snprintf(\"%s\", ...) with the faster and more direct strscpy().\n\nSigned-off-by: Thorsten Blum \u003cthorsten.blum@linux.dev\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "a57a8e89885928bf359300aa81e7d066a6547a30", "tree": "de5c3995584e0c36d0e5f66339451abe96e33078", "parents": [ "f041f6ddc986f9eda4b75941b1befb21264c78e1" ], "author": { "name": "Hans de Goede", "email": "johannes.goede@oss.qualcomm.com", "time": "Thu Feb 12 15:17:21 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:52:41 2026 -0400" }, "message": "Bluetooth: hci_qca: Fix BT not getting powered-off on rmmod\n\nThe BT core skips calling the hci_dev\u0027s shutdown method when the HCI\nis unregistered. This means that qca_power_off() was not getting called\nleaving BT powered on.\n\nThis causes regulators / pwrseq providers to not get disabled which also\ncauses problem when re-loading the module because regulators and pwrseq\nproviders have an enablecount which now has never dropped to 0, causing\nthe BT to not get properly reset between rmmod and re-load which causes\ninitialization failure on the re-load.\n\nFix this by calling qca_power_off() from qca_close() when BT has not\nalready been powered off through a qca_hci_shutdown() call.\n\nhci_ldisc.c will call qca_close() after freeing the hdev, so this\nmeans that qca_power_off() can now no longer deref hu-\u003ehdev, change\nthe logging in qca_power_off() to no longer use hu-\u003ehdev.\n\nSigned-off-by: Hans de Goede \u003cjohannes.goede@oss.qualcomm.com\u003e\nReviewed-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "f041f6ddc986f9eda4b75941b1befb21264c78e1", "tree": "cee690eb2b5a0a6aa0e1787ae9ab6e8238a09583", "parents": [ "123220c0b2dbbde45d11161802c8910190b588a1" ], "author": { "name": "Hans de Goede", "email": "johannes.goede@oss.qualcomm.com", "time": "Thu Feb 12 15:17:20 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:52:21 2026 -0400" }, "message": "Bluetooth: hci_qca: Fix confusing shutdown() and power_off() naming\n\nThe function called qca_power_off() is actually the hci_dev shutdown\nhandler, rename it to qca_hci_shutdown() to make this clear.\n\nWhile the qca_power_shutdown() function is actually the counter-part\nof qca_power_on() rename it to qca_power_off() to make this clear.\n\nSigned-off-by: Hans de Goede \u003cjohannes.goede@oss.qualcomm.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nReviewed-by: Bartosz Golaszewski \u003cbartosz.golaszewski@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "123220c0b2dbbde45d11161802c8910190b588a1", "tree": "f3650e1f299f194b6766af04bb8762c215b666c0", "parents": [ "a72c9f23709a98c41f383f4756f114e7aa32f4e9" ], "author": { "name": "Marek Vasut", "email": "marex@nabladev.com", "time": "Mon Feb 09 18:11:48 2026 +0100" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:52:01 2026 -0400" }, "message": "Bluetooth: btbcm: Add entry for BCM4343A2 UART Bluetooth\n\nThis patch adds the device ID for the BCM4343A2 module, found e.g.\nin the muRata 1YN WiFi+BT combined device. The required firmware\nfile is named \u0027BCM4343A2.hcd\u0027.\n\nSigned-off-by: Marek Vasut \u003cmarex@nabladev.com\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "a72c9f23709a98c41f383f4756f114e7aa32f4e9", "tree": "e8ec31866f36543505bc64fed87001d3395beb58", "parents": [ "ef891390b96e2836440b42ae523f9aaa3b2cba0e" ], "author": { "name": "Vivek Sahu", "email": "vivek.sahu@oss.qualcomm.com", "time": "Tue Feb 10 17:31:01 2026 +0530" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:51:42 2026 -0400" }, "message": "Bluetooth: qca: Refactor code on the basis of chipset names\n\nWhenever new chipset support is added to the driver code,\nwe ended up adding chipset name to the last of the switch case\narising code readability issue because of improper sorting of\nthe chipset names in various places of the code.\n\nRefactor code such a way that new chipset can be added easily\nin the code without compromising code readability.\n\nSigned-off-by: Vivek Sahu \u003cvivek.sahu@oss.qualcomm.com\u003e\nReviewed-by: Dmitry Baryshkov \u003cdmitry.baryshkov@oss.qualcomm.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "ef891390b96e2836440b42ae523f9aaa3b2cba0e", "tree": "23c1eb40b074e6c323aa106fd79fc5eeb367ccbf", "parents": [ "27d69b605667af0ed6e7a492c498b9e800105cdc" ], "author": { "name": "Chris Lu", "email": "chris.lu@mediatek.com", "time": "Tue Feb 03 14:25:10 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:51:22 2026 -0400" }, "message": "Bluetooth: btmtk: Add reset mechanism if downloading firmware failed\n\nAdd a new flag \u0027BTMTK_FIRMWARE_DL_RETRY\u0027.\nIf an error occurs during mt79xx firmware download process, this flag\nwill be set and cleared after a reset. If the flag is already set and\nfirmware still cannot be loaded successfully after a reset, no further\nreset attempts will be made. In other words, if there is a problem during\nfirmware download, only one reset will be attempted.\n\nSigned-off-by: Chris Lu \u003cchris.lu@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "27d69b605667af0ed6e7a492c498b9e800105cdc", "tree": "8f742051e10ba7b2f47ac04c7600ae3622f86f52", "parents": [ "5df0e3c73f180179a80330912f5efdf1420e94bf" ], "author": { "name": "Chris Lu", "email": "chris.lu@mediatek.com", "time": "Tue Feb 03 14:25:09 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:51:02 2026 -0400" }, "message": "Bluetooth: btmtk: add status check in mt79xx firmware setup\n\nTo prevent abnormal controller states, it is necessary to check\nstatus in another part of the mt79xx firmware setup. During this\nprocess, receiving the \u0027BTMTK_WMT_PATCH_PROGRESS\u0027 status is unexpected.\nIf this occurs, it should be treated as an error, and driver must be\nprevented from continuing execution.\n\nSigned-off-by: Chris Lu \u003cchris.lu@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "5df0e3c73f180179a80330912f5efdf1420e94bf", "tree": "91e9c08cd2292cd2397dcbe43ad4a67cadb609ad", "parents": [ "c5fac7696fb275e83402eb8409649d121a16fa93" ], "author": { "name": "Chris Lu", "email": "chris.lu@mediatek.com", "time": "Tue Feb 03 14:25:08 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:50:41 2026 -0400" }, "message": "Bluetooth: btmtk: improve mt79xx firmware setup retry flow\n\nIf retries are exhausted, driver should not do futher operation.\nDuring mt79xx firmware download process, if the retry count reaches0,\ndriver will return an -EIO error and release the firmware resources.\n\nSigned-off-by: Chris Lu \u003cchris.lu@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "c5fac7696fb275e83402eb8409649d121a16fa93", "tree": "71fb1a25984a4584289f7223612ccfaebbbd4e1f", "parents": [ "06291f12fa498b47fceda31abed864ec19a2126e" ], "author": { "name": "Dongyang Jin", "email": "jindongyang@kylinos.cn", "time": "Tue Feb 03 15:10:48 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:50:23 2026 -0400" }, "message": "Bluetooth: btbcm: remove done label in btbcm_patchram\n\nThere is no point in having the label since all it does is return the\nvalue in the \u0027err\u0027 variable. Instead make every goto return directly\nand remove the label.\n\nSigned-off-by: Dongyang Jin \u003cjindongyang@kylinos.cn\u003e\nReviewed-by: Paul Menzel \u003cpmenzel@molgen.mpg.de\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "06291f12fa498b47fceda31abed864ec19a2126e", "tree": "d7390f052231f4a742879c8e56a57156333409d6", "parents": [ "4305792c40fc18cf7779403ede3c229e8ba6573d" ], "author": { "name": "Pauli Virtanen", "email": "pav@iki.fi", "time": "Tue Feb 03 21:57:21 2026 +0200" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:50:05 2026 -0400" }, "message": "Bluetooth: hci_core: Rate limit the logging of invalid ISO handle\n\nSome controller firmwares (eg for MT7925) continuously send invalid ISO\npacket, which result to \"ISO unknown handle\" error spam in logs. It\u0027s\nnot important to show all of them to the user.\n\nRate limit these ISO error messages, similarly as we do for SCO.\n\nSigned-off-by: Pauli Virtanen \u003cpav@iki.fi\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "4305792c40fc18cf7779403ede3c229e8ba6573d", "tree": "4803f934c9c672513cecf4ea21d31c00b943b1fe", "parents": [ "8e7adcf81564a3fe886a6270eea7558f063e5538" ], "author": { "name": "Chris Lu", "email": "chris.lu@mediatek.com", "time": "Fri Jan 30 14:13:56 2026 +0800" }, "committer": { "name": "Luiz Augusto von Dentz", "email": "luiz.von.dentz@intel.com", "time": "Thu Mar 12 13:46:05 2026 -0400" }, "message": "Bluetooth: btusb: MT7922: Add VID/PID 0489/e174\n\nAdd VID 0489 \u0026 PID e174 for MediaTek MT7922 USB Bluetooth chip.\n\nThe information in /sys/kernel/debug/usb/devices about the Bluetooth\ndevice is listed as the below.\n\nT: Bus\u003d06 Lev\u003d01 Prnt\u003d01 Port\u003d00 Cnt\u003d01 Dev#\u003d 2 Spd\u003d480 MxCh\u003d 0\nD: Ver\u003d 2.10 Cls\u003def(misc ) Sub\u003d02 Prot\u003d01 MxPS\u003d64 #Cfgs\u003d 1\nP: Vendor\u003d0489 ProdID\u003de174 Rev\u003d 1.00\nS: Manufacturer\u003dMediaTek Inc.\nS: Product\u003dWireless_Device\nS: SerialNumber\u003d000000000\nC:* #Ifs\u003d 3 Cfg#\u003d 1 Atr\u003de0 MxPwr\u003d100mA\nA: FirstIf#\u003d 0 IfCount\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01\nI:* If#\u003d 0 Alt\u003d 0 #EPs\u003d 3 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d81(I) Atr\u003d03(Int.) MxPS\u003d 16 Ivl\u003d125us\nE: Ad\u003d82(I) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nE: Ad\u003d02(O) Atr\u003d02(Bulk) MxPS\u003d 512 Ivl\u003d0ms\nI:* If#\u003d 1 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 0 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 9 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 2 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 17 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 3 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 25 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 4 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 33 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 5 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 49 Ivl\u003d1ms\nI: If#\u003d 1 Alt\u003d 6 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d83(I) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nE: Ad\u003d03(O) Atr\u003d01(Isoc) MxPS\u003d 63 Ivl\u003d1ms\nI: If#\u003d 2 Alt\u003d 0 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 64 Ivl\u003d125us\nI:* If#\u003d 2 Alt\u003d 1 #EPs\u003d 2 Cls\u003de0(wlcon) Sub\u003d01 Prot\u003d01 Driver\u003dbtusb\nE: Ad\u003d8a(I) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\nE: Ad\u003d0a(O) Atr\u003d03(Int.) MxPS\u003d 512 Ivl\u003d125us\n\nSigned-off-by: Chris Lu \u003cchris.lu@mediatek.com\u003e\nSigned-off-by: Luiz Augusto von Dentz \u003cluiz.von.dentz@intel.com\u003e\n" }, { "commit": "8e7adcf81564a3fe886a6270eea7558f063e5538", "tree": "cc0ef03f167ae61e3ee4513ca8177907574d65a8", "parents": [ "6f459eda8b60382efa0da2ca025c26a2018adc87" ], "author": { "name": "MD Danish Anwar", "email": "danishanwar@ti.com", "time": "Tue Mar 10 18:50:35 2026 +0530" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 12 13:30:03 2026 +0100" }, "message": "net: ti: icssg: Fix wrong macro used in RX classifier configuration\n\nThe RX_CLASS_OR_REG macro is being used with RX_CLASS_OR_EN parameter\nwhen writing to the AND enable register. This should use RX_CLASS_AND_EN\ninstead to properly configure the classifier AND enable register.\n\nFix this by using the correct RX_CLASS_AND_EN macro parameter for\nRX_CLASS_OR_REG when configuring the PTP duplicate and HSR tag\nclassifiers.\n\nFixes: f56438a74d88 (\"net: ti: icssg: Add HSR/PRP protocol frame filtering\")\nSigned-off-by: MD Danish Anwar \u003cdanishanwar@ti.com\u003e\nLink: https://patch.msgid.link/20260310132035.1299787-1-danishanwar@ti.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "6f459eda8b60382efa0da2ca025c26a2018adc87", "tree": "7b41e552f198f061413c3a28fe33b4d80bdac215", "parents": [ "4320f1f111c587b8c6c9abc06f43e25bc10b670c" ], "author": { "name": "Eric Dumazet", "email": "edumazet@google.com", "time": "Tue Mar 10 12:44:51 2026 +0000" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 12 13:22:03 2026 +0100" }, "message": "tcp: add tcp_release_cb_cond() helper\n\nMajority of tcp_release_cb() calls do nothing at all.\n\nProvide tcp_release_cb_cond() helper so that release_sock()\ncan avoid these calls.\n\nAlso hint the compiler that __release_sock() and wake_up()\nare rarely called.\n\n$ scripts/bloat-o-meter -t vmlinux.old vmlinux.new\nadd/remove: 0/0 grow/shrink: 0/1 up/down: 0/-77 (-77)\nFunction old new delta\nrelease_sock 258 181 -77\nTotal: Before\u003d25235790, After\u003d25235713, chg -0.00%\n\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@google.com\u003e\nLink: https://patch.msgid.link/20260310124451.2280968-1-edumazet@google.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "4320f1f111c587b8c6c9abc06f43e25bc10b670c", "tree": "e12fb5db692389490f9478f5007ddb4756167336", "parents": [ "52e4d5da6db788c3abc5bbb0e044e761b3540a30" ], "author": { "name": "Wojciech Slenska", "email": "wojciech.slenska@gmail.com", "time": "Tue Mar 10 12:22:30 2026 +0100" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 12 12:28:11 2026 +0100" }, "message": "dt-bindings: net: qcom,ipa: document qcm2290 compatible\n\nDocument that ipa on qcm2290 uses version 4.2, the same\nas sc7180.\n\nAcked-by: Krzysztof Kozlowski \u003ckrzk@kernel.org\u003e\nSigned-off-by: Wojciech Slenska \u003cwojciech.slenska@gmail.com\u003e\nLink: https://patch.msgid.link/20260310112309.79261-2-wojciech.slenska@gmail.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "52e4d5da6db788c3abc5bbb0e044e761b3540a30", "tree": "fa85034d35df564a9223c7337f2b40fe2dceb3a6", "parents": [ "0de607dc4fd80ede3b2a35e8a72f99c7a0bbc321", "00608d02ddf04b49c14801f4b0581b1b937bc766" ], "author": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 12 12:13:50 2026 +0100" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 12 12:13:50 2026 +0100" }, "message": "Merge branch \u0027net-hinic3-pf-initialization\u0027\n\nFan Gong says:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nnet: hinic3: PF initialization\n\nThis is [2/3] part of hinic3 Ethernet driver second submission.\nWith this patch hinic3 becomes a complete Ethernet driver with\npf and vf.\n\nAdd cmdq detailed-response interfaces.\nAdd dump interfaces for cmdq, aeq, ceq and mailbox.\nAdd msg_send_lock for message sending concurrency.\nAdd PF device support and chip_present_flag to check cards.\nAdd rx vlan offload support.\nAdd PF FLR wait and timeout handling.\nAdd 5 ethtool ops for information of driver and link.\n\nv1: https://lore.kernel.org/netdev/cover.1771916043.git.zhuyikai1@h-partners.com/\nv2: https://lore.kernel.org/netdev/cover.1772697509.git.zhuyikai1@h-partners.com/\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nLink: https://patch.msgid.link/cover.1773062356.git.zhuyikai1@h-partners.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" }, { "commit": "00608d02ddf04b49c14801f4b0581b1b937bc766", "tree": "fa85034d35df564a9223c7337f2b40fe2dceb3a6", "parents": [ "330adcedd0035414b138635fd6b5f61f00cf419f" ], "author": { "name": "Fan Gong", "email": "gongfan1@huawei.com", "time": "Tue Mar 10 09:04:57 2026 +0800" }, "committer": { "name": "Paolo Abeni", "email": "pabeni@redhat.com", "time": "Thu Mar 12 12:13:48 2026 +0100" }, "message": "hinic3: Add ethtool basic ops\n\nImplement following ethtool callback function:\n.get_link_ksettings\n.get_drvinfo\n.get_msglevel\n.set_msglevel\n.get_link\n\n These callbacks allow users to utilize ethtool for detailed\nnetwork configuration and monitoring.\n\nCo-developed-by: Zhu Yikai \u003czhuyikai1@h-partners.com\u003e\nSigned-off-by: Zhu Yikai \u003czhuyikai1@h-partners.com\u003e\nSigned-off-by: Fan Gong \u003cgongfan1@huawei.com\u003e\nLink: https://patch.msgid.link/b56d490c2a06cae9541a0297d76b11d869f37161.1773062356.git.zhuyikai1@h-partners.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n" } ], "next": "330adcedd0035414b138635fd6b5f61f00cf419f" }