linux-bluetooth Weekly Report - Week 19

11 May 2026

Total messages: 182 (130 human, 52 CI/bot)

Note: Of the 182 messages, 130 are human-generated, 52 are CI/bot (bluez.test.bot 20, BluezTestBot 16, patchwork-bot+bluetooth 9, github-actions[bot] 3, prathibhamadugonde 1, Sasha Levin 1, kernel test robot 1, bugzilla-daemon 1).


Summary

A productive week centered on security fixes, build system modernization, and kernel Bluetooth hardening. Martin Brodeur rapidly iterated on the SDP signed integer underflow fix (v1-v3, all pushed the same day) following last week’s 8.1 HIGH security disclosure. Bastien Nocera was the most prolific contributor (23 messages) with the major meson build system v10 (16-patch series), cleanup variable attribute helpers (v1-v3), and an mpris-proxy crash fix (pushed). Manivannan Sadhasivam (18 messages) posted PCI M.2 power sequencing v2 (9 patches) with active review from Bartosz Golaszewski. Luiz Augusto von Dentz (17 messages) posted the Short Connection Interval feature (v1-v4), fixed an L2CAP ecred_conn_rsp crash, and pushed numerous patches to master. Breno Leitao contributed the getsockopt_iter conversion series (7 patches, converting the remaining Bluetooth socket families). Jann Horn (Google) posted accept_q serialize v4 (applied to bluetooth-next), and Siwei Zhang iterated on the L2CAP UAF in l2cap_sock_new_connection_cb (v1-v4). The GIT PULL bluetooth 2026-05-06 was merged, and a Linux 7.1-rc3 Bluetooth regression was reported.


Key Patch Series & Discussions

Kernel Patches

Topic | From | Affiliation | Patches | Status/Notes
[PATCH v4] Bluetooth: serialize accept_q access | Jann Horn / Ren Wei | Google / Independent | 1 | v4 (May 6); applied to bluetooth-next; serializes accept_q access to fix UAF in bt_accept_poll
[PATCH v1-v4 0/1] Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_new_connection_cb() | Siwei Zhang | Independent | 1 (4 revisions) | v1 (May 11) through v4 RESEND (May 11); L2CAP socket UAF fix; Luiz reviewed
[PATCH] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer | Michael Bommarito | Independent | 1 | May 11; applied to bluetooth-next; fixes sending stack pointer instead of packed PDU
[PATCH v1-v4 1/2] Bluetooth: HCI: Add initial support for Short Connection Interval feature | Luiz Augusto von Dentz | Intel | 2 (4 revisions) | v1 (May 5) through v4 (May 7); new Short Connection Interval HCI support
[PATCH] Bluetooth: L2CAP: avoid using hci_conn after dropping hold | Cen Zhang | Independent | 1 | May 6; avoids hci_conn use-after-free in L2CAP
[PATCH net-next 0/7] net: convert remaining bluetooth socket families to getsockopt_iter | Breno Leitao | Meta/Debian | 7 | May 11; converts RFCOMM, BNEP, SCO, ISO, HCI to getsockopt_iter; reviewed by Jakub Kicinski
[PATCH v1] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp | Luiz Augusto von Dentz | Intel | 1 | May 11; fixes crash in enhanced credit connection response
[PATCH v2 0/9] Fixes/improvements for the PCI M.2 power sequencing driver | Manivannan Sadhasivam | Qualcomm | 9 | v2 (May 7); PCI M.2 Bluetooth power sequencing improvements; reviewed by Bartosz Golaszewski, Daniel Golle
[PATCH v2 0/8] Support for block device NVMEM providers | Loic Poulain | Qualcomm | 8 | v2 (May 7); cross-subsystem block NVMEM providers; reviewed by Bartosz Golaszewski, Daniel Golle, Manivannan Sadhasivam
[PATCH] Bluetooth: btmtk: handle FUNC_CTRL events without status field | Tristan Madani | Independent | 1 | May 9; applied to bluetooth-next; handles short WMT FUNC_CTRL events
[PATCH] Bluetooth: btusb: Add new VID/PID 0x0489/0xe156 for MT7902 | Sean Wang | MediaTek | 1 | May 4; new MT7902 device ID
[RFC PATCH] Bluetooth: fix Set Public Address on controller in HCI_AUTO_OFF grace period | Dan Klishch | Independent | 1 | May 4; continued from W18
[PATCH v1] bluetooth: btintel: Add Bluetooth SAR revision 2 support | Kiran K | Intel | 1 | May 4; continued from W18
[PATCH] Bluetooth: HIDP: guard session->conn in hidp_connection_del | Michael Bommarito | Independent | 1 | Applied to bluetooth-next (patchwork May 4); HIDP UAF guard
[PATCH] Bluetooth: hci_bcm4377: Use named initializers for pci_device_id array | Uwe Kleine-König | BayLibre | 1 | May 4; cleanup patch
[PATCH] Bluetooth: ath3k: add missing blank line after declarations | Lucas Poupeau | Independent | 1 | May 4; style cleanup
[PATCH v5] Bluetooth: l2cap: defer conn param update |  |  | 1 | Continued discussion (May 5); Luiz reviewed
[PATCH v3] Bluetooth: 6lowpan: Fix peer and channel lifetime during teardown | Zhang Cen | Independent | 1 (3 revisions) | May 11; v1-v3 same day; 6lowpan peer cleanup race fix
[PATCH] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() | Zhang Cen | Independent | 1 | May 9; RFCOMM listener socket hold fix
[PATCH] Bluetooth: mgmt: validate advertising TLV envelopes before parsing | Zhang Cen | Independent | 1 | May 9; advertising TLV validation
[PATCH] Bluetooth: virtio_bt: fix potential memory leak in virtbt_probe() | Nihaal | IIT Madras | 1 | May 8; virtio_bt memory leak fix
[PATCH] Bluetooth: btintel_pcie: fix stale cache in set_dxstate fallback check | Vladimir Kondratyev | Independent | 1 | May 7; btintel_pcie stale cache fix
[PATCH] Bluetooth: hci_uart: serialize close flush with write_work | Wuyankun | UnionTech | 1 | May 9; hci_uart race fix
[PATCH 1/4] Bluetooth: hci_sync: pin conn across hci_le_create_conn_sync |  |  | 4 | May 11; pins connection across LE connection sync
[PATCH] Bluetooth: btmtk: set HCI_QUIRK_BROKEN_ENHANCED_SETUP_SYNC_CONN for MT6639 | Silviu Sandulache | Independent | 1 | May 11; MT6639 quirk
[PATCH v6] Bluetooth: hci_qca: Convert timeout from jiffies to ms |  |  | 1 | Applied to bluetooth-next; continued from W14-W18
[PATCH v1 0/6] sdio: About pointers in sdio_device_id::driver_data | Uwe Kleine-König | BayLibre | 6 | May 11; sdio driver_data pointer cleanup

BlueZ Userspace Patches

Topic | From | Affiliation | Patches | Status/Notes
[BlueZ v10 00/16] Add meson build system and HTML docs | Bastien Nocera | Red Hat | 16 | v10 (May 5); major meson build system addition with HTML documentation generation
[BlueZ v1-v3 0/5] Add helper for “cleanup” variable attribute | Bastien Nocera | Red Hat | 5 (3 revisions) | v1 (May 6) through v3 (May 11); GCC/Clang cleanup attribute helpers
[PATCH BlueZ v1-v3] sdp: fix overflow in sdp_extract_seqtype() | Martin Brodeur | Fluent Logic | 1 (3 revisions) | v1-v3 all May 4; pushed same day; fixes 8.1 HIGH SDP signed integer underflow
[BlueZ v2 1/2] mpris-proxy: Fix possible crash | Bastien Nocera | Red Hat | 2 | v2 (May 5); pushed to master
[PATCH BlueZ v1 1/3] tools/tester: Fix crash when hciemu_new fails | Luiz Augusto von Dentz | Intel | 3 | May 6; pushed to master; fixes tester crash on hciemu initialization failure
[PATCH BlueZ] bap: Fix typo in QoS D-Bus dictionary entry names | Thomas Kirschner | Independent | 1 | May 6; pushed to master
[PATCH BlueZ] client/btpclient: Add BTP_EV_GAP_SEC_LEVEL_CHANGED support | Luiz Augusto von Dentz | Intel | 1 | May 7; pushed to master; btpclient security level event support
[PATCH BlueZ v1-v3] monitor: Add parsing of CS step mode data in RAS Notifications | Prathibha Madugonde | Qualcomm | 1 (3 revisions) | v1-v3 (May 7-8); pushed to master
[RFC PATCH BlueZ] monitor: Fix RAS CS step mode parsing issues | Luiz Augusto von Dentz | Intel | 1 | May 8; pushed to master; fixes issues in RAS CS step mode parsing
[PATCH BlueZ 0/1] bap: Handle CIS loss during streaming | raghu447 | Collabora | 1 | May 11; handles CIS disconnection while in streaming state
[BlueZ 1/3] mesh: Remove unused but set variable | Bastien Nocera | Red Hat | 3 | May 11; cleanup patches
[PATCH BlueZ] adapter: add BCAA UUID also when seen device is not discoverable | Pav | Independent | 1 | May 11; pushed to master
Patch: support libical 4.0 | Bastien Nocera | Red Hat | 1 | May 11; libical 4.0 API compatibility

Discussions & Bug Reports

Topic | From | Notes
[SECURITY] BlueZ sdp.c signed integer underflow (8.1 HIGH) | Martin Brodeur | May 4; continued from W18 disclosure; rapid fix iteration (v1-v3) and push same day
Bluetooth: RFCOMM: missing sock_hold() in rfcomm_get_sock_by_channel() | y2k | May 8; RFCOMM socket reference counting bug report
Bluetooth: L2CAP: missing NULL guard in remaining l2cap_chan_ops callbacks | y2k | May 8; L2CAP channel ops NULL guard analysis
Bug 221449 Wireless gamepad stopped working through Bluetooth | bugzilla-daemon | New (May 6); gamepad regression
Bug 221481 btintel_pcie: suspend fails with -EBUSY on Intel Lunar Lake (s2idle) | bugzilla-daemon | New (May 7); Intel Lunar Lake btintel_pcie suspend regression
Linux 7.1-rc3 regression (Bluetooth) | Thorsten Leemhuis | May 11; 7.1-rc3 Bluetooth regression report
[syzbot] WARNING in l2cap_send_conn_req | syzbot | May 6; L2CAP connection request warning
bluetooth hci0: Direct firmware load for rtl_bt/rtl8761a_config.bin failed | Zenm Chen | May 5; Realtek firmware loading failure
[PATCH BlueZ 0/1] btmon/TDS: decode org 0x02 as Wi-Fi Alliance | Paul Menzel | MPG; May 9; review of btmon Wi-Fi Alliance decoding

Top Contributors (by message count)

Contributor | Affiliation | Messages
Bastien Nocera | Red Hat | 23
Manivannan Sadhasivam | Qualcomm | 18
Luiz Augusto von Dentz | Intel | 17
Martin Brodeur | Fluent Logic | 11
Breno Leitao | Meta/Debian | 10
Loic Poulain | Qualcomm | 8
Siwei Zhang | Independent | 6
Bartosz Golaszewski | Linaro | 4
Zhang Cen | Independent | 4
Sean Wang | MediaTek | 2
raghu447 (Raghavendra Rao) | Collabora | 2
Mikhail Gavrilov | Independent | 2
Daniel Golle | Independent | 2

Merged to master (BlueZ & bluetooth-next)

Applied to bluetooth-next (kernel, via patchwork notifications)

Pushed to bluez/bluez master


Company Focus Areas

Intel

Luiz Augusto von Dentz contributed 17 messages: he posted the Short Connection Interval feature (v1-v4, a 2-patch series adding new HCI feature support), fixed a crash in l2cap_ecred_conn_rsp, fixed RAS CS step mode parsing, and pushed the hciemu crash fix, the tools/tester crash fix, btpclient SEC_LEVEL support, and monitor features 6.2. He also reviewed multiple patches, including the L2CAP UAF fix series. Kiran K continued the btintel SAR revision 2 work.

Red Hat

Bastien Nocera was the most prolific contributor (23 messages): posted the meson build system v10 (16-patch series — the single largest patch series this week), cleanup variable attribute helpers (v1-v3, 5 patches), mpris-proxy crash fix v2 (pushed), mesh unused variable cleanup (pushed), MIN/MAX macro removal (pushed), and libical 4.0 support.

Qualcomm

Manivannan Sadhasivam contributed 18 messages with the PCI M.2 power sequencing v2 (9 patches, actively reviewed by Bartosz Golaszewski and Daniel Golle). Loic Poulain contributed 8 messages with block device NVMEM providers v2 (8 patches, cross-subsystem). Prathibha Madugonde posted RAS CS step mode parsing (v1-v3, pushed). Wei Deng contributed 1 review message.

Fluent Logic

Martin Brodeur contributed 11 messages: rapidly iterated on the SDP overflow fix (v1-v3, all pushed same day) addressing the 8.1 HIGH SDP signed integer underflow vulnerability disclosed in W18.

Meta/Debian

Breno Leitao contributed 10 messages with the getsockopt_iter conversion series (7 patches converting RFCOMM, BNEP, SCO, ISO, HCI to the new getsockopt_iter API). Reviewed by Jakub Kicinski.

Collabora

raghu447 (Raghavendra Rao) contributed 2 messages with bap: Handle CIS loss during streaming (pushed to master). Frédéric Danis contributed 1 message.

Linaro

Bartosz Golaszewski contributed 4 review messages on the PCI M.2 power sequencing and block NVMEM series.

MediaTek

Sean Wang posted the MT7902 VID/PID addition (2 messages).

Google

Jann Horn posted accept_q serialize v4 (applied to bluetooth-next, 1 message).

BayLibre

Uwe Kleine-König contributed 1 message: hci_bcm4377 named initializers and sdio driver_data pointer cleanup.

Independent Contributors

Siwei Zhang iterated on the L2CAP UAF in l2cap_sock_new_connection_cb (v1-v4, 6 messages). Michael Bommarito had two patches applied: the HIDP session->conn guard and the ecred_reconfigure PDU fix. Zhang Cen posted 4 messages: the 6lowpan peer lifetime fix (v1-v3), the RFCOMM listener hold, and mgmt TLV validation. y2k (desarrollaria.com) reported RFCOMM sock_hold and L2CAP NULL guard issues. Dan Klishch continued the Set Public Address RFC. Other contributors: Tristan Madani (btmtk FUNC_CTRL, applied), Thomas Kirschner (bap typo, pushed), Ren Wei (accept_q, applied), Lucas Poupeau (ath3k cleanup), Vladimir Kondratyev (btintel_pcie fix), Conor Kotwasinski (sysfs), Pav (adapter BCAA UUID, pushed), Preston Hunt (btmon Wi-Fi Alliance, pushed).


  1. Rapid SDP vulnerability response: Martin Brodeur’s SDP overflow fix went from v1 to v3 and was pushed to master within a single day (May 4), demonstrating fast turnaround on the 8.1 HIGH severity vulnerability disclosed in W18.

  2. Meson build system reaches v10: Bastien Nocera’s 16-patch meson build series continues to mature, representing the largest single patch series this week and a significant infrastructure modernization effort for BlueZ.

  3. Intensive security hardening across L2CAP/socket layer: Multiple independent security fixes landed this week: accept_q serialization (Jann Horn, applied), HIDP UAF guard (applied), ecred_reconfigure PDU fix (applied), and ongoing L2CAP UAF iteration (Siwei Zhang, v1-v4). The Bluetooth socket layer is receiving significant security scrutiny.

  4. getsockopt_iter API modernization: Breno Leitao’s 7-patch series converts remaining Bluetooth socket families (RFCOMM, BNEP, SCO, ISO, HCI) to the modern getsockopt_iter API, continuing the net-next socket API unification effort.

  5. PCI M.2 power sequencing evolving: Manivannan Sadhasivam’s v2 series (9 patches) received active cross-company review from Bartosz Golaszewski (Linaro) and Daniel Golle, reflecting broad industry interest in standardized M.2 Bluetooth power management.

  6. btintel_pcie issues continue: A new Bug 221481 reports btintel_pcie suspend failing with -EBUSY on Intel Lunar Lake, adding to the growing list of btintel_pcie issues. Vladimir Kondratyev posted a stale cache fix.

  7. 7.1-rc3 Bluetooth regression reported: A regression report from Thorsten Leemhuis flags Bluetooth issues in the 7.1-rc3 kernel release cycle.