@PavelVPV
Contributor

No description provided.

Thalley and others added 30 commits November 13, 2025 22:06
When we reconnect to a bonded device we always attempted to
send the changed PACS notifications, regardless of
whether the remote device has subscribed to them or not.

This resulted in a lot of failed attempts to send
notifications when
CONFIG_BT_GATT_ENFORCE_SUBSCRIPTION is enabled (which it is
by default).

Ideally we would not set the flags for devices that have not
subscribed, but since we cannot call bt_gatt_is_subscribed for
non-connected devices, we need to do this when the notify_cb
is called.

It would be possible to use BT_GATT_CCC_MANAGED instead
of BT_AUDIO_CCC to keep track of the writes for each client,
but that would be a minor optimization which would require
significant rework and additions to PACS. The current
solution is inspired by the implementation used in has.c

Signed-off-by: Emil Gydesen <[email protected]>
- Implemented fragmented packet handling for AVCTP protocol
- Refactored AVCTP header structure to support multiple packet types
- Enhanced AVCTP send logic with packet segmentation support
- Updated AVRCP integration to support new AVCTP fragmented flow

Signed-off-by: Make Shi <[email protected]>
Add a new callback to support the situation when a subunit info command
is received, and add an API to respond to the subunit info command.

Signed-off-by: Make Shi <[email protected]>
Add avrcp_subunit_info_req callback function in shell and a command to set
the subunit info response.

Signed-off-by: Make Shi <[email protected]>
Add a new callback to support the situation when a Pass Through command
is received, and add an API to respond to the Pass Through command.

Signed-off-by: Make Shi <[email protected]>
Add a callback function in shell and a new command for AVRCP TG
passthrough support

Signed-off-by: Make Shi <[email protected]>
Disconnect the L2CAP connection when sending an error response
(unit info, subunit info, or passthrough) fails.

Signed-off-by: Make Shi <[email protected]>
bt_hci_bus enumeration is not used anymore.
This commit deprecates it.

Signed-off-by: Ioannis Damigos <[email protected]>
use bt_a2dp_stream_create_pdu to create the stream pdu net buf, then
application can use the buf->len to check whether the buf's size exceeds
the l2cap mtu.

Signed-off-by: Mark Wang <[email protected]>
The reconfig's configuration is not saved to stream, fix it.

Signed-off-by: Mark Wang <[email protected]>
Remove lookups in the Scan Delegator that relate to
the advertiser address. The reason for this is that the
address is not considered a unique value for receive states,
since the address may change over time in the case of (N)RPAs.
Instead we shall rely exclusively on the address type, the sid
and the broadcast ID.

The implementation of the Scan Delegator and Broadcast Sink
has been updated to not use addresses for lookups anymore,
and there has been a minor API modification to set the
PA sync state as part of bt_bap_scan_delegator_add_src
as the higher layers are better suited to handle the
PA Sync state.

Signed-off-by: Emil Gydesen <[email protected]>
The Scan Delegator has been modified to not set the PA sync state
automatically anymore, so the test needed to be updated.

Signed-off-by: Emil Gydesen <[email protected]>
add did profile codes

Signed-off-by: Kai Cheng <[email protected]>
In the SDP specification, the `MaximumAttributeByteCount` of SA and
SSA should be in the range 0x0007-0xffff. But in the current
implementation, this value is not checked on either the SDP server or
the client side.

Check the `MaximumAttributeByteCount` when receiving the SA or SSA
request on SDP server side.

Check the tail room of the receiving buffer before sending the SA or
SSA request on SDP client side.

Signed-off-by: Lyle Zhu <[email protected]>
The minimum receiving buffer size is 0x0007. The following SDP
discovery should not be started if the space of the receiving buffer
is less than 0x0007.

If there is no more space of the receiving buffer for the next SDP SSA
discovery, try to notify the upper layer with the partial resolved.

Signed-off-by: Lyle Zhu <[email protected]>
In the partial resolved notification case, there is a case where the
tail room of the newly allocated buffer is not bigger than the tail
room of the current receiving buffer. Since the newly allocated buffer
has the same size as the current receiving buffer, it means a complete
SDP record cannot fit into the allocated buffer. In this case, the
following SDP discovery should be stopped.

In the partial resolved notification case, if the tail room of the
newly allocated buffer is not more than the tail room of the current
receiving buffer, report the error `-ENOMEM` and stop the following
SDP discovery.

Signed-off-by: Lyle Zhu <[email protected]>
Add service id BTP_SERVICE_ID_SDP=0x1f for SDP.

Implement function `tester_init_sdp` and `tester_unregister_sdp`.

Signed-off-by: Lyle Zhu <[email protected]>
Add commands `BTP_SDP_SEARCH_REQ`, `BTP_SDP_ATTR_REQ`, and
`BTP_SDP_SEARCH_ATTR_REQ`.

Add service record handle report event
`BTP_SDP_EV_SERVICE_RECORD_HANDLE`.

Handle the commands and call function `bt_sdp_discover()` to start the
SDP discovery.

And report the discovered service record handle if the request type is
`BTP_SDP_SEARCH_REQ`.

Signed-off-by: Lyle Zhu <[email protected]>
Move Bluetooth Assigned Numbers to own header file to separate them from
core GAP functionality.

Signed-off-by: Pavel Vasilyev <[email protected]>
Move assigned number for audio from audio.h to assigned_numbers.h where
all assigned numbers are located.

Signed-off-by: Pavel Vasilyev <[email protected]>
Move assigned number for mesh from mesh.h to assigned_numbers.h where
all assigned numbers are located.

Signed-off-by: Pavel Vasilyev <[email protected]>
When the role is server and the application tries to get the chan by
psm, it fails because the chan does not store the psm.

Signed-off-by: Cheng Chang <[email protected]>
Add one Kconfig `BT_L2CAP_RX_FLUSH_TO` to configure the minimum L2CAP RX
flush timeout accepted during processing peer's l2cap flush timeout
configuration.

Signed-off-by: Mark Wang <[email protected]>
Some headsets reply conf_rsp with flush timeout (0xFFFF) even if conf_req
doesn't configure the flush timeout; the stack should accept it.

Signed-off-by: Mark Wang <[email protected]>
This function logically belongs to gatt.c as it is GATT API.

Signed-off-by: Pavel Vasilyev <[email protected]>
This gives some extra information on what could be a reason
for SMP timeout.

Signed-off-by: Szymon Janc <[email protected]>
In bt_conn_unref(), a local variable is used as atomic target:

    atomic_val_t old = atomic_dec(&conn->ref);
    /* Prevent from accessing connection object */
    bool deallocated = (atomic_get(&old) == 1);

Using atomic_get() to access a non-shared local variable
cannot prevent any data race on that variable,
and only causes confusion.

Moreover, this call to atomic_get() is incorrect: the API expects
an atomic_t* argument (target), not an atomic_val_t* (value).
This compiles and /works/ only because Zephyr defines both to be
the same integer type, and thus: atomic_get(&old) == old.
The equivalent C11 code, where _Atomic(T) and T are different types,
wouldn't compile.

Signed-off-by: Christophe Dufaza <[email protected]>
An assertion in bt_conn_unref() accesses the connection's state
after decrementing its reference count.
This is not consistent since, if we removed the last reference,
the Bluetooth Host stack may reuse the connection object
before the assertion is checked.
Instead, retrieve the connection property tested by the assertion
before decrementing the counter, as we do for other properties.

Simplify the code path by returning early when we did not remove
the last reference.

Remind that automatic advertiser resumption is deprecated.

Signed-off-by: Christophe Dufaza <[email protected]>
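The two bt_conn_unref() commit messages above describe a release pattern that can be shown in portable C11. This is an added example, not code from this pull request or from Zephyr: `struct conn`, `conn_new()`, `conn_ref()`, `conn_unref()` and the two-slot pool are hypothetical stand-ins. It reads the needed property before the decrement, treats the value returned by the atomic decrement as a plain integer, and returns early when the last reference was not dropped.

```c
#include <stdatomic.h>
#include <stddef.h>

#define POOL_SIZE 2
#define NOT_LAST  (-1)

/* Hypothetical pooled object standing in for a connection slot. */
struct conn {
    atomic_int ref;  /* 0 means the slot is free and may be claimed */
    int type;        /* a property the release path still needs */
};

static struct conn pool[POOL_SIZE];

/* Claim a free slot. Any slot whose counter is 0 can be taken at once,
 * which is why nothing may touch an object after its last unref. */
struct conn *conn_new(int type)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        int expected = 0;

        if (atomic_compare_exchange_strong(&pool[i].ref, &expected, 1)) {
            pool[i].type = type;
            return &pool[i];
        }
    }
    return NULL;
}

struct conn *conn_ref(struct conn *c)
{
    atomic_fetch_add(&c->ref, 1);
    return c;
}

/* Returns the type of the released object when this call dropped the
 * last reference, NOT_LAST otherwise. */
int conn_unref(struct conn *c)
{
    /* Read every property needed later while a reference is still held. */
    int type = c->type;

    /* The previous count comes back as a plain int; only c->ref itself
     * is shared, so no atomic load is needed (or valid) on 'old'. */
    int old = atomic_fetch_sub(&c->ref, 1);

    if (old != 1) {
        return NOT_LAST;
    }

    /* The slot may already belong to a new owner: do not dereference c. */
    return type;
}

int main(void)
{
    struct conn *a = conn_new(1);

    conn_ref(a);
    return (conn_unref(a) == NOT_LAST && conn_unref(a) == 1) ? 0 : 1;
}
```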
The API documentation for the recycled() callback predates [1],
and still warns users to "treat this callback as an ISR",
although it now runs on the system workqueue thread,
as does disconnected().
"Making Bluetooth API calls" to "re-start connectable advertising or
scanning" should no longer be "strongly discouraged".

On the contrary, we can emphasize that this is the right event
to listen for to initiate operations that will try to re-allocate
a freed connection object.

Mention that BT_MAX_CONN configures the size of the connection pool.

Refs:
- [1] efb5d83: Bluetooth: Host: Defer `conn.recycled()` to the syswq

Signed-off-by: Christophe Dufaza <[email protected]>
The API documentation for the disconnected() callback warns that
the listener can't assume that the corresponding connection object
has been freed and may be available to the application.

The recommendations given to still start a new connection
or connectable advertiser are outdated or misleading:
- "start connectable advertising": the options that "will attempt
  to resume the advertiser under some conditions" are deprecated
  since Zephyr 4.0 (BT_LE_ADV_OPT_CONNECTABLE and related)
- "using k_work_submit()": assuming everything will be fine
  when the work is actually processed is not reliable
- "increase CONFIG_BT_MAX_CONN": setting BT_MAX_CONN to N+1
  when planning N simultaneous connections is a work-around
  that users may have gotten used to (despite its footprint),
  but there is no longer any reason to advise it

Stop documenting creating new connections or restarting advertising
from the disconnected() callback and instead recommend relying
on recycled() for these use cases.

Signed-off-by: Christophe Dufaza <[email protected]>
LingaoM and others added 28 commits November 13, 2025 22:11
move extending advertising start after periodic adv.

Signed-off-by: Lingao Meng <[email protected]>
When multiple relay adv sets are used, the bt_mesh_adv_send function
calls bt_mesh_adv_relay_ready which should distribute relayed
advertisements across all relay adv sets.

Until the submitted relay adv set work is started, the ADV_FLAG_ACTIVE
is not set. Therefore, next call to bt_mesh_adv_send will try to
re-submit the same relay adv set work, instead of picking up another
relay set which is actually free and ready to send an advertisement.

This commit adds a check that checks if the adv set work is already
pending to be executed. And if so, schedule_send returns false to make
bt_mesh_adv_relay_ready pick next relay adv set.

This shouldn't break advertising because once adv set is done
transmitting advertisement, it will pick up a next one.

The ADV_FLAG_PROXY check is added to do re-submit for adv set which was
used for proxy advertisement since we need to prioritize mesh messages
over proxy advertisements when those are running on the same adv set.

Signed-off-by: Pavel Vasilyev <[email protected]>
There is a corner case found that the ACL connected event may be
printed when script is sending shell command by calling function
`shell.exec_command()`. The echo of shell command will mix with the
ACL connected event message. The received message cannot be
recognized by the function `shell.exec_command()`. It caused the
timeout exception reported by the function `shell.exec_command()`.

Before sending any shell commands, check the DUT connected event
after the connection is established on script side.

Signed-off-by: Lyle Zhu <[email protected]>
Fix prj_minimal.conf as the project configuration and not as
the extra configuration for the sample.

Signed-off-by: Vinayak Kariappa Chettimada <[email protected]>
When creating the audio connection, the SCO connection request will be
sent before the response "OK" to AT command "AT+BCS" is issued.

It causes the issue that the HFP HF cannot respond to the SCO connection
request with the correct codec. Then the SCO connection cannot be
established properly.

Put all processing into the same context, thus avoiding non-sequential
execution caused by the different priorities of different threads.

Add a flag `BT_HFP_AG_AT_PROCESS` to flag the AT command is being
processed.

When the flag `BT_HFP_AG_AT_PROCESS` is set, put the pending
executions into temp list `tx_submit_pending`. After the AT response
`OK` or `ERROR` has been sent, move the pending executions from
`tx_submit_pending` to `tx_pending`.

Signed-off-by: Lyle Zhu <[email protected]>
When allocating the evt buffer, such as for the adv report, only the
remaining data len is compared; the hdr_len should also be considered,
because the hdr is also copied to the allocated buffer. If the hdr is
not considered, then hdr + remaining data may be larger than the
allocated buffer; because the allocated buffer is not big enough, an
assert will occur when receiving the remaining data.

Signed-off-by: Guotao Zhang <[email protected]>
When limited advertising is enabled there is pending delayable work
for timing it out. If in such a case struct bt_le_ext_adv is cleared by
memset, the system will crash on the next tick.

Fix this by ensuring work is cancelled before clearing struct
bt_le_ext_adv. Using bt_le_ext_adv_foreach() ensures that this will
be correctly handled with and without extended advertising enabled.

Signed-off-by: Szymon Janc <[email protected]>
…ance

Fix the issue regarding passing the TRNG peripheral instance to the driver.

Increase the SYSTEM_WORKQUEUE_STACK_SIZE when CONFIG_BT is set.
According to the log of thread analyzer for beacon sample, 1048 bytes
are needed. So, it's been increased to a safer value.

Signed-off-by: Ali Hozhabri <[email protected]>
Root cause: The dynamic L2CAP channel rx.cid is not reset, it
will be intercepted by the judgment condition of the fixed channel,
directly using the last allocated cid may cause cid conflict.

Co-authored-by: zhenwei fang <[email protected]>
Signed-off-by: Lyle Zhu <[email protected]>
There is no guarantee that an enum will be packed, so passing uint8_t as
node_id to bt_mesh_subnet_priv_node_id_get() could (and likely will)
result in writing past the stack variable.

Signed-off-by: Szymon Janc <[email protected]>
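The enum-width hazard described in the commit message above, as an added example that is not code from this pull request or from Zephyr: `enum feat_state`, `feat_state_get()`, `feat_state_get_u8()` and `struct frame` are hypothetical. The overwrite is reproduced inside a single struct so the behaviour stays defined, and the hardened caller gives the getter a correctly typed local before narrowing the result.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical enum; C does not require it to be one byte wide. */
enum feat_state { FEAT_DISABLED, FEAT_ENABLED, FEAT_NOT_SUPPORTED };

/* Hypothetical getter with an enum out-parameter: it stores
 * sizeof(enum feat_state) bytes through the pointer it is given. */
int feat_state_get(enum feat_state *val)
{
    *val = FEAT_ENABLED;
    return 0;
}

/* Stand-in for a stack frame: a one-byte variable and its neighbours. */
struct frame {
    uint8_t node_id;
    uint8_t neighbours[7];
};

_Static_assert(sizeof(enum feat_state) <= sizeof(struct frame),
               "model frame must cover the enum");

/* Counts the neighbour bytes that a store of the full enum at the
 * address of node_id changes. The copy stays inside 'f', so this models
 * the (enum feat_state *)&node_id cast without undefined behaviour. */
size_t clobbered_neighbours(void)
{
    struct frame f;
    enum feat_state written = FEAT_ENABLED;
    size_t n = 0;

    memset(&f, 0xAA, sizeof(f));
    memcpy(&f, &written, sizeof(written));
    for (size_t i = 0; i < sizeof(f.neighbours); i++) {
        n += (f.neighbours[i] != 0xAA);
    }
    return n;
}

/* Hardened caller: pass a real enum object, validate, then narrow. */
int feat_state_get_u8(uint8_t *out)
{
    enum feat_state state;
    int err = feat_state_get(&state);

    if (err) {
        return err;
    }
    if ((unsigned int)state > FEAT_NOT_SUPPORTED) {
        return -ERANGE;
    }
    *out = (uint8_t)state;
    return 0;
}

int main(void)
{
    uint8_t v = 0xFF;

    return (feat_state_get_u8(&v) == 0 && v == FEAT_ENABLED) ? 0 : 1;
}
```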
bt_tbs_originate() returns assigned Call ID as non-negative value.

Signed-off-by: Szymon Janc <[email protected]>
Add vendor-specific RF power mode configuration during HCI setup
for SiLabs SiWx91x devices. This configures the BLE TX power
index in the controller's RF subsystem.

The implementation sends a vendor command (OCF 0x0006) with
protocol mode (2) and power index (RSI_BLE_PWR_INX) during the
setup phase. This ensures proper RF power configuration before
normal Bluetooth operations begin.

Technical details:
- Uses bt_hci_cmd_alloc() with manual HCI header construction
- Command opcode: 0xFC06 (OGF=0x3F, OCF=0x0006)
- Parameters: protocol_mode=2, power_index from RSI_BLE_PWR_INX
- Executed during bt_hci_setup callback

Signed-off-by: Arun Kumar Nagelly <[email protected]>
…tion

In some cases, the host starts scanning internally for establishing
connections (BT_LE_SCAN_USER_CONN), such as host-based resolving or
auto-connection. In this situation, even if the application does not
start explicit scan, the host still needs to handle the advertising
reports to continue the connection process.

Previously, both bt_hci_le_adv_report() and bt_hci_le_adv_ext_report()
will break or discard all reports when explicit scan is not active.
This causes the connection to stay in SCAN_BEFORE_INITIATING and never
move forward.

This patch adds checking of BT_LE_SCAN_USER_CONN to allow advertising
reports to be processed during connection-purpose scanning. When the
scan is started explicitly by application, the behavior remains the
same, only small comments are updated to describe this behavior and keep
the original code style unchanged.

Signed-off-by: Zhijie Zhong <[email protected]>
This allows upper tester to terminate existing call.
Was affecting TMAP/CG/VRC/BV-01-C qualification test case.

Signed-off-by: Szymon Janc <[email protected]>
When building an observer-only build the check_pending_conn label would
result in CI warnings/errors due to this only being a C23 feature:

scan.c:692:1: error: label at end of compound statement is a C23 extension

Turns out the #ifdefs are completely unnecessary, and the code can simply
take advantage of IS_ENABLED(), which should get rid of the warning.

Signed-off-by: Johan Hedberg <[email protected]>
This fixes multiple issues with the command implementation:
 - lack of LE to host conversion
 - using strtoul() on non-string data
 - passing stack variable as attr data (which must be present until
   notification is sent)

This was affecting GATT/SR/GAN/BV-02-C qualification test case.

Signed-off-by: Szymon Janc <[email protected]>
Bluetooth 6.2 has version number 0x10 and was released in November 2025.
This commit ensures this version number is properly decoded.

Signed-off-by: Aleksandar Stanoev <[email protected]>
Enable retransmissions of Generic Provisioning PDUs. This should fix
pb_cancel test where provisionee fails to receive Link Open PDU due to
parallel PB-GATT advertisement, but since Link Open PDU is not
retransmitted, test fails.

Signed-off-by: Pavel Vasilyev <[email protected]>
Add delay to avoid missed packet by tester.

This fixes brg_subnet_duplicate_filtering test.

Signed-off-by: Pavel Vasilyev <[email protected]>
When the DLC disconnect request is received, after priming the DLC
disconnect response, the DLC will be cleared and the `dlc->session`
is cleared. If no DLC is linked in the current session, the idle
timer of the session will be scheduled.

In the current implementation, the `dlc->session` is used to get the
session pointer, but it is invalid at this time. And the unexpected
fault occurs.

Fix the issue by getting the session pointer from parameter of the
function `rfcomm_handle_disc()` instead of `dlc->session`.

Fix issue #99035.

Signed-off-by: Lyle Zhu <[email protected]>
PA sync can be terminated before BIG sync is stopped. This results
in ps_sync being NULL and thus crash in stop callback. Simply store
address needed by BTP events and don't rely on pa_sync.

Signed-off-by: Szymon Janc <[email protected]>
Increase BT RX Thread Stack Size which is needed for successful
provisioning over PB-GATT.

Output from `kernel thread stacks` shell command:
```
BT RX WQ (real size 4096): unused 1408 usage 2688 / 4096 (65 %)
```

Fixes #98521

Signed-off-by: Pavel Vasilyev <[email protected]>
Increase main stack size when MBEDTLS_INIT is enabled to avoid stack
overflow as it consumes 1536 bytes.

Signed-off-by: Ali Hozhabri <[email protected]>
Track may not have next track and thus this must be checked before
trying to match ID.

This was affecting following qualification test cases:
GMCS/SR/MCP/BV-38-C
GMCS/SR/MCP/BV-39-C
GMCS/SR/MCP/BV-40-C

Signed-off-by: Szymon Janc <[email protected]>
Handling of CIS termination had several issues, most notably:

- it depended on allocating a termination node from the general rx
  node pool, causing asserts if the pool was exhausted
- CIS established events were not always generated when required,
  potentially causing CIS Centrals to get stuck without being able
  to create any new CISes
- Cancelling a CIS Create procedure only worked correctly if the
  CIS Create was currently active and happened to belong to the
  same CIS
- CIG state handling often (always?) assumed a CIG with only one CIS

ll_conn_iso_stream now has a dedicated termination node, same as
ll_conn and ll_sync_iso_set

LLCP statemachine for Cis Create procedure has been reworked to ensure
a notification node for CIS Established is available as early as possible.
In addition, it should now always be sent when needed

Introduced ull_central_iso_all_cises_terminated() to check if all CISes
in a CIG have been terminated (or not created yet) - which is now
used for updating the CIG state

ull_cp_cc_cancel() now takes the CIS to cancel as an argument so
it doesn't end up canceling an entirely different CIS Create procedure;
In addition it now works for queued procedures as well

Flushing a (central) CIS Create procedure in LLCP will now properly
generate a CIS Established event (with an error)

Signed-off-by: Troels Nilsson <[email protected]>
The previous method of deriving the local MAC address from the MCU's
Unique ID (UID) by slicing the last 3 bytes had two issues:

1.  **Low Entropy:** Risk of address collision because only a small
    portion of the UID was used, and this portion may not vary much.
2.  **Offset Error:** An incorrect offset calculation could copy
    non-intended bytes.

This commit resolves both issues by replacing the slice operation
with a **CRC-32 hash** over the **entire 16-byte UID**.

The lower 3 bytes (24 bits) of the resulting CRC-32 are used as the
local part of the MAC address, maximizing randomization and ensuring
a high probability of uniqueness across all devices.

Signed-off-by: Badr Bacem KAABIA <[email protected]>
Add a few useful commands and information when running the
BT Tester with native_sim, either with or without the
Zephyr controller.

Signed-off-by: Emil Gydesen <[email protected]>